polonus
Google for SQL infected sites...
« on: August 08, 2008, 01:40:29 AM »
Hi malware fighters,

Yes, millions and millions of sites infected with SQL injection. SQL injections take advantage of web developers who write applications that accept user-supplied data without inspecting it for malicious characters. The input is usually entered into search boxes or other fields that interact with the site's SQL database. Commands in the entered data instruct the website to add links that redirect visitors to websites under the control of attackers. We strongly recommend not clicking on the infected sites unless you know what you're doing.
Search query to find them with Google: /*/""ngg.js"|"js.js"|"b.js"

This is our old friend: ASPROX. It seems that a lot of the domains used by this are still or again active. Typically using fast flux. The script that is being injected tends to be ngg.js, fgg.js, b.js or js.js. This links to an IP address (still up) where a CGI script starts the road of pain.

Doing a quick search using our friend Google, I ended up with 1,470,000 sites that are currently infected. Now about 591,000 or so are b.js, which seems to point to inactive domains, so these are unlikely to do damage. The rest is a mixture of active and inactive links.

The high number of infected sites points to a couple of issues.

   1. Sites are compromised and nobody notices.
   2. Sites that are infected are not cleaned up.

Now the number of infected sites is high, but the sky is not falling. However, if you have a spare few minutes, do the following Google search, replacing yoursite with your domain, e.g. sans.org (just cut and paste the whole search).

   site:yoursite    "script src=http://*/""ngg.js"|"js.js"|"b.js"

If the search returns results, you have some cleaning to do.

Keep your browser secure with NoScript, Finjan, and scanning through scandoo.com and using DrWeb's av link checker plug-in,

polonus
« Last Edit: August 08, 2008, 01:44:01 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
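
A local version of the check described in the post above, added here as an example (it is not part of the original post): it scans saved page source or a database text export for off-site script tags that load the file names the post lists. The function name, the `own_host` parameter and the sample markup are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Script file names listed in the post above.
SUSPECT_NAMES = {"ngg.js", "fgg.js", "b.js", "js.js"}

# <script ... src=URL ...> with the URL unquoted, single- or double-quoted.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)

def find_injected_scripts(text, own_host):
    """Return sorted (line_no, host, file_name) for off-site suspect scripts."""
    hits = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SCRIPT_SRC.finditer(line):
            url = next(g for g in m.groups() if g is not None)
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            name = parts.path.rsplit("/", 1)[-1].lower()
            if not host or host == own_host.lower():
                continue  # relative or same-site script: not the pattern above
            if name in SUSPECT_NAMES:
                hits.add((line_no, host, name))
    return sorted(hits)

# Constructed sample: page source as it might look after rows in the
# database had script tags appended to their text fields.
SAMPLE = """<title>Widgets<script src=http://bad1.example.invalid/ngg.js></script></title>
<script src="/static/js.js"></script>
<script src="http://www.example.org/b.js"></script>
<td>Blue widget<SCRIPT SRC='http://bad2.example.invalid/b.js'></SCRIPT></td>
<script src="http://cdn.example.net/jquery.js"></script>
"""

if __name__ == "__main__":
    for line_no, host, name in find_injected_scripts(SAMPLE, "www.example.org"):
        print(f"line {line_no}: {name} loaded from {host}")
```

Any hit means the tag is stored somewhere in the site's content, so the cleanup has to cover the database rows as well as the input handling that let the tag in.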