
Wednesday, 9 June 2010

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers

There have been several recent reports of websites that were compromised following mass SQL injection attacks against what appear to primarily be IIS web servers hosting ASP and ASP.NET applications. SANS/ISC today posted a blog entry referring to this event here: http://isc.sans.edu/diary.html?storyid=8935

The compromised sites were injected with a script that calls back to the domain 'robint.us'. In coordination and cooperation with GoDaddy and Neustar, Shadowserver is now sinkholing this domain. With Shadowserver sinkholing the domain, we are able to provide the community with a few benefits:

  • Drive-by web browsers will be unable to download the exploit code; however, the infected websites will still include a link to the original malicious code.
  • By tracking the referring strings, Shadowserver can enumerate the affected webservers and provide alerts and reports back to the affected network owners.
  • It allows us to gather information pertaining to the connecting hosts and provide it to the security community for further analysis and remediation.
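The second benefit above, enumerating injected websites from the Referer strings that land on the sinkhole, is the kind of log analysis a sinkhole operator would run. The following is an added illustration, not Shadowserver's own tooling: it parses combined-format web server log lines, groups visiting client IPs by the referring (injected) site, and ranks those sites. The log lines, IP addresses, hostnames and the script path `/placeholder.js` are all constructed for the example; the real sinkholed script name is not given on this page.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: client, timestamp, request, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referring_host(referer):
    """Hostname (lower-case, port stripped) from a Referer value; None for missing or '-' referers."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None

def enumerate_referrers(lines):
    """Map each referring (i.e. injected) site to the set of client IPs it sent to the sinkhole."""
    victims = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        host = referring_host(rec["referer"])
        if host:  # direct hits (scanners, curl) carry no referer and are not injected sites
            victims[host].add(rec["client"])
    return victims

def rank_sites(lines):
    """Referring sites ordered by number of distinct clients seen, most first."""
    counts = Counter({h: len(c) for h, c in enumerate_referrers(lines).items()})
    return counts.most_common()

# Constructed sample sinkhole log lines (documentation-range IPs, example hostnames; not real data).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2010:10:01:02 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://shop.example.com/products.aspx?id=7" "Mozilla/4.0"',
    '192.0.2.11 - - [09/Jun/2010:10:01:05 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://shop.example.com/default.asp" "Mozilla/4.0"',
    '192.0.2.10 - - [09/Jun/2010:10:02:00 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://SHOP.example.com/cart.aspx" "Mozilla/4.0"',
    '198.51.100.5 - - [09/Jun/2010:10:03:14 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://news.example.org:8080/story.asp?id=3" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Jun/2010:10:04:00 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "-" "curl/7.19"',
    'garbage line that does not parse',
]
```

Running `rank_sites(SAMPLE_LOG)` on the constructed log yields the two injected sites with their distinct-client counts, which is the list an operator would map to network owners for alerting.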

We're going to be posting a more detailed blog shortly detailing what we've seen thus far from our sinkholing and analysis efforts. It's always a good thing when the community can be both proactive and reactive to security incidents such as this.

If you're an organization that directly owns or controls network space, I'd strongly encourage you to sign up for our free alerting and reporting service. Learn more about this free subscription here: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

Posted June 09, 2010, at 11:32 AM by Andre' - Semper_Securus