Wednesday, 9 June 2010
Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
There have been several recent reports of websites that were compromised following mass SQL injection attacks against what appear to be primarily IIS web servers hosting ASP and ASP.NET applications. SANS/ISC today posted a blog entry referring to this event here: http://isc.sans.edu/diary.html?storyid=8935
The compromised sites were injected with a script that calls back to the domain 'robint.us'. In coordination and cooperation with GoDaddy and Neustar, Shadowserver is now sinkholing this domain. With Shadowserver sinkholing the domain, we are able to provide the community with a few benefits:
- Drive-by web browsers will be unable to download the exploit code; however, the infected websites will still include a link to the original malicious code.
- By tracking the referring strings, Shadowserver can enumerate the affected webservers and provide alerts and reports back to the affected network owners.
- It allows us to gather information pertaining to the connecting hosts and provide it to the security community for further analysis and remediation.
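As an added illustration of the referrer tracking described in the points above (example code written for this post, not Shadowserver's own tooling): once a sinkhole answers for the domain, every request carries a Referer header naming the compromised page that embedded the injected script, so the sinkhole's access log can be aggregated by referring host to enumerate affected web servers and, separately, by client address to count connecting hosts. The log lines below are constructed for the example; the only real name in them is the sinkholed domain 'robint.us', and the request path, client addresses and referring sites are placeholders.

```python
"""
Added example, not Shadowserver's code: enumerate compromised sites from a
sinkhole's web-server access log by grouping requests on the Referer host.
Sample log lines are constructed; only 'robint.us' comes from the post.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
# client ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SINKHOLE_HOST = "robint.us"  # sinkholed domain named in the post

# Constructed sample lines. The Referer is the compromised page whose injected
# script tag made the visitor's browser fetch from the sinkholed host; the
# path '/injected.js' is a placeholder, not the real script name.
SAMPLE_LOG = """\
198.51.100.10 - - [09/Jun/2010:10:01:02 +0000] "GET /injected.js HTTP/1.1" 200 0 "http://www.example.com/products.asp?id=7" "Mozilla/4.0"
198.51.100.11 - - [09/Jun/2010:10:01:05 +0000] "GET /injected.js HTTP/1.1" 200 0 "http://www.example.com/news.aspx" "Mozilla/4.0"
203.0.113.5 - - [09/Jun/2010:10:02:11 +0000] "GET /injected.js HTTP/1.1" 200 0 "http://shop.example.net/default.asp" "Mozilla/5.0"
198.51.100.10 - - [09/Jun/2010:10:03:40 +0000] "GET /injected.js HTTP/1.1" 200 0 "http://www.example.com/products.asp?id=9" "Mozilla/4.0"
203.0.113.9 - - [09/Jun/2010:10:04:00 +0000] "GET /injected.js HTTP/1.1" 200 0 "-" "curl/7.19"
203.0.113.9 - - [09/Jun/2010:10:04:01 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.19"
this line is not a valid log entry
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname from a Referer URL; None when absent ('-') or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def enumerate_victims(log_text):
    """
    Aggregate the log. Returns (sites, clients, no_referer, bad) where
      sites      maps referring host -> {'hits', 'paths', 'clients'}
      clients    is a Counter of requests per client address
      no_referer counts requests with no Referer (scanners, direct fetches)
      bad        counts lines that did not parse
    """
    sites = defaultdict(lambda: {"hits": 0, "paths": set(), "clients": set()})
    clients = Counter()
    no_referer = 0
    bad = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            bad += 1
            continue
        clients[rec["client"]] += 1
        host = referer_host(rec["referer"])
        if host is None:
            no_referer += 1
            continue
        entry = sites[host]
        entry["hits"] += 1
        entry["paths"].add(urlsplit(rec["referer"]).path or "/")
        entry["clients"].add(rec["client"])
    return dict(sites), clients, no_referer, bad


def report(log_text):
    """Human-readable summary, most-hit referring site first."""
    sites, clients, no_referer, bad = enumerate_victims(log_text)
    lines = []
    for host, e in sorted(sites.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(
            f"{host}: {e['hits']} hits from {len(e['clients'])} distinct clients, "
            f"injected pages: {sorted(e['paths'])}"
        )
    lines.append(f"distinct connecting hosts: {len(clients)}; "
                 f"requests without Referer: {no_referer}; unparseable lines: {bad}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The per-site page set is what makes a notification actionable: the network owner gets told which pages on which host still carry the injected script tag, not just that "something" referred traffic. Requests without a Referer are kept out of the site list, since they come from direct fetches and scanners rather than from a visitor's browser rendering a compromised page.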
We're going to be posting a more detailed blog shortly detailing what we've seen thus far from our sinkholing and analysis efforts. It's always a good thing when the community can be both proactive and reactive to security incidents such as this.
If you're an organization that directly owns or controls network space, I'd strongly encourage you to sign up for our free alerting and reporting service. Learn more about this free subscription here: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
Posted June 09, 2010, at 11:32 AM by Andre' - Semper_Securus