
Wednesday, 9 June 2010

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers

There have been several recent reports of websites that were compromised following mass SQL injection attacks against what appear to primarily be IIS web servers hosting ASP and ASP.NET applications. SANS/ISC today posted a blog entry referring to this event here: http://isc.sans.edu/diary.html?storyid=8935

The compromised sites were injected with a script that calls back to the domain 'robint.us'. In coordination and cooperation with GoDaddy and Neustar, Shadowserver is now sinkholing this domain. With Shadowserver sinkholing the domain, we are able to provide the community with a few benefits:

  • Drive-by web browsers will be unable to download the exploit code; however, the infected websites will still include a link to the original malicious code.
  • By tracking the referring strings, Shadowserver can enumerate the affected webservers and provide alerts and reports back to the affected network owners.
  • It allows us to gather information pertaining to the connecting hosts and provide it to the security community for further analysis and remediation.
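
The referrer tracking described in the second bullet, sketched as an added example (this is not Shadowserver's code). It assumes the sinkhole web server writes combined-format access logs; the log lines, hostnames, addresses and the `/x.js` path are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of sinkhole access-log lines (combined log format assumed).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jun/2010:11:02:13 +0000] "GET /x.js HTTP/1.1" 200 0 "http://www.example.com/news.asp?id=4" "Mozilla/4.0"
198.51.100.9 - - [09/Jun/2010:11:02:40 +0000] "GET /x.js HTTP/1.1" 200 0 "http://WWW.EXAMPLE.COM/default.aspx" "Mozilla/5.0"
203.0.113.21 - - [09/Jun/2010:11:03:02 +0000] "GET /x.js HTTP/1.1" 200 0 "http://shop.example.net:8080/item.asp?p=1" "Mozilla/4.0"
203.0.113.21 - - [09/Jun/2010:11:03:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/4.0"
this line is malformed and is skipped
"""

COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def referring_sites(log_text):
    """Group sinkhole hits by the host named in the Referer header."""
    sites = defaultdict(lambda: {"hits": 0, "clients": set(), "pages": set()})
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line
        try:
            ref = urlsplit(m["referer"])
        except ValueError:
            continue  # unparsable Referer value
        if ref.scheme not in ("http", "https") or not ref.hostname:
            continue  # "-" (no Referer) or a non-web scheme
        entry = sites[ref.hostname]  # hostname is lower-cased, port stripped
        entry["hits"] += 1
        entry["clients"].add(m["client"])
        entry["pages"].add(ref.path or "/")
    return dict(sites)

def summary(sites):
    """(host, hits, distinct clients) rows, busiest referrer first."""
    rows = [(h, s["hits"], len(s["clients"])) for h, s in sites.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    # The Referer header is client-supplied: each host is a lead to verify
    # with the site owner, not proof that the site carries the injection.
    for host, hits, clients in summary(referring_sites(SAMPLE_LOG)):
        print(f"{host}\thits={hits}\tclients={clients}")
```
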

We will shortly post a more detailed blog entry covering what we've seen thus far from our sinkholing and analysis efforts. It's always a good thing when the community can be both proactive and reactive to security incidents such as this.

If you're an organization that directly owns or controls network space, I'd strongly encourage you to sign up for our free alerting and reporting service. Learn more about this free subscription here: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

=>Posted June 09, 2010, at 11:32 AM by Andre' - Semper_Securus