D'oh
Trend Micro have tried to be clever by mosaic-ing the references to where the trojan downloads from. Pity they forgot to blat one in the final picture, right next to the 327,000.
Thousands of websites in China have been booby trapped with code written to download Trojan software onto visitors who run vulnerable Windows PCs. Unlike earlier rounds of SQL injection attacks the latest assaults mostly target English language sites (predominantly sites hosted in China but with a .com suffix) and purposefully …
The image on the linked artical http://www.trendmicro.com/vinfo/images/google_search.gif has blanked over the address they searched for forgetting that it displays itself more then once on the result page :P
See: http://www.google.co.uk/search?q=%22http%3A%2F%2Fs.see9.us%2Fs.js%22
Silly people :D
I'm familiar with a few preventative measures to withstand website SQL injection, such as sanitising the user input and escaping certain characters etc.
I'm curious about these recent events.
Are there any special techniques/code examples on how these new attacks can be prevented? Any advice would be greatly appreciated.
Chris 'the Cautious Coder'
58 59 60 61
114 115 116 117 118 119 120 121 123 124 125 126
153 163 171 202 203 210 211 218 219 220 221 222
Those are the IP address leaders, though do give it a check yourself if you are going to go down this route (pun alert).
Shame about Japan, and Australasia though, they probably need to sort something out to get out of APNIC.
This list is not accurate, eg I'm posting from a 153.x.x.x address and I can assure you I'm not in China. Well, perhaps my job is beeing moved there and I'm the only one not to know ? :)
For those interested, take a look at the IP ranges on apnic's website : http://www.apnic.net/db/ranges.html
Whilst the link to IANA shows 153 as belonging to APNIC.
I have done some whois 'ing.
And:
inetnum: 153.0.0.0 - 153.255.255.255
netname: EU-ZZ-153
descr: Various Registries
country: EU # Country is really world wide
remarks: These addresses were issued by
The IANA before the formation of
Regional Internet Registries.
<http://www.iana.org/assignments/ipv4-address-space>
So, hmm, probably a lot of EU folks in 153, but it is worldwide so could be China :)
153 is in RIPE at the moment.
Indeed. It is staggering that by default, designs contain nothing to stop SQL-injections.
The problem is that databases and web sites interfaces were deliberately designed so that anybody could use them, allowing for unclear statements, unquoted arguments, etc.
Apparently, the database engineers think that user input should be sanitized by coders, coders believe it should be sanitized by the one making the web site, and that one is usually a web designer which cares more about making a cool interface than about security measures.
Hopefully, we will soon have database interfaces which disable literals by default...
What a good idea! Instead of fixing the problem, just take apart the internet.
Any SysAdmin who does that kind of blanket blocking should be prosecuted for a criminal denial of service attack, and gross stupidity. Think about it, there's not even any evidence that the attacks are *originating* in the APNIC, it could be the scumball in the cubical next to you supplementing his income breaking into poorly-protected home user PCs in APNIC to bounce the attacks. Or, from an economic perspective, look at China's GDP growth - think your multinational companies are going to want a piece of that? How will they communicate if idiots like you block them.
I'm physically in Hong Kong, China, but I'd like to think that this inter-thingy is making the world more connected...
I thought I heard a ping from Hong Kong just then :)
Anyone can block traffic if they like, if it is their equipment, there is no law saying it has to be open. In fact since blocking a huge chunk of the net the number of attempted attacks have gone down considerably, and the amount of useful traffic has increased also considerably.
Criminal denial of service eh? Oh, and why should we be serving you? And gross stupidity, well I think you have more than your fair share :)
Most sites, want quality traffic, not crack attempt after crack attempt, sure if some place has to communicate with a site then they can be added to a white list. It does actually make a lot of sense in many scenarios. So you're in Hong Kong why do we care?
"why should we be serving you?" Huh? Well who are you? If you're just running your own private blog server, then fair enough, block whoever you like, it's your machine, nobody's going to care. If you're involved in any sort of commercial operation then what on earth are you on? Blocking random chunks of the IP address space has to be about the laziest, stupidest and least effective security method around. Why don't you just block all IP addresses that end in a number under 128, then you're 50% less likely to be attacked!
Good grief...