Ongoing SQL Injection Attacks
A number of malicious code samples have been recovered from the domains listed.
Typically, an attack begins with SQL injection, through automated attempts that exploit insecure query strings. These attacks have mainly used hexadecimal encoding as a means to hide their purpose. When converted to ASCII, it can be seen that these attacks use a database server's master database to locate all tables within all databases, and append a link to JavaScript code to the end of each record.
This does create interesting results with fully dynamic websites, where string-only fields such as the webpage's title will display the code, rather than executing it. Most of the examples looked at linked to one or two malicious domains, each hosting more than one browser exploit, with the initial script on each domain linking to four or five others.
While it is likely that not all the web domains used to host the physical script files are owned by the attackers, google9.info certainly has a long-standing history of malicious attacks.
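To review web server logs for the hexadecimal-encoded query strings described above, the following added example (not code from the original entry) decodes long hex literals back to ASCII and flags those containing SQL or script keywords. The `0x` prefix requirement, the 16-byte threshold, the keyword list and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# T-SQL style hex literal; the 16-byte minimum is an assumed threshold.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){16,})", re.I)
# Assumed keyword list for triage; tune it for your own applications.
SUSPICIOUS = ("select", "update", "declare", "exec", "<script")
REQUEST = re.compile(r'"(?:GET|POST) (\S+)')

def decode_hex_runs(query):
    """Return the printable-ASCII text hidden in long hex literals."""
    decoded = []
    for match in HEX_LITERAL.finditer(unquote_plus(query)):
        raw = bytes.fromhex(match.group(1))
        # Drop NUL bytes so wide-character (UTF-16) text is readable too.
        text = raw.replace(b"\x00", b"").decode("latin-1")
        if text and all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded

def scan_line(line):
    """Return (path, decoded_text, matched_keywords) for one log line."""
    request = REQUEST.search(line)
    if not request:
        return []
    url = urlsplit(request.group(1))
    findings = []
    for text in decode_hex_runs(url.query):
        hits = [k for k in SUSPICIOUS if k in text.lower()]
        if hits:
            findings.append((url.path, text, hits))
    return findings

# Constructed sample log lines; the hex value encodes a harmless string.
_HEX = "SELECT 'constructed sample' AS note".encode("ascii").hex()
_PREFIX = '203.0.113.5 - - [18/Jul/2008:00:00:01 +0000] "GET /news.asp?id=7'
SAMPLE_LOG = [
    _PREFIX + ' HTTP/1.1" 200 512',
    _PREFIX + ";0x" + _HEX + ' HTTP/1.1" 200 512',
    _PREFIX + "&token=0x" + "ff" * 20 + ' HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for path, text, hits in scan_line(entry):
            print(f"{path}: {hits} -> {text!r}")
```

Only the second sample line is reported; the third carries a hex literal that does not decode to printable text and is skipped.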
This entry was created on Friday, July 18, 2008, at 12:00 AM