SANS Internet Storm Center (SANS ISC) diary

SQL Injection Worm on the Loose (UPDATED x2)

A loyal ISC reader, Rob, wrote in to point us at what looks to be a SQL injection worm on the loose. A quick Google search shows about 4,000 websites infected, and the worm started at least in mid-April if not earlier. Right now we can't speak intelligently to how they are getting into the databases, but what they are doing is injecting scripts and iframes into the pages to take over visitors to the websites. The infection of user machines appears to rely on RealPlayer vulnerabilities, which seem to be detected reasonably well.

The details: the script source injected into webpages is hxxp:// (where # is 1-5). This in turn points to a corresponding .asp page on the same server (i.e. hxxp://). That page in turn points back to the exploits, served from either of two domains. The hxxp:// domain looks like it could be set up for single flux, but it's the same pool of IP addresses all the time right now. hxxp:// just points to a name that has a short TTL, but only one IP is serving it.
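As an added defender-side example (not part of the diary), the following scans a page's HTML, such as a fetched page or a text column pulled from the database, for script and iframe tags that load from hosts outside the site's own. The hostnames in the sample are constructed placeholders, not the ones from the diary.

```python
# Added example (not from the ISC diary): find <script>/<iframe> elements
# whose src points at a host other than the site's own. Hostnames below are
# constructed placeholders; the diary's real hosts are not reproduced.
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedTagFinder(HTMLParser):
    """Collect script/iframe elements whose src loads from an off-site host."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or srcless iframe, not an external loader
        # Relative URLs have no hostname and are treated as same-origin.
        host = urlparse(src.strip()).hostname
        if host and host not in self.own_hosts:
            self.findings.append((tag, src))


def find_injected_loaders(html, own_hosts):
    """Return a list of (tag, src) pairs for off-site script/iframe loaders."""
    parser = InjectedTagFinder(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a product page whose description column was tampered
# with. The unquoted src mirrors the style such injected tags often use.
SAMPLE_PAGE = """
<html><body>
<h1>Widget</h1>
<script src="/static/app.js"></script>
<p>Great widget<script src=http://evil.example/1.js></script></p>
<iframe src="http://evil.example/x.asp" width=0 height=0></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, src in find_injected_loaders(SAMPLE_PAGE, {"www.shop.example"}):
        print(f"suspicious <{tag}> loading {src}")
```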

Fair warning: if you google these hostnames, you will find exploited sites that will try to reach out and "touch" you, even if you are looking at the "cached" page. Proceed at your own risk.

UPDATE: We're also seeing this website serving up some attacks in connection with this SQL worm (hxxp://).

UPDATE x2: As usual, the good folks at ShadowServer have a good write-up on the details of everything after the SQL injection (i.e. what malware gets dropped, IPs involved, etc.).

John Bambenek / bambenek \at\ gmail /dot/ com

ISC Handler, May 6th 2008
If you're using Firefox, exploited sites may reach out and "touch" you even before you look at cached pages, unless you've manually disabled "network.prefetch-next" in "about:config". Check out for more information.
