back to article Mass SQL injection hits English language websites

Thousands of websites in China have been booby trapped with code written to download Trojan software onto visitors who run vulnerable Windows PCs. Unlike earlier rounds of SQL injection attacks the latest assaults mostly target English language sites (predominantly sites hosted in China but with a .com suffix) and purposefully …

COMMENTS

This topic is closed for new posts.
  1. Edd

    D'oh

    Trend Micro have tried to be clever by mosaic-ing the references to where the trojan downloads from. Pity they forgot to blat one in the final picture, right next to the 327,000.

  2. Mike F
    Boffin

    Silly image

    The image on the linked artical http://www.trendmicro.com/vinfo/images/google_search.gif has blanked over the address they searched for forgetting that it displays itself more then once on the result page :P

    See: http://www.google.co.uk/search?q=%22http%3A%2F%2Fs.see9.us%2Fs.js%22

    Silly people :D

  3. Anonymous Coward
    Anonymous Coward

    SQL Injection Protection Tips

    I'm familiar with a few preventative measures to withstand website SQL injection, such as sanitising the user input and escaping certain characters etc.

    I'm curious about these recent events.

    Are there any special techniques/code examples on how these new attacks can be prevented? Any advice would be greatly appreciated.

    Chris 'the Cautious Coder'

  4. brym

    Another address

    They also forgot to blur the third search result's address:

    http://www.salonlive.com.tw/job_index.aspx

  5. Matthew L

    @AC

    A good list of attacks and preventative measures can be found at:

    http://www.owasp.org/index.php/Top_10_2007

    Basically use prepared statements and filters.

  6. Anonymous Coward
    Anonymous Coward

    Re: @AC

    Many thanks Matthew

    Chris

  7. Anonymous Coward
    Stop

    You're nicked sonny

    If they have the domain name (qiqigm.com) that was registered on 16 May where the scripts are downloaded from, won't this help in tracking down the malware creators/distributors ?

  8. foo_bar_baz

    direct db access?

    while injection is likely, my fw logs tell me ms sql ports are constantly hammered. If they are worth scanning they must be vulnerable.

  9. Chris Stafford

    re: direct db access?

    mssql's default admin password is (or at least used to be) notoriously commonly left as-is, which probably makes it worth checking any system for it. You don't need sql injection for that though.

  10. Gareth
    Unhappy

    @Mike F

    True, however that address is not resolving at all from here.

    Anyone else get a look at exactly what sql its trying to inject via the .js?

  11. Anonymous Coward
    Anonymous Coward

    Just block APNIC on the firewall

    58 59 60 61

    114 115 116 117 118 119 120 121 123 124 125 126

    153 163 171 202 203 210 211 218 219 220 221 222

    Those are the IP address leaders, though do give it a check yourself if you are going to go down this route (pun alert).

    Shame about Japan, and Australasia though, they probably need to sort something out to get out of APNIC.

  12. Olivier

    Re: Just block APNIC on the firewall

    This list is not accurate, eg I'm posting from a 153.x.x.x address and I can assure you I'm not in China. Well, perhaps my job is beeing moved there and I'm the only one not to know ? :)

    For those interested, take a look at the IP ranges on apnic's website : http://www.apnic.net/db/ranges.html

  13. Unlimited
    Pirate

    @Gareth

    er, my understanding of the article is that they have used sql injection to place the frame on websites, which then serves a .js to visitors in order to install a trojan on their machine. so the .js is the result of the sql injection, the .js does not perform the sql injection.

  14. Nexox Enigma

    Jesus how hard is it?

    Haven't people know how obvious SQL injection attacks are for like... 15 years now? How can so many people write so much crap software? I know the answer, I just wish the world was better.

    People ought to have their Internet licenses revoked.

  15. Anonymous Coward
    Anonymous Coward

    Ref Ref 153 APNIC

    http://www.iana.org/assignments/ipv4-address-space

    Only going by what IANA is saying.

    Sure your ISP is not APNIC orientated?

  16. Anonymous Coward
    Anonymous Coward

    153 Legacy now in EU or worldwide

    Whilst the link to IANA shows 153 as belonging to APNIC.

    I have done some whois 'ing.

    And:

    inetnum: 153.0.0.0 - 153.255.255.255

    netname: EU-ZZ-153

    descr: Various Registries

    country: EU # Country is really world wide

    remarks: These addresses were issued by

    The IANA before the formation of

    Regional Internet Registries.

    <http://www.iana.org/assignments/ipv4-address-space>

    So, hmm, probably a lot of EU folks in 153, but it is worldwide so could be China :)

    153 is in RIPE at the moment.

  17. Franklin

    Remember, kids...

    This is your brain.

    Th15 15 ur br41n 0n M1cr0s0ft SQL S3rv3r.

  18. ratfox

    @nexox

    Indeed. It is staggering that by default, designs contain nothing to stop SQL-injections.

    The problem is that databases and web sites interfaces were deliberately designed so that anybody could use them, allowing for unclear statements, unquoted arguments, etc.

    Apparently, the database engineers think that user input should be sanitized by coders, coders believe it should be sanitized by the one making the web site, and that one is usually a web designer which cares more about making a cool interface than about security measures.

    Hopefully, we will soon have database interfaces which disable literals by default...

  19. Anonymous Coward
    Thumb Down

    I had some Chinese SQL Injections...

    ...but an hour later I was still hungry!

  20. Allan Dyer
    Flame

    Re: Just block APNIC on the firewall

    What a good idea! Instead of fixing the problem, just take apart the internet.

    Any SysAdmin who does that kind of blanket blocking should be prosecuted for a criminal denial of service attack, and gross stupidity. Think about it, there's not even any evidence that the attacks are *originating* in the APNIC, it could be the scumball in the cubical next to you supplementing his income breaking into poorly-protected home user PCs in APNIC to bounce the attacks. Or, from an economic perspective, look at China's GDP growth - think your multinational companies are going to want a piece of that? How will they communicate if idiots like you block them.

    I'm physically in Hong Kong, China, but I'd like to think that this inter-thingy is making the world more connected...

  21. Anonymous Coward
    Anonymous Coward

    Did someone say something

    I thought I heard a ping from Hong Kong just then :)

    Anyone can block traffic if they like, if it is their equipment, there is no law saying it has to be open. In fact since blocking a huge chunk of the net the number of attempted attacks have gone down considerably, and the amount of useful traffic has increased also considerably.

    Criminal denial of service eh? Oh, and why should we be serving you? And gross stupidity, well I think you have more than your fair share :)

    Most sites, want quality traffic, not crack attempt after crack attempt, sure if some place has to communicate with a site then they can be added to a white list. It does actually make a lot of sense in many scenarios. So you're in Hong Kong why do we care?

  22. Anonymous Coward
    Flame

    Re: Did someone say something

    "why should we be serving you?" Huh? Well who are you? If you're just running your own private blog server, then fair enough, block whoever you like, it's your machine, nobody's going to care. If you're involved in any sort of commercial operation then what on earth are you on? Blocking random chunks of the IP address space has to be about the laziest, stupidest and least effective security method around. Why don't you just block all IP addresses that end in a number under 128, then you're 50% less likely to be attacked!

    Good grief...

This topic is closed for new posts.

Other stories you might like