Thousands of websites in China have been booby trapped with code written to download Trojan software onto visitors who run vulnerable Windows PCs. Unlike earlier rounds of SQL injection attacks the latest assaults mostly target English language sites (predominantly sites hosted in China but with a .com suffix) and purposefully …
Trend Micro have tried to be clever by mosaic-ing the references to where the trojan downloads from. Pity they forgot to blat one in the final picture, right next to the 327,000.
The image on the linked artical http://www.trendmicro.com/vinfo/images/google_search.gif has blanked over the address they searched for forgetting that it displays itself more then once on the result page :P
Silly people :D
SQL Injection Protection Tips
I'm familiar with a few preventative measures to withstand website SQL injection, such as sanitising the user input and escaping certain characters etc.
I'm curious about these recent events.
Are there any special techniques/code examples on how these new attacks can be prevented? Any advice would be greatly appreciated.
Chris 'the Cautious Coder'
They also forgot to blur the third search result's address:
A good list of attacks and preventative measures can be found at:
Basically use prepared statements and filters.
Many thanks Matthew
You're nicked sonny
If they have the domain name (qiqigm.com) that was registered on 16 May where the scripts are downloaded from, won't this help in tracking down the malware creators/distributors ?
direct db access?
while injection is likely, my fw logs tell me ms sql ports are constantly hammered. If they are worth scanning they must be vulnerable.
re: direct db access?
mssql's default admin password is (or at least used to be) notoriously commonly left as-is, which probably makes it worth checking any system for it. You don't need sql injection for that though.
True, however that address is not resolving at all from here.
Anyone else get a look at exactly what sql its trying to inject via the .js?
Just block APNIC on the firewall
58 59 60 61
114 115 116 117 118 119 120 121 123 124 125 126
153 163 171 202 203 210 211 218 219 220 221 222
Those are the IP address leaders, though do give it a check yourself if you are going to go down this route (pun alert).
Shame about Japan, and Australasia though, they probably need to sort something out to get out of APNIC.
Re: Just block APNIC on the firewall
This list is not accurate, eg I'm posting from a 153.x.x.x address and I can assure you I'm not in China. Well, perhaps my job is beeing moved there and I'm the only one not to know ? :)
For those interested, take a look at the IP ranges on apnic's website : http://www.apnic.net/db/ranges.html
er, my understanding of the article is that they have used sql injection to place the frame on websites, which then serves a .js to visitors in order to install a trojan on their machine. so the .js is the result of the sql injection, the .js does not perform the sql injection.
Jesus how hard is it?
Haven't people know how obvious SQL injection attacks are for like... 15 years now? How can so many people write so much crap software? I know the answer, I just wish the world was better.
People ought to have their Internet licenses revoked.
Ref Ref 153 APNIC
Only going by what IANA is saying.
Sure your ISP is not APNIC orientated?
153 Legacy now in EU or worldwide
Whilst the link to IANA shows 153 as belonging to APNIC.
I have done some whois 'ing.
inetnum: 126.96.36.199 - 188.8.131.52
descr: Various Registries
country: EU # Country is really world wide
remarks: These addresses were issued by
The IANA before the formation of
Regional Internet Registries.
So, hmm, probably a lot of EU folks in 153, but it is worldwide so could be China :)
153 is in RIPE at the moment.
This is your brain.
Th15 15 ur br41n 0n M1cr0s0ft SQL S3rv3r.
Indeed. It is staggering that by default, designs contain nothing to stop SQL-injections.
The problem is that databases and web sites interfaces were deliberately designed so that anybody could use them, allowing for unclear statements, unquoted arguments, etc.
Apparently, the database engineers think that user input should be sanitized by coders, coders believe it should be sanitized by the one making the web site, and that one is usually a web designer which cares more about making a cool interface than about security measures.
Hopefully, we will soon have database interfaces which disable literals by default...
I had some Chinese SQL Injections...
...but an hour later I was still hungry!
Re: Just block APNIC on the firewall
What a good idea! Instead of fixing the problem, just take apart the internet.
Any SysAdmin who does that kind of blanket blocking should be prosecuted for a criminal denial of service attack, and gross stupidity. Think about it, there's not even any evidence that the attacks are *originating* in the APNIC, it could be the scumball in the cubical next to you supplementing his income breaking into poorly-protected home user PCs in APNIC to bounce the attacks. Or, from an economic perspective, look at China's GDP growth - think your multinational companies are going to want a piece of that? How will they communicate if idiots like you block them.
I'm physically in Hong Kong, China, but I'd like to think that this inter-thingy is making the world more connected...
Did someone say something
I thought I heard a ping from Hong Kong just then :)
Anyone can block traffic if they like, if it is their equipment, there is no law saying it has to be open. In fact since blocking a huge chunk of the net the number of attempted attacks have gone down considerably, and the amount of useful traffic has increased also considerably.
Criminal denial of service eh? Oh, and why should we be serving you? And gross stupidity, well I think you have more than your fair share :)
Most sites, want quality traffic, not crack attempt after crack attempt, sure if some place has to communicate with a site then they can be added to a white list. It does actually make a lot of sense in many scenarios. So you're in Hong Kong why do we care?
Re: Did someone say something
"why should we be serving you?" Huh? Well who are you? If you're just running your own private blog server, then fair enough, block whoever you like, it's your machine, nobody's going to care. If you're involved in any sort of commercial operation then what on earth are you on? Blocking random chunks of the IP address space has to be about the laziest, stupidest and least effective security method around. Why don't you just block all IP addresses that end in a number under 128, then you're 50% less likely to be attacked!