
SANS ISC is warning of yet another iframe attack. It doesn't seem to be as massive as the last one, but it is currently unknown how the attackers are performing the SQL injection. You might want to filter these domains out for now.
A loyal ISC reader, Rob, wrote in to point us at what looks to be a SQL Injection worm that is on the loose. A quick Google search shows that there are about 4,000 websites infected and that this worm started at least mid-April, if not earlier. Right now we can't speak intelligently to how they are getting into databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites. It looks like the infection of user machines is via RealPlayer vulnerabilities, which seem to be detected more or less well.
The details: the script source that is injected into webpages is hxxp://winzipices.cn/#.js (where # is 1-5). This, in turn, points to a corresponding asp page on the same server (i.e. hxxp://winzipices.cn/#.asp). This in turn points back to the exploits, either from the cnzz.com domain or the 51.la domain. The cnzz.com (hxxp://s141.cnzz.com) domain looks like it could be set up for single flux, but it's the same pool of IP addresses all the time right now. hxxp://www.51.la just points to 51la.ajiang.net, which has a short TTL, but only one IP is serving it.
UPDATED (07/05/2008): Shadowserver.org has a detailed analysis.
Abstract:
As predicted, the attacks against ASP and ASP.NET pages via SQL injection have continued. This time the domain name "winzipices.cn" is in the spotlight. It has managed to find itself in the source of over 4,000 pages according to Google. ISC also has a short diary today mentioning this attack. It turns out this is also something we have been taking a look at for a few days now. With that being said, we would like to share some information that can help protect end users and organizations.
It would appear that our attackers in this instance are taking advantage of the same issues we have discussed in some of our recent postings. However, we do know that the malware and malicious file trail here is different from the last few attacks. If your website has been hacked, or you are visiting a hacked website, you will find something like this in the HTML source of the page you visit:
It appears that 1.js, 2.js, 3.js, and 4.js are also present. Each of these files in turn has hidden iframes that we will discuss below.
Protection & Detection
As always, we recommend that you block access to the malicious domains and sites. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. Of course, being up to date on your patches also goes a long way. Here's a quick recap of the malicious sites/IP addresses involved in this attack:
-winzipices.cn [60.191.239.229]
-61.188.38.158
-61.134.37.15
Read entire analysis.
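The block list above is most useful when turned into a check you can run over your own pages and your own database. The following Python is an added example, not code from ISC, Shadowserver or this blog: it scans HTML for script and iframe tags whose host matches the indicators named on this page (the winzipices.cn host and the three IPs from the Shadowserver recap, plus the cnzz.com and 51la.ajiang.net hosts from the ISC diary), notes when an iframe is hidden by zero size or display:none, and applies the same check to rows pulled from a database, since a SQL injection worm of this kind writes the tag into text columns rather than into files on disk. The sample page and sample rows are constructed test data; only the domains and IPs come from the page.

```python
"""Detect the injected <script>/<iframe> references described above.

Added example (not ISC's or Shadowserver's code).  The indicator list is
taken from this page; SAMPLE_HTML and SAMPLE_ROWS are constructed test data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators as they appear on the page (defanged with "hxxp"); refang()
# below normalises them so the list can be pasted from an advisory as-is.
DEFANGED_INDICATORS = [
    "hxxp://winzipices.cn",
    "60.191.239.229",
    "61.188.38.158",
    "61.134.37.15",
    "hxxp://s141.cnzz.com",
    "51la.ajiang.net",
]


def refang(indicator):
    """Strip hxxp:// defanging and [.] brackets and return the bare host."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    host = host.replace("[.]", ".")
    return host.split("/")[0]


BLOCKLIST = {refang(i) for i in DEFANGED_INDICATORS}


class InjectedRefFinder(HTMLParser):
    """Collect <script>/<iframe> src references whose host is blocklisted."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        # urlsplit lowercases the host, so mixed-case and scheme-relative
        # ("//host/1.js") references are matched too.
        host = urlsplit(src.strip()).hostname or ""
        if host not in BLOCKLIST:
            return
        style = (attrs.get("style") or "").replace(" ", "").lower()
        # Injected iframes are usually made invisible; record that as evidence.
        hidden = tag == "iframe" and (
            "display:none" in style
            or attrs.get("width") == "0"
            or attrs.get("height") == "0"
        )
        self.hits.append({"tag": tag, "src": src, "host": host, "hidden": hidden})


def scan_html(html):
    """Return the blocklisted script/iframe references found in html, in document order."""
    finder = InjectedRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def scan_records(rows):
    """rows: iterable of (table, column, key, text) pulled from the site's
    database.  The worm writes the tag into text columns, so scanning the
    database finds infected content before it is served to a visitor."""
    return [(table, column, key)
            for table, column, key, text in rows
            if text and scan_html(str(text))]


# Constructed sample page: one legitimate script plus two injected tags.
SAMPLE_HTML = """<html><head><title>Products</title>
<script src="/js/site.js"></script>
</head><body>
<p>Welcome to our store.</p>
<script src=http://winzipices.cn/1.js></script>
<iframe src="http://61.188.38.158/x.htm" width=0 height=0 style="display: none"></iframe>
</body></html>"""

# Constructed database rows; only row 2 carries the injected tag.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Blue widget, 10 pack"),
    ("Products", "Description", 2, "Red widget<script src=http://winzipices.cn/3.js></script>"),
    ("News", "Body", 7, "<p>Store closed on Monday.</p>"),
]

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print("page:", hit)
    for table, column, key in scan_records(SAMPLE_ROWS):
        print(f"database: {table}.{column} key={key} is infected")
```

Matching on the parsed hostname rather than on a raw substring means a look-alike such as winzipices.cn.example.org does not trip the check, while `//winzipices.cn/2.asp` and mixed-case hosts do. Extend DEFANGED_INDICATORS as new hosts are published; the defanged form can be pasted in directly.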
Security4all Blog