Monday, June 23, 2008

ASPROX SQL Injection Botnet and iFrame/Malware

We first noticed this attack when one of our larger clients saw a barrage of SQL injection alerts in the report of their Sentinel IPS (6,000 in one week). We looked into it and found an extremely clever attack which hides the SQL injection payload in a hexadecimal string to evade IDS/IPS. Our device caught the attack at the initial injection stage, so the hex-evasion portion of the attack failed.

So what is the good news? Sentinel IPS, our managed security product, protects against this attack even before it reaches your web server by catching the initial SQL injection. This means instant protection from this ASP/SQL injection threat without having to rewrite your ASP code overnight.
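As an added illustration of the request-stage check described above (not code from the original post or from Sentinel IPS), here is a small Python checker. It scans constructed sample request lines, URL-decodes them, pulls out any long `0x...` hex literal from the query string, decodes it, and flags the request when the decoded bytes contain script or iframe markup, the `/b.js` indicator, or SQL keywords that execute text. The sample lines, the 16-hex-digit minimum length and the keyword list are assumptions made for this example.

```python
import re
import binascii
from urllib.parse import unquote

# Constructed sample: the hex literal is built here so the example is self-contained;
# it encodes a script tag pointing at one of the domains listed in the post.
HEX_PAYLOAD = binascii.hexlify(b"<script src=http://nihaorr1.com/b.js>").decode("ascii")

# Constructed sample request lines (not real captures). Only the second carries
# a long hex literal of the kind the post describes.
SAMPLE_REQUESTS = [
    "GET /products.asp?id=42 HTTP/1.1",
    "GET /products.asp?id=42;" + "0x" + HEX_PAYLOAD + " HTTP/1.1",
    "GET /theme.asp?color=0xff0000 HTTP/1.1",   # short hex value, legitimate
]

# A long 0x... literal in a query string is unusual for ordinary application traffic;
# the 16-hex-digit minimum (an assumption) avoids matching colour codes and small ids.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{16,})")
# Things we do not want to see inside a decoded literal: markup that loads remote
# content, the /b.js indicator from the post, or SQL keywords that execute text.
SUSPICIOUS = re.compile(r"<script|<iframe|/b\.js|\bexec\b|\bcast\b", re.IGNORECASE)


def decode_hex_literals(request_line):
    """Return [(hex_digits, decoded_text)] for each long hex literal in the request."""
    text = unquote(request_line)          # undo URL encoding before looking for 0x...
    found = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:               # drop a dangling nibble so fromhex() accepts it
            digits = digits[:-1]
        decoded = bytes.fromhex(digits).decode("ascii", errors="replace")
        found.append((match.group(1), decoded))
    return found


def inspect_request(request_line):
    """Return a reason string if a hidden payload is found, otherwise None."""
    for digits, decoded in decode_hex_literals(request_line):
        if SUSPICIOUS.search(decoded):
            return f"hex literal of {len(digits) // 2} bytes decodes to: {decoded[:80]}"
    return None


def scan(request_lines):
    """Return [(line, reason)] for every request that inspect_request() flags."""
    flagged = []
    for line in request_lines:
        reason = inspect_request(line)
        if reason:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_REQUESTS):
        print("ALERT:", reason)
        print("   in:", line)
```

The point of decoding rather than pattern-matching the raw request is the one the post makes: the literal itself looks like noise, and only its decoded form shows the script tag. The same routine can be run over a web server access log, one request line per call.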

Grab our ASPROX toolkit for information on cleaning and defending from this attack.


***UPDATE*** I met with the Dallas US Secret Service office today and this issue is much more widespread than we previously thought. We want to help, so if you have any information for us or need assistance cleaning up this mess, give us a call.

How do you know if your site was compromised? Check your ASP application with your browser by viewing the page source and seeing if there is JavaScript which loads an iframe containing any of the following domains:

***UPDATE*** It may be faster to search for the string "/b.js".

nihaorr1.com, free.hostpinoy.info, xprmn4u.info, nmidahena.com, winzipices.cn, sb.5252.ws, aspder.com, 11910.net, bbs.jueduizuan.com, bluell.cn, 2117966.net, s.see9.us, xvgaoke.cn, 1.hao929.cn, 414151.com, cc.18dd.net, yl18.net, kisswow.com.cn, urkb.net, c.uc8010.com, rnmb.net, ririwow.cn, killwow1.cn, xiaobaishan.net, qiqigm.com, wowgm1.cn, wowyeye.cn, 9i5t.cn, c11.8866.org, computershello.cn, tlcn.net, z008.net, b15.3322.org, qiqicc.cn, direct84.com, heihei117.cn, caocaowow.cn, qiuxuegm.com, locale48.com, firestnamestea.cn, fami4ka.net, redir94.com, rexec39.com, en-us18.com, ck1.in, adjuncnet.com, rundll92.com, sysid72.com, n.uc8010.com, libid53.com, qiqi111.cn, heartgames.cn, logid83.com, datajto.com, adw95.com, tjwh202.162.ns98.cn, jetadwor.com, cookieadw.com, bannerupd.com, nb88.cn, bigadnet.com, 1.cool0.biz, updatebnr.com, flyzhu.9966.org, sslnet72.com, advertbnr.com, script46.com, fengnima.cn, tag58.com, banner82.com, smeisp.cn, hoursebuilds.cn, hyperadw.com, adsitelo.com, okey123.cn, b.kaobt.cn, getadw.com, nihao112.com, al.99.vc, aidushu.net, a.13175.com, chliyi.com, free.edivid.info, 52-o.cn, fucksb.net, 0.actualization.cn, d39.6600.org, h28.8800.org, 001yl.com, ucmal.com, t.uc8010.com, dota11.cn, pingbnr.com, bnrcompro.com, y66.us, m11.3322.org, bc0.cn, clsidw.com, adword71.com, killpp.cn, bnradw.com, cmiia.com, sslput4.com, exe94.com, bnrcntrl.com, w11.6600.org, usuc.us, hlpadw.com, jumpbnr.com, advabnr.com, siteid38.com, msshamof.com, refer68.com, newasp.com.cn, wowgm2.cn, mm.jsjwh.com.cn, updatead.com, win496.com, usuc.us, view89.com, 17ge.cn, err68.com, upgradead.com, adword72.com, kk6.us, clickbnr.com, 117275.cn, c23.2288.org, sysid72.com, encode72.com, exec51.com, pingadw.com, vb008.cn, wow112.cn, nihaoel3.com, p060523.info, o7n9.cn, rundll841.com, jetdbs.com, dbdomaine.com, domaincld.com, clsiduser.com, heiheinn.cn, coldwop.com, alzhead.com, chinabnr.com, adwbnr.com, chkbnr.com, chkadw.com
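To make the view-source check above repeatable across many pages, here is an added Python scanner (example code written for this page, not the author's toolkit). It parses saved page source, collects the `src` of every `<script>` and `<iframe>`, and reports any that point at a listed domain or that end in `/b.js`; inline script blocks are also searched for URLs, because the injected JavaScript is what writes the iframe. The embedded domain set is a small subset of the list above plus domains named in the comments (paste in the full list for real use), and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subset of the domains named in the post and its comments; paste the full list here
# when using this for real. (Constructed subset for the example.)
KNOWN_BAD_DOMAINS = {
    "nihaorr1.com", "winzipices.cn", "aspder.com", "direct84.com",
    "sysid72.com", "dl251.com", "admatch.com", "drvadw.com",
}
INDICATOR_PATH = "/b.js"   # the quick string search suggested in the post

# Constructed sample page source: one local script, one injected remote script,
# and an inline script that writes a hidden iframe.
SAMPLE_PAGE = """<html><head><title>Products</title>
<script src="/scripts/menu.js"></script>
<script src="http://www.dl251.com/b.js"></script>
</head><body>
<h1>Catalog</h1>
<script>document.write('<iframe src=http://nihaorr1.com/1.htm width=0 height=0>')</script>
<p>Item 42 - <span>description</span></p>
</body></html>"""


class SrcCollector(HTMLParser):
    """Collect script/iframe src attributes and the text of inline script blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []        # (tag, src) for every <script src> and <iframe src>
        self.inline_js = []   # full text of each inline <script> block
        self._buf = None      # accumulates data while inside an inline script

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.srcs.append((tag, attrs["src"]))
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_js.append("".join(self._buf))
            self._buf = None


def host_of(url):
    """Hostname of a URL, lowercase; '' for relative paths."""
    parsed = urlparse(url if "//" in url else "//" + url)
    return (parsed.hostname or "").lower()


def matches_known(host):
    """True if host equals, or is a subdomain of, a listed domain."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def find_indicators(html):
    """Return human-readable hits for listed domains or /b.js references in the page."""
    parser = SrcCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, src in parser.srcs:
        host = host_of(src)
        if matches_known(host):
            hits.append(f"<{tag}> loads from listed domain {host}: {src}")
        elif src.lower().endswith(INDICATOR_PATH):
            hits.append(f"<{tag}> src ends with {INDICATOR_PATH}: {src}")
    for js in parser.inline_js:
        for url in re.findall(r"https?://[^\s'\"<>]+", js):
            if matches_known(host_of(url)) or url.lower().endswith(INDICATOR_PATH):
                hits.append(f"inline script references {url}")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_PAGE):
        print("HIT:", hit)
```

Matching on the registered domain (so `www.dl251.com` matches `dl251.com`) covers the host-prefix variations seen in the comments, and the `/b.js` path check catches a new domain before it reaches the list. Run it over a crawl of your own site's rendered pages, since the injected tag is stored in the database and appears in any page that displays the affected column.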

15 comments:

ebk said...

New one: www.dl251.com/b.js

Anonymous said...

More new ones:

lang34.com
base48.com
adwsupp.com
hlpgetw.com
supbnr.com
adupd.mobi
pid76.net
get49.net

Anonymous said...

FYI...

- http://atlas.arbor.net/summary/fastflux
"... Currently monitoring 551 fastflux domains..." [2008.07.02]

Update... 7.4.2008
- http://atlas.arbor.net/summary/fastflux
"...Currently monitoring -6508- fastflux domains..."

Distinct Networks:
- http://atlas.arbor.net/summary/fastflux#networks


:-(

jose nazario said...

yes, we ran into a huge cache of names (via NS server analysis) run by spammers. not all are asprox.

we've been adding asprox domains discovered in a variety of ways, including on this blog.

-- jose nazario (from arbor)

Dries Schuddinck said...

We also got attacked, this was inserted:

http://www.admatch.com/ngg.js

Rich said...

Easy way to block them using a Cisco router, assuming no other security device present:

http://cisconews.co.uk/2008/07/09/asprox-sql-injection-attacks-block-them-using-a-cisco-router/

Cheers,

Anonymous said...

another attack source:
drvadw.com/ngg.js

Jeff said...

Three new ones we've seen today:
js.users.51.la
www.plgou.com
jjmaobuduo.3322.org

Anonymous said...

Here's a new one....
pkseio.ru

Raviv Raz said...

More details on ASPROX, SQL Injections at:

Asprox Silent Defacement

You can find download links for:

- Injector: tests for ASPROX vulnerability on websites
- dotDefender: protects web sites against ASPROX

Raviv

Raviv Raz said...

More details on ASPROX, SQL Injections at:

http://chaptersinwebsecurity.blogspot.com/2008/07/asprox-silent-defacement.html

You can find download links for:

- Injector: tests for ASPROX vulnerability on websites
- dotDefender: protects web sites against ASPROX

Raviv

RRave said...

This comment has been removed by a blog administrator.

rossignol axium ski said...

Hello to all :) I can't understand how to add your site in my rss reader. Help me, please

cole hann handbag said...

I usually don't post in blogs but your blog forced me to, amazing work.. beautiful …

Lonny Violetta said...

Hi, I can't understand how to add your site in my rss reader. Can you help me, please :)