The Register ®


Comments on ‘Mass SQL injection hits English language websites’

Chinese hackers spread the silent love

Published Wednesday 21st May 2008 07:02 GMT


D'oh 

By Edd
Posted Wednesday 21st May 2008 07:36 GMT

Trend Micro have tried to be clever by mosaic-ing the references to where the trojan downloads from. Pity they forgot to blat one in the final picture, right next to the 327,000.

Silly image 

By Mike F
Posted Wednesday 21st May 2008 08:18 GMT
Boffin

The image on the linked article http://www.trendmicro.com/vinfo/images/google_search.gif has blanked over the address they searched for, forgetting that it displays itself more than once on the result page :P

See: http://www.google.co.uk/search?q=%22http%3A%2F%2Fs.see9.us%2Fs.js%22

Silly people :D

SQL Injection Protection Tips 

By Anonymous Coward
Posted Wednesday 21st May 2008 09:56 GMT

I'm familiar with a few preventative measures to withstand website SQL injection, such as sanitising the user input and escaping certain characters etc.

I'm curious about these recent events.

Are there any special techniques/code examples on how these new attacks can be prevented? Any advice would be greatly appreciated.

Chris 'the Cautious Coder'

Another address 

By brym
Posted Wednesday 21st May 2008 09:57 GMT

They also forgot to blur the third search result's address:

http://www.salonlive.com.tw/job_index.aspx

@AC 

By Matthew L
Posted Wednesday 21st May 2008 10:21 GMT

A good list of attacks and preventative measures can be found at:

http://www.owasp.org/index.php/Top_10_2007

Basically use prepared statements and filters.
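As an added illustration of the "prepared statements and filters" advice above (example code written for this page, not code from the article or from any commenter): the same search query written the vulnerable way beside the parameterised way, an allow-list filter for the field, and output encoding so that a row already poisoned with a script reference is shown to visitors as text. The jobs table, its columns and the example.invalid URL are constructed for the demo.

```python
import html
import re
import sqlite3

# Constructed sample data (not from the article): a small job-listing table of
# the kind the 2008 campaign poisoned by appending script references to text.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, city TEXT)")
    db.executemany("INSERT INTO jobs (title, city) VALUES (?, ?)",
                   [("Web developer", "Taipei"), ("DBA", "London")])
    return db

def search_vulnerable(db, city):
    # String concatenation: whatever the visitor typed becomes part of the SQL
    # grammar, so a stray quote rewrites the WHERE clause.
    sql = "SELECT title FROM jobs WHERE city = '" + city + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def search_safe(db, city):
    # Parameterised query: the value travels separately from the statement and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT title FROM jobs WHERE city = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (city,))]

# The "filters" half of the advice: an allow-list for this one field, applied
# before the query as defence in depth, not as a substitute for parameters.
CITY_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")

def city_is_valid(city):
    return CITY_RE.fullmatch(city) is not None

def render_title(title):
    # Output encoding: even a row that is already poisoned with markup is
    # rendered as text, so an injected script reference never executes.
    return "<li>" + html.escape(title, quote=True) + "</li>"

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"                # constructed input containing a quote
    print(search_vulnerable(db, probe))  # WHERE clause rewritten: both rows
    print(search_safe(db, probe))        # treated as a literal city: no rows
    print(city_is_valid(probe))          # False
    print(render_title('DBA<script src="http://example.invalid/s.js"></script>'))
```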

Re: @AC 

By Anonymous Coward
Posted Wednesday 21st May 2008 10:35 GMT

Many thanks Matthew

Chris

You're nicked sonny 

By Anonymous Coward
Posted Wednesday 21st May 2008 10:45 GMT
Stop

If they have the domain name (qiqigm.com) that was registered on 16 May where the scripts are downloaded from, won't this help in tracking down the malware creators/distributors?

direct db access? 

By foo_bar_baz
Posted Wednesday 21st May 2008 10:46 GMT

While injection is likely, my fw logs tell me MS SQL ports are constantly hammered. If they are worth scanning they must be vulnerable.

re: direct db access? 

By Chris Stafford
Posted Wednesday 21st May 2008 11:31 GMT

MSSQL's default admin password is (or at least used to be) notoriously commonly left as-is, which probably makes it worth checking any system for it. You don't need SQL injection for that though.

@Mike F 

By Gareth
Posted Wednesday 21st May 2008 11:43 GMT
Unhappy

True, however that address is not resolving at all from here.

Anyone else get a look at exactly what SQL it's trying to inject via the .js?

Just block APNIC on the firewall 

By Anonymous Coward
Posted Wednesday 21st May 2008 12:15 GMT

58 59 60 61

114 115 116 117 118 119 120 121 123 124 125 126

153 163 171 202 203 210 211 218 219 220 221 222

Those are the IP address leaders, though do give it a check yourself if you are going to go down this route (pun alert).

Shame about Japan, and Australasia though, they probably need to sort something out to get out of APNIC.

Re: Just block APNIC on the firewall 

By Olivier
Posted Wednesday 21st May 2008 14:47 GMT

This list is not accurate, e.g. I'm posting from a 153.x.x.x address and I can assure you I'm not in China. Well, perhaps my job is being moved there and I'm the only one not to know? :)

For those interested, take a look at the IP ranges on apnic's website : http://www.apnic.net/db/ranges.html

@Gareth 

By Unlimited
Posted Wednesday 21st May 2008 15:39 GMT
Pirate

Er, my understanding of the article is that they have used SQL injection to place the frame on websites, which then serves a .js to visitors in order to install a trojan on their machine. So the .js is the result of the SQL injection; the .js does not perform the SQL injection.

Jesus how hard is it? 

By Nexox Enigma
Posted Wednesday 21st May 2008 16:24 GMT

Haven't people known how obvious SQL injection attacks are for like... 15 years now? How can so many people write so much crap software? I know the answer, I just wish the world was better.

People ought to have their Internet licenses revoked.

Ref Ref 153 APNIC 

By Anonymous Coward
Posted Wednesday 21st May 2008 17:07 GMT

http://www.iana.org/assignments/ipv4-address-space

Only going by what IANA is saying.

Sure your ISP is not APNIC orientated?

153 Legacy now in EU or worldwide 

By Anonymous Coward
Posted Wednesday 21st May 2008 18:49 GMT

Whilst the link to IANA shows 153 as belonging to APNIC, I have done some whois'ing. And:

inetnum: 153.0.0.0 - 153.255.255.255
netname: EU-ZZ-153
descr: Various Registries
country: EU # Country is really world wide
remarks: These addresses were issued by
The IANA before the formation of
Regional Internet Registries.
<http://www.iana.org/assignments/ipv4-address-space>

So, hmm, probably a lot of EU folks in 153, but it is worldwide so could be China :)

153 is in RIPE at the moment.

Remember, kids... 

By Franklin
Posted Wednesday 21st May 2008 19:05 GMT

This is your brain.

Th15 15 ur br41n 0n M1cr0s0ft SQL S3rv3r.

@nexox 

By ratfox
Posted Wednesday 21st May 2008 19:29 GMT

Indeed. It is staggering that by default, designs contain nothing to stop SQL-injections.

The problem is that database and web site interfaces were deliberately designed so that anybody could use them, allowing for unclear statements, unquoted arguments, etc.

Apparently, the database engineers think that user input should be sanitized by coders, coders believe it should be sanitized by the one making the web site, and that one is usually a web designer who cares more about making a cool interface than about security measures.

Hopefully, we will soon have database interfaces which disable literals by default...

I had some Chinese SQL Injections... 

By Anonymous Coward
Posted Wednesday 21st May 2008 23:47 GMT
Thumb Down

...but an hour later I was still hungry!

Re: Just block APNIC on the firewall 

By Allan Dyer
Posted Thursday 22nd May 2008 08:36 GMT
Flame

What a good idea! Instead of fixing the problem, just take apart the internet.

Any SysAdmin who does that kind of blanket blocking should be prosecuted for a criminal denial of service attack, and gross stupidity. Think about it, there's not even any evidence that the attacks are *originating* in the APNIC, it could be the scumball in the cubicle next to you supplementing his income breaking into poorly-protected home user PCs in APNIC to bounce the attacks. Or, from an economic perspective, look at China's GDP growth - think your multinational companies are going to want a piece of that? How will they communicate if idiots like you block them?

I'm physically in Hong Kong, China, but I'd like to think that this inter-thingy is making the world more connected...

Did someone say something 

By Anonymous Coward
Posted Tuesday 27th May 2008 21:14 GMT

I thought I heard a ping from Hong Kong just then :)

Anyone can block traffic if they like, if it is their equipment, there is no law saying it has to be open. In fact since blocking a huge chunk of the net the number of attempted attacks has gone down considerably, and the amount of useful traffic has increased also considerably.

Criminal denial of service eh? Oh, and why should we be serving you? And gross stupidity, well I think you have more than your fair share :)

Most sites want quality traffic, not crack attempt after crack attempt, sure if some place has to communicate with a site then they can be added to a white list. It does actually make a lot of sense in many scenarios. So you're in Hong Kong, why do we care?

Re: Did someone say something 

By Anonymous Coward
Posted Thursday 29th May 2008 06:15 GMT
Flame

"why should we be serving you?" Huh? Well who are you? If you're just running your own private blog server, then fair enough, block whoever you like, it's your machine, nobody's going to care. If you're involved in any sort of commercial operation then what on earth are you on? Blocking random chunks of the IP address space has to be about the laziest, stupidest and least effective security method around. Why don't you just block all IP addresses that end in a number under 128, then you're 50% less likely to be attacked!

Good grief...
