SQL injection attacks becoming more intense
May 13, 2008 – 5:17 PM
The mass SQL injection attacks we’ve mentioned here and here are increasing in number. We’re seeing more domains being injected and used to host the attack files, and we believe there is now more than one group using a set of different automated tools to inject the code.
Previously these attacks have primarily pointed to IP addresses in China and we’ve seen the following domains being used in addition to the ones we’ve mentioned previously:
www.wowgm1(dot)cn www.killwow1(dot)cn www.wowyeye(dot)cn vb008(dot)cn 9i5t(dot)cn computershello(dot)cn
We’ve now seen other domains being used as well such as direct84(dot)com which is inserted by a SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice writeup available. The direct84(dot)com domain fast-fluxes to several different IPs in Europe, Israel and North America.
The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS.
This is a good time to again mention that it’s not a vulnerability in Microsoft IIS or Microsoft SQL Server that is used to make this happen. If you are an administrator of a website that uses ASP/ASP.NET, you have to make sure you sanitize all input before it is allowed to reach the database. There are lots of articles on how to do this, such as here. You could also have a look at URLScan, which provides an easy way to filter this particular attack based on the length of the QueryString.
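As an added example (not code from the original post), the following Python script applies the same idea as URLScan's QueryString length limit to IIS W3C log lines after the fact, together with a simple T-SQL keyword check on the decoded query string. The log lines, the 2048-byte limit and the keyword list are constructed assumptions for illustration.

```python
"""Flag IIS W3C log entries whose query string looks like one of the mass
SQL injection requests: over-long (the URLScan MaxQueryString idea) or
carrying T-SQL keywords.  All sample data below is constructed."""
import re
from urllib.parse import unquote_plus

# Assumption: 2048 bytes is used here as the query-string length limit.
MAX_QUERY_LEN = 2048
# Assumption: T-SQL keywords that legitimate query strings rarely contain.
SQL_KEYWORDS = re.compile(r"\b(DECLARE|CAST|EXEC|VARCHAR)\b", re.IGNORECASE)

# Constructed W3C extended log excerpt (one benign hit, two suspicious).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2008-05-13 17:01:02 10.0.0.5 GET /products.asp id=12 80 192.0.2.10 200
2008-05-13 17:01:09 10.0.0.5 GET /products.asp id=12%3BDECLARE+%40s+VARCHAR%28255%29 80 198.51.100.7 200
2008-05-13 17:01:15 10.0.0.5 GET /search.asp q={0} 80 203.0.113.9 200
""".format("A" * 2100)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Return the reasons an entry looks like an injection attempt ([] if none)."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return []
    reasons = []
    if len(query) > MAX_QUERY_LEN:
        reasons.append("query string length %d exceeds %d" % (len(query), MAX_QUERY_LEN))
    if SQL_KEYWORDS.search(unquote_plus(query)):
        reasons.append("T-SQL keyword in decoded query string")
    return reasons

def suspicious_entries(text):
    """Return (client IP, URI stem, reasons) for every flagged request."""
    return [(e["c-ip"], e["cs-uri-stem"], classify(e))
            for e in parse_w3c(text) if classify(e)]

if __name__ == "__main__":
    for ip, stem, reasons in suspicious_entries(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
```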