Courtesy: stopthehacker.com
SQL injection is a technique used by malicious hackers and security researchers to inject code into a website. It exploits improper handling of input by websites, such as using raw input from forms directly in database queries.
SQL Injection continues to be a major security vulnerability. Malicious hackers can exploit SQL injection vulnerabilities to insert malware onto websites without the knowledge of the website owner.
LizaMoon Mass SQL Injection
Recently, Websense published a report detailing LizaMoon – what they deem to be one of the most widespread SQL injection attacks.
This attack primarily injects the following piece of code:
src=hxxp://lizamoon.com/ur.php
This link loads a fake AV page.
What Links are Injected?
We appreciate the information that Websense researchers have shared so far. Perhaps we can add a little more detail to this information.
We observe SQL injection attacks on a daily basis in our corpus of almost 200,000 samples of web malware. These attacks can be observed on websites every day. They are not restricted to injecting just one malicious link inside benign web pages.
For more information, take a look at our post about how hackers can inject multiple links into compromised sites via SQL injection of benign sites.
In this case the following link was not injected alone:
src=hxxp://lizamoon.com/ur.php
The following links were also injected:
Malicious links accompanying LizaMoon malware.
Who owns these malicious sites?
Most of the web sites seem to be registered to the following entity.
Registrant Contact:
Administrative Contact:
Vasea Petrovich (tik0066@gmail.com)
Technical Contact:
Vasea Petrovich (tik0066@gmail.com)
How Do I Protect My Site?
Webmasters and administrators should search for instances of each malicious link in their sites to ensure that they remove all occurrences of the injected links. More importantly, it is critical to identify the cause of the SQL injection that allowed the site to be compromised.
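A scanner for the search described above, added here as an example; it is not code from stopthehacker.com or Websense. It matches the /ur.php path common to the injected links shown on this page, and the function name, the own_hosts parameter and the sample markup (including the .example hosts) are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

INJECTED_PATH = "/ur.php"  # path shared by the injected links shown on this page

# src= attribute, quoted or not, with an http(s) or defanged hxxp(s) URL.
SRC_RE = re.compile(r"""src\s*=\s*["']?((?:https?|hxxps?)://[^\s"'<>]+)""", re.I)


def find_injected_links(text, own_hosts=()):
    """Return (line_no, host) for every src= URL whose path is /ur.php and
    whose host is not one of the site's own hosts (hypothetical helper)."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        # Content exported from a database may be HTML-entity-encoded, so
        # check the raw line and its unescaped form.
        for candidate in (line, html.unescape(line)):
            for match in SRC_RE.finditer(candidate):
                url = re.sub(r"^hxxp", "http", match.group(1), flags=re.I)
                try:
                    parts = urlsplit(url)
                    host = (parts.hostname or "").lower()
                except ValueError:  # malformed authority, e.g. a stray "["
                    continue
                if parts.path.lower() != INJECTED_PATH or host in own:
                    continue
                if host not in seen:
                    seen.add(host)
                    hits.append((line_no, host))
    return hits


# Constructed sample: a page template plus an entity-encoded database field.
SAMPLE = """\
<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src=http://injected.example/ur.php></script>
<p>Review: &lt;script src=hxxp://lizamoon.com/ur.php&gt;&lt;/script&gt;</p>
<script src="https://www.shop.example/ur.php"></script>
</head></html>
"""

if __name__ == "__main__":
    for line_no, host in find_injected_links(SAMPLE, own_hosts=["www.shop.example"]):
        print(f"line {line_no}: script loaded from {host}{INJECTED_PATH}")
```

Run it over page templates and over text exported from database columns, since the injected links live in the database content rather than in files on disk.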