[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [WEB SECURITY] Mass SQL Injection Bots Now Targeting PHP Sites
- From: Shaun <shaun@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Mass SQL Injection Bots Now Targeting PHP Sites
- Date: Thu, 28 Aug 2008 23:54:12 -0500
There are rumors, backed up by somewhat empirical evidence, that Google
proactively filters SQL injection victims from their index as they learn
of new attacks. It's also important to remember that Google's snapshot reflects
days- or potentially even weeks-old results. Sites that appear in the
search results for a particular exploit may have been fixed some time
ago.
Ryan reported 3,200 results; when I checked a few hours after he sent
his message it was down to a couple of hundred, and now about twelve
hours later, I only get 22 matches. A spot check shows most of them are
still either infected or affected (and will probably be summarily inspected
and rejected by the almighty G).
-s
On Thu, 28 Aug 2008 17:10:23 -0700
"Stephan Wehner" <stephanwehner@xxxxxxxxx> wrote:
> On Thu, Aug 28, 2008 at 12:05 PM, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote:
> > Greetings everyone,
> > I know that most of you have already heard about the mass SQL Injection bots
> > that have been hammering IIS/ASP/MS-SQL sites, however the theory is that
> > the SQL injection code could be updated to compromise other platforms such
> > as PHP/MySQL, etc... Well, I have been doing some research and I am finding
> > evidence of PHP sites that have been infected. For example, if you do a
> > google search looking for PHP sites that have the same javascript code as some examples that ModSecurity users to me, you will see approximately 3,200 site PHP sites are currently infected.
>
> I tried your Google search; your link:
>
> http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=%221000mg.cn%2Fcsrss%2Fw.js%22+inurl%3Aphp&btnG=Search
>
> and looked at the first result, which for me was
>
> http://trio.hillwoodmuseum.org/detail.php?t=objects&type=all&f=&s=Glass&record=45
>
> I couldn't find any sign of infection.
>
> Another search result,
>
> http://pvc.buildinggreen.com/source.php?id=644
>
> did have some dubious HTML :
>
> <script src="http://www3.800mg.cn/csrss/w.js";>
>
> Stephan
>
>
> --
> Stephan Wehner
>
> -> http://stephan.sugarmotor.org
> -> http://www.thrackle.org
> -> http://www.buckmaster.ca
> -> http://www.trafficlife.com
> -> http://stephansmap.org
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
Search this site
|