
The Asprox bot is back again, injecting JavaScript into vulnerable web pages. The scripts being injected are ngg.js, fgg.js, b.js or js.js. The SANS ISC Stormcenter is speaking of 1.470.000 websites being affected. Mark Hofman (ISC Handler) provided this Google query to have a look at your own site:
site:yoursite "script src=http://*/""ngg.js"|"js.js"|"b.js"
This provided some formulas (like the pipe sign) to increase efficiency in my own Google Fu. I wanted to use this to get an impression of how many Belgian websites were affected. I first used the additional option
inurl.be
But after some experimentation, I found that the following was more accurate:
site:BE
so the entire query would become:
"script src=http://*/""ngg.js"|"js.js"|"b.js" site:BE
Here is a clickable link to this query. This gave me about 222 results. This is quite okay compared to other results the Internet Storm Center presented:
.gov    - 238      .com    - 474K
.gov.au - 927      .org    - 79.9K
.gov.uk - 2,930    .com.au - 19.5K
.gov.cn - 34K      .co.uk  - 19.3K
.gov.za - 424      .ca     - 13.1K
.gov.br - 263
The situation still might change as updated websites tend to only appear in Google Search after hours or days.
Now I wanted to monitor this using Google Alerts. BUT there is a HUGE issue with this. Each alert automatically adds &lr=lang_en. This option only returns English results, excluding a lot of Belgian websites written in Dutch. I tried various settings, read the FAQ and searched Google but to no avail. So unless anyone has some advice, Google Alerts can't be used to monitor websites besides English ones. Too bad.
Malwaredomains.com has a list with domains used for the asprox botnet or other malware sites (available in ISA, BIND or Adblock formats).
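The check the Google query performs can also be run directly against your own pages' HTML, without waiting for a search index to catch up. The following is an added example, not part of the original post or of the ISC's tooling: it flags script tags that load one of the four file names listed above from a host other than your own. The function and class names are hypothetical, and the sample page and its hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File names the post lists as injected by this wave.
INJECTED_NAMES = {"ngg.js", "fgg.js", "b.js", "js.js"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, quoted or not."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_injected_scripts(html, own_host):
    """Return script URLs served from another host whose file name matches."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for src in collector.sources:
        url = urlparse(src)
        host = (url.hostname or "").lower()
        name = url.path.rsplit("/", 1)[-1].lower()
        # Relative URLs (no host) and the site's own host are not this pattern.
        if host and host != own_host.lower() and name in INJECTED_NAMES:
            hits.append(src)
    return hits


# Constructed sample page; hosts are reserved example names, not real indicators.
SAMPLE = """<html><head><title>Products</title>
<script src="/static/js.js"></script>
<script src="http://www.example.be/lib/b.js"></script>
</head><body>
<td>Widget<script src=http://injected.example.net/ngg.js></script></td>
<td>Gadget<SCRIPT SRC=http://injected.example.net/B.JS></SCRIPT></td>
<script src="http://cdn.example.org/jquery.js"></script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE, "www.example.be"):
        print("suspicious script:", hit)
```

A legitimate local file that happens to be called js.js or b.js is not flagged, because only scripts loaded from a foreign host are reported.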
4 comments:
And the Netherlands is not doing any better.
Indeed. But I must say that Luxembourg is the winner with zero !!! ;-)
Update on the 11th of August
Results 21 - 40 of about 551 for "script src=http://*/""ngg.js"|"js.js"|"b.js" site:BE *.js. (0.08 seconds)
Hi Benny!
There is also an up-to-date list on the Shadowserver page - http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514