Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SQL Injection Worm on the Loose (UPDATED x2)

Published: 2008-05-06
Last Updated: 2008-05-07 14:02:48 UTC
by John Bambenek (Version: 1)
1 comment(s)

A loyal ISC reader, Rob, wrote in to point us at what looks to be a SQL Injection worm that is on the loose.  From a quick google search it shows that there are about 4,000 websites infected and that this worm started at least mid-April if not earlier.  Right now we can't speak intelligently to how they are getting into databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites.  It looks like the infection of user machines is by Real Player vulnerabilities that seem more or less detected pretty well.

The details, the script source that is injected into webpages is hxxp:// (where # is 1-5).  This, in turn, points to a cooresponding asp page on the same server.  (i.e. hxxp://  This in turn points back to the exploits.  Either from the domain or the domain.  The (hxxp:// domain looks like it could be set up for single flux, but it's the same pool of IP address all the time right now.  hxxp:// just points to which has a short TTL, but only one IP is serving it.

Fair warning, if you google this hostnames, you will find exploited sites that will try and reach out and "touch" you... even if you are looking at the "cached" page.  Proceed at your own risk.

UPDATE: We're also see this website serving up some attacks in connection with this SQL Worm (hxxp://

UPDATE x2: As usual, the good folks at ShadowServer had a good write up on the details of everything after the SQL injection (i.e. what malware gets dropped, IPs involved, etc).

John Bambenek / bambenek \at\ gmail /dot/ com

1 comment(s)
Diary Archives