
Shadowserver posted an interesting list of the domains used in the recent SQL injection attacks. If you have change management and monitoring in place, you can simply watch for unauthorized changes to your website. Alternatively, you can use Google Alerts with some Google foo, such as "site:www.mysite.be" combined with other terms or the injected domain names, to keep track of unauthorized changes. Google Alerts are email updates of the latest relevant Google results (web, news, etc.) for a query or topic of your choice. You can also use Google Alerts to follow certain topics, as I do for "Storm Worm" for example, and they could be used to track black PR activity related to your company. Something to think about. But let's have a look at those domains.
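An added example of the change-monitoring idea (my code, not from the post or Shadowserver): it parses a page you own, collects every script source, percent-decodes the host (the list contains hosts injected in %-encoded form, e.g. a.ka47.us) and flags anything not served from your own hosts. The blocklist, the own-host set and the sample page are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed blocklist: a few hosts from the campaign's domain list, not the
# whole list; the percent-encoded entry is kept exactly as it was injected.
KNOWN_BAD_HOSTS = {
    "www.nihaorr1.com",
    "www.nihaoel3.com",
    "%61%2E%6B%61%34%37%2E%75%73",  # decodes to a.ka47.us
}

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag, quoted or not."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)

def normalize_host(src):
    """Lowercase, percent-decoded host of a script URL ('' for relative URLs)."""
    host = urlsplit(src.strip()).hostname or ""
    return unquote(host).lower()

def find_injected_scripts(html, own_hosts, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (host, verdict) for every script loaded from a host we do not own."""
    parser = ScriptSrcParser()
    parser.feed(html)
    decoded_bad = {unquote(h).lower() for h in bad_hosts}
    findings = []
    for src in parser.srcs:
        host = normalize_host(src)
        if not host or host in own_hosts:
            continue  # relative path or our own host/CDN: expected
        verdict = "known-bad" if host in decoded_bad else "unexpected-external"
        findings.append((host, verdict))
    return findings

# Constructed sample page: two legitimate scripts, two injected ones, one unknown.
SAMPLE_PAGE = """<html><head><script src="/js/site.js"></script>
<script src="https://cdn.mysite.be/app.js"></script></head><body>
<script src=http://www.nihaorr1.com/1.js></script>
<script src="http://%61%2E%6B%61%34%37%2E%75%73/1.js"></script>
<script src="http://unknown.example/x.js"></script></body></html>"""

if __name__ == "__main__":
    print(find_injected_scripts(SAMPLE_PAGE, {"cdn.mysite.be"}))
```

Run it against a saved copy of each page (or the HTML your monitoring job fetches) and alert on any non-empty result; the "unexpected-external" verdict catches hosts that are not yet on any list.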
Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google). Note that these numbers decay with time. Some of these domains were injected long ago and have been cleaned. At their height, their numbers may have been larger.
The list might not be that useful anymore, but it gives a nice idea of the number of websites affected. Since the attackers stay very dynamic and make use of fast-flux DNS, they have already moved to some new domains. Thanks to ddanchev for providing them.
www.nihaoel3.com
The botnet masters behind Asprox are converging tactics already, by fast-fluxing the SQL injected domains. Related URLs for this campaign:
banner82.com
dll64.com
aspx88.com
bank11.net
cookie68.com
exportpe.net
Read the complete assessment - Fast-Fluxing SQL Injection Attacks Executed from the Asprox Botnet, and go through previous posts related to the botnet as well - Phishing Emails Generating Botnet Scaling; Inside a Botnet's Phishing Activities; Fake Yahoo Greetings Malware Campaign Circulate
If you have some original Google search terms to keep track of 'security events', feel free to share them.