More keylogging attacks - Gamers be extra cautious!!!
It seems the attacks that are infecting websites are growing:
- Another attack is currently targeting servers running vulnerable ASP scripts that can be exploited through SQL injection to host malicious HTML code. The injected code references a malicious script… which in turn injects an IFRAME into the page to redirect users to a site that tries to exploit various known and patched vulnerabilities. This attack is believed to have affected over 15,000 pages, but the number of unique servers compromised may be far less.
- Yet another large-scale attack involving SQL injection is targeting servers running PHPBB. This attack injects HTML code that loads a malicious JavaScript file from ‘free.hostpinoy.com’. Reports indicate that this attack is much more prevalent, perhaps because of the ubiquity of PHPBB. Over 150,000 pages may be affected. Note again, however, that the number of unique servers compromised may be far less. In previously observed cases, over 5000 pages have been affected on a single domain. At the time of writing, most of the sites hosting the exploits or malicious JavaScript are down, but they may come back online at any time. Administrators are advised to audit their web services to ensure that no exploitable flaws exist in the publicly exposed scripts and that the latest versions are installed. Network admins are advised to block access to ‘2117966.net’ and ‘free.hostpinoy.com’ at the gateway.
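One way for an administrator to act on the audit advice above, written here as an added example that is not part of the original post or of any of the quoted sources: the injected payload in both attacks lands in database fields that are later rendered into pages, so a dump of those fields (post bodies, titles, signatures) can be scanned for `<script>` or `<iframe>` tags whose `src` points at a host the site never uses. The three hosts are the ones named in the post; the `ALLOWED_HOSTS` set, the record ids and the sample rows are assumptions constructed for the example.

```python
"""Scan stored page content (e.g. rows dumped from a forum or CMS database)
for injected <script>/<iframe> references to hosts the site does not use.
Added example; not part of the original post or of the quoted advisories."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the post names as serving the injected script or the exploit pages.
KNOWN_BAD_HOSTS = {"2117966.net", "free.hostpinoy.com", "uc8010.com"}

# Hosts this site legitimately loads script/iframe content from.
# Assumption: replace with your own site's hosts.
ALLOWED_HOSTS = {"www.example.com"}


def is_known_bad(host):
    """True if host is one of the listed hosts or a subdomain of one."""
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


class _RefCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> start tag.
    HTMLParser copes with the unquoted attributes the injected strings use."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src.strip()))


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per script/iframe src whose host is on the known-bad
    list or is simply not a host the site is expected to use.
    Relative URLs (no host) are treated as same-origin and not flagged."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src in parser.refs:
        host = urlparse(src).hostname  # lowercased, port removed; None if relative
        if host is None:
            continue
        if is_known_bad(host):
            reason = "known-bad-host"
        elif host not in allowed_hosts:
            reason = "unexpected-external-host"
        else:
            continue
        findings.append({"tag": tag, "src": src, "host": host, "reason": reason})
    return findings


def scan_records(rows, allowed_hosts=ALLOWED_HOSTS):
    """rows: iterable of (record_id, html_text), e.g. a dump of post bodies.
    Returns every finding with the offending record id attached."""
    results = []
    for record_id, text in rows:
        for finding in scan_html(text, allowed_hosts):
            results.append(dict(finding, record_id=record_id))
    return results


# Constructed sample rows (not real data): one clean post, two carrying
# injected references to hosts named in the post, one legitimate script
# reference, and one external host that is on neither list.
SAMPLE_ROWS = [
    (101, "<p>Hello, welcome to the board.</p>"),
    (102, "<p>Nice post</p><script src=http://free.hostpinoy.com/x.js></script>"),
    (103, '<div><iframe src="http://2117966.net/ad.htm" width=0 height=0></iframe></div>'),
    (104, '<script src="https://www.example.com/site.js"></script>'),
    (105, '<script src="http://cdn.unknown-host.test/lib.js"></script>'),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_ROWS):
        print(f"record {f['record_id']}: <{f['tag']}> -> {f['host']} ({f['reason']})")
```

Records flagged as `unexpected-external-host` are not necessarily malicious, but on a site whose templates only ever load script from a fixed set of hosts they are the rows worth reading by hand, and they catch a re-run of the same attack from a host that is not yet on anyone's block list. Cleaning the rows is not enough on its own; the injection point in the exposed script still has to be fixed or the content will be re-injected.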
Source: safer-networking.org
Our friends over at Safer Networking (the makers of Spybot Search & Destroy) have been tracking this threat since it came out and providing good updates as they come available.
Shadow Server has a new update:
uc8010.com and 2117966.net Attacks Linked
We are posting this up a little late, but better late than never. In our last post we mentioned the several thousands of websites that were SQL injected to reference malicious JavaScript code on 2117966.net. At the time we were actually just taking an educated guess that this was the result of SQL injection. However, it has since been confirmed on Neil Carpenter’s Blog at http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
Source: Shadow Server
SANS has a new article on this as well:
Couple of days ago fellow handler Scott wrote a diary about sites hosting exploits for various Realplayer vulnerabilities. One of the malicious sites mentioned in the article, uc8010.com, looked particularly interesting. When you search for this web site in Google you get thousands of other, compromised sites that are all pointing to the uc8010.com web site. This, obviously, sparked some interest in the security community so we decided to dig a bit further into this attack.
Source: isc.sans.org
If you have not already, check your systems with the latest virus definitions from the maker of your anti-virus software and run Microsoft’s Baseline Security Analyzer to make sure you are patched properly. If you want a list of contiguous IP blocks for China and Korea to block for spam, hacking, etc., this guy has researched and listed them:
http://www.okean.com/
His complete list is available here:
http://www.okean.com/sinokorea.txt