Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: List of malicious domains inserted through SQL injection - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
List of malicious domains inserted through SQL injection

One of the main attack vectors we have seen during the last years are "silent" Web defacements, typically in the form of redirections to malicious JavaScript code that are inserted inside the contents of Web pages using iframes, images, or other HTML tags. As lots of Web servers get their contents (or part of them) directly from a database, SQL injection vulnerabilities are widely exploited to insert the malicious references. You can find some of the previous related ISC diary entries here (by using Google).

Unfortunately, there is no silver bullet method to identify if a Web site (Web server or database) has been infected with new HTML tags, due to the fact that complex Web environments typically contain hundreds of scripts, redirections and references. One way of checking if a Web site is vulnerable and has been compromised is by searching for the specific malicious domains hosting the JavaScript and pointed out by the inserted references. We always try to emphasize these malicious domains in the diary entries so that you can search for or even block them.

Mike Johnson from Shadowserver has published a list of domains used in past and recent massive SQL injections that insert malicious javascript into websites. The list is just focused on mass SQL injection attacks, and do not replace other  generic malware lists such as or Mike's plans to maintain this list as we come across new domains over time. The list also contains an estimated number of current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource, and I encourage you to check if you can find references to any of these domains in:

  • Your Web server contents (static contents and database), meaning the server has been compromissed and you need to clean it up and fix the vulnerability originally used by the attackers to insert the redirection tags.
  • Your network traffic, meaning your clients are accessing compromissed Web servers and are being redirected to the malicious domains. These domains are typically trying to exploit client-based vulnerable software, so if your clients are not throughly updated, there is a higher chance that some of them have being compromised.

If you know about any other similar resource, or additional domains hosting (or that have hosted in the past) malicious code used in SQL injection attacks, please contact us.

Raul Siles

Raul Siles

152 Posts
May 20th 2008

Sign Up for Free or Log In to start participating in the conversation!