SQL Attacks Still Inject Websites Including Government Sites In US, UK
A new round of SQL injection attacks (most likely by Asprox) has infected millions of web pages belonging to businesses and government agencies, including those that belong to the National Institutes of Health and Education Department in the US and the UK Trade & Investment. It seems that a lot of domains involved are still (or again) active, typically using fast flux. The script that is being injected tends to be ngg.js, fgg.js, b.js or js.js. This links to an IP address that is still active.
A simple Google search shows at least 1,470,000 infected pages, some on US and UK government websites that have been hit by the attack. The attack is rather popular and not hard to perform, which is worrying when government-run websites are among the victims. About 591,000 or so are infected with b.js, which seems to point to inactive domains, so these are unlikely to do damage. The rest is a mixture of active and inactive links.
A quick breakdown by SANS shows the numbers of infected sites:
.gov – 238
.gov.au – 927
.gov.uk – 2,930
.gov.cn – 34,000
.gov.za – 424
.gov.br – 263
.com – 474,000
.org – 79,900
.com.au – 19,500
.co.uk – 19,300
.ca – 13,100
The high number of infected sites points to a couple of issues. First, sites are compromised and nobody notices, and second, sites that are infected are not cleaned up. To check your own website, run the following Google search, replacing domain.com with your own domain. If this search returns results, you have to clean your website, since it is infecting its visitors:
site:domain.com "script src=http://*/" "ngg.js"|"js.js"|"b.js"
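The Google search above only finds pages that Google has already indexed, so it is worth scanning your own pages directly for the same thing. The following script is an added example written for this post, not something from the original article: it looks through a set of HTML pages for script tags whose src points at a remote host and ends in one of the file names named above (ngg.js, fgg.js, b.js, js.js). The pages and the example.invalid host are constructed sample data; a local /static/b.js is deliberately left unflagged because the attack's injected tag always references an external http://*/ address.

```python
import re

# File names the post reports as the injected payload.
INJECTED_SCRIPT_NAMES = ("ngg.js", "fgg.js", "b.js", "js.js")

# Matches <script ... src=VALUE ...>, with VALUE quoted or unquoted
# (the injected tag is typically written without quotes).
_SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)",
    re.IGNORECASE,
)


def find_injected_scripts(html: str) -> list[str]:
    """Return src URLs of remote script tags whose file name matches a reported payload name."""
    hits = []
    for match in _SCRIPT_SRC_RE.finditer(html):
        src = match.group(1)
        # Only remote references count; a local b.js is a different thing.
        if not src.lower().startswith(("http://", "https://", "//")):
            continue
        name = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if name in INJECTED_SCRIPT_NAMES:
            hits.append(src)
    return hits


def scan_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map page name -> list of suspicious script URLs, for pages that have any."""
    report = {}
    for page_name, html in pages.items():
        found = find_injected_scripts(html)
        if found:
            report[page_name] = found
    return report


# Constructed sample pages (not real site content). example.invalid is a
# placeholder host; the real attack used fast-flux domains and an IP address.
SAMPLE_PAGES = {
    "about.html": (
        "<html><head><script src=\"/static/app.js\"></script>"
        "<script src=\"/static/b.js\"></script></head>"
        "<body><p>About us</p></body></html>"
    ),
    "products.html": (
        "<html><body><h1>Products</h1><p>Widgets and gadgets.</p></body></html>"
        "<script src=http://example.invalid/x/ngg.js></script>"
    ),
    "news.html": (
        "<html><body><p>News</p>"
        "<SCRIPT type=\"text/javascript\" SRC=\"http://example.invalid/js.js\"></SCRIPT>"
        "</body></html>"
    ),
}


if __name__ == "__main__":
    for page, urls in scan_pages(SAMPLE_PAGES).items():
        print(f"{page}: {', '.join(urls)}")
```

In practice you would point scan_pages at the HTML your server actually serves (or at a crawl of it) rather than at static files on disk, because the tag is stored inside database text columns and only shows up once the page is rendered.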
SQL injection attacks exploit web applications whose developers accept user-supplied data and pass it to the database without inspecting it for malicious characters. The input is usually entered into search boxes or other fields that interact with the site's SQL database. Commands embedded in the entered data instruct the website to add links that redirect visitors to websites under the control of attackers.
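To make the mechanism concrete, here is an added example (not code from the article or from any affected site) showing the coding mistake described above beside the fix. Both functions run the same product search against a constructed in-memory SQLite table. The vulnerable version builds the SQL text by string concatenation, so characters in the search term become part of the query and can change its logic; the parameterized version binds the term as a value, so the database never interprets it as SQL. The table, column names and sample rows are assumptions made for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory product table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("widget", "A small widget."), ("gadget", "A useful gadget.")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """The pattern the post describes: user input pasted straight into the SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list[str]:
    """Hardened form: the term is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    # A normal search behaves the same either way.
    print("normal, vulnerable:    ", search_vulnerable(db, "widg"))
    print("normal, parameterized: ", search_parameterized(db, "widg"))
    # A term containing a quote and a SQL comment marker rewrites the
    # vulnerable query's WHERE clause; the parameterized query just looks
    # for that literal text and finds nothing.
    crafted = "x' OR 1=1 --"
    print("crafted, vulnerable:   ", search_vulnerable(db, crafted))
    print("crafted, parameterized:", search_parameterized(db, crafted))
```

The same principle covers the mass-defacement case in the post: once input can alter the query's structure, the attacker decides what the database does with it, whereas a bound parameter can only ever be a value. Prepared statements (or an ORM that uses them) are the fix; filtering "bad characters" on the way in is at best a second layer.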