Wednesday, 9 June 2010

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers

There have been several recent reports of websites that were compromised following mass SQL injection attacks against what appear to primarily be IIS web servers hosting ASP and ASP.NET applications. SANS/ISC today posted a blog entry referring to this event here: http://isc.sans.edu/diary.html?storyid=8935

The compromised sites were injected with a script that calls back to the domain 'robint.us'. In coordination and cooperation with GoDaddy and Neustar, Shadowserver is now sinkholing this domain. With Shadowserver sinkholing the domain, we are able to provide the community with a few benefits:

  • Drive-by web browsers will be unable to download the exploit code; however, the infected websites will still include a link to the original malicious code.
  • By tracking the referring strings, Shadowserver can enumerate the affected webservers and provide alerts and reports back to the affected network owners.
  • It allows us to gather information pertaining to the connecting hosts and provide it to the security community for further analysis and remediation.
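
The referrer tracking described in the second bullet can be sketched as follows. This is an added example, not Shadowserver's code: it assumes the sinkhole web server writes Combined Log Format, and the request path, client addresses and referring hostnames are constructed; only the domain 'robint.us' comes from this post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges, example.* hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jun/2010:11:40:01 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://www.example.com/news.asp?id=4" "Mozilla/4.0"
198.51.100.7 - - [09/Jun/2010:11:40:09 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://www.example.com/default.asp" "Mozilla/5.0"
192.0.2.10 - - [09/Jun/2010:11:41:30 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "http://shop.example.org:8080/item.aspx?p=2" "Mozilla/4.0"
203.0.113.5 - - [09/Jun/2010:11:42:00 +0000] "GET /placeholder.js HTTP/1.1" 200 0 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def affected_sites(log_text, sinkhole_domain="robint.us"):
    """Map each referring host to its hit count, client IPs and injected pages."""
    sites = defaultdict(lambda: {"hits": 0, "clients": set(), "pages": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line
        try:
            ref = urlsplit(m["referer"])
        except ValueError:
            continue  # Referer is client-supplied and may be garbage
        host = (ref.hostname or "").lower()
        # Skip empty referers ("-") and requests referred by the sinkhole itself.
        if not host or host == sinkhole_domain or host.endswith("." + sinkhole_domain):
            continue
        site = sites[host]
        site["hits"] += 1
        site["clients"].add(m["ip"])
        site["pages"].add(ref.path or "/")
    return dict(sites)

if __name__ == "__main__":
    for host, s in sorted(affected_sites(SAMPLE_LOG).items()):
        print(host, s["hits"], len(s["clients"]), sorted(s["pages"]))
```

Because the Referer header is supplied by the client, the resulting host list is a set of leads to confirm before notifying a network owner.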

We're going to be posting a more detailed blog entry shortly covering what we've seen thus far from our sinkholing and analysis efforts. It's always a good thing when the community can be both proactive and reactive to security incidents such as this.

If you're an organization that directly owns or controls network space, I'd strongly encourage you to sign up for our free alerting and reporting service. Learn more about this free subscription here: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

=>Posted June 09, 2010, at 11:32 AM by Andre' - Semper_Securus