Wednesday, 9 June 2010

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers

There have been several recent reports of websites that were compromised following mass SQL injection attacks against what appear to primarily be IIS web servers hosting ASP and ASP.NET applications. SANS/ISC today posted a blog entry referring to this event here: http://isc.sans.edu/diary.html?storyid=8935

The compromised sites were injected with a script that calls back to the domain 'robint.us'. In coordination and cooperation with GoDaddy and Neustar, Shadowserver is now sinkholing this domain. With Shadowserver sinkholing the domain, we are able to provide the community with a few benefits:

  • Drive-by web browsers will be unable to download the exploit code; however, the infected websites will still include a link to the original malicious code.
  • By tracking the referring strings, Shadowserver can enumerate the affected webservers and provide alerts and reports back to the affected network owners.
  • It allows us to gather information pertaining to the connecting hosts and provide it to the security community for further analysis and remediation.
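
The referrer-based enumeration in the second point can be sketched as follows. This is an added example, not Shadowserver's own tooling: it assumes the sinkhole web server writes combined-format access logs, and the log lines, IP addresses, site names and the `/placeholder.js` path are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample sinkhole log (documentation IPs, example domains, placeholder path).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jun/2010:11:02:13 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://www.shop.example.com/product.asp?id=7" "Mozilla/4.0"
192.0.2.11 - - [09/Jun/2010:11:02:40 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://WWW.SHOP.example.com/default.aspx" "Mozilla/5.0"
192.0.2.10 - - [09/Jun/2010:11:03:05 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://intranet.example.org/news.asp" "Mozilla/4.0"
198.51.100.5 - - [09/Jun/2010:11:04:00 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "-" "curl/7.20"
truncated line without the expected fields
192.0.2.10 - - [09/Jun/2010:11:05:31 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://www.shop.example.com/product.asp?id=9" "Mozilla/4.0"
"""

def referer_host_and_path(referer):
    """Return (host, path) of a Referer header, or None if it names no web page."""
    try:
        parts = urlsplit(referer)
    except ValueError:          # e.g. a malformed bracketed host
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname, parts.path or "/"   # hostname is already lower-cased

def affected_sites(log_text):
    """Group sinkhole hits by referring site; return (sites, skipped_line_count)."""
    sites = defaultdict(lambda: {"hits": 0, "visitors": set(), "pages": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        ref = referer_host_and_path(m["referer"]) if m else None
        if ref is None:         # unparsable line, or no usable Referer (direct request)
            skipped += 1
            continue
        host, path = ref
        sites[host]["hits"] += 1
        sites[host]["visitors"].add(m["ip"])
        sites[host]["pages"].add(path)   # pages that carry the injected script tag
    return dict(sites), skipped

if __name__ == "__main__":
    for host, s in sorted(affected_sites(SAMPLE_LOG)[0].items()):
        print(host, s["hits"], len(s["visitors"]), sorted(s["pages"]))
```

Each key in the result is a web server whose pages still reference the sinkholed domain, which is the list a network owner needs for cleanup; requests without a usable Referer are counted separately rather than attributed to any site.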

We'll shortly be posting a more detailed blog entry covering what we've seen thus far from our sinkholing and analysis efforts. It's always a good thing when the community can be both proactive and reactive to security incidents such as this.

If you're an organization that directly owns or controls network space, I'd strongly encourage you to sign up for our free alerting and reporting service. Learn more about this free subscription here: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

=>Posted June 09, 2010, at 11:32 AM by Andre' - Semper_Securus