Re: [WEB SECURITY] Mass SQL Injection Bots Now Targeting PHP Sites
- From: "Stephan Wehner" <stephanwehner@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Mass SQL Injection Bots Now Targeting PHP Sites
- Date: Thu, 28 Aug 2008 17:10:23 -0700
On Thu, Aug 28, 2008 at 12:05 PM, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote:
> Greetings everyone,
> I know that most of you have already heard about the mass SQL Injection bots
> that have been hammering IIS/ASP/MS-SQL sites, however the theory is that
> the SQL injection code could be updated to compromise other platforms such
> as PHP/MySQL, etc... Well, I have been doing some research and I am finding
> evidence of PHP sites that have been infected. For example, if you do a
> Google search looking for PHP sites that have the same javascript code as
> some examples that ModSecurity users to me, you will see approximately
> 3,200 PHP sites are currently infected.
I tried your Google search; your link:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=%221000mg.cn%2Fcsrss%2Fw.js%22+inurl%3Aphp&btnG=Search
and looked at the first result, which for me was
http://trio.hillwoodmuseum.org/detail.php?t=objects&type=all&f=&s=Glass&record=45
I couldn't find any sign of infection.
Another search result,
http://pvc.buildinggreen.com/source.php?id=644
did have some dubious HTML:
<script src="http://www3.800mg.cn/csrss/w.js">
Stephan
--
Stephan Wehner
-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org