This is the first time I have ever seen SQL injection this widespread and in an automated fashion. Before it’s all said and done this could be !!! HUGE !!!. News of this has been trickling out since the end of April with the first hint of it at the beginning of the year.
I’ve seen these attacks come across the IDS (intrusion detection system) where users are visiting infected URLs. Of course, attackers could easily move their operations to different URLs. Some exploit URLs I’ve seen so far are nihaorr1.com, nmidahena.com, aspder.com, rirwow.cn, and wowyeye.cn. I performed searches to get an idea of the infection numbers; a search for the offending URL won’t give you a 1-to-1 relationship with the number of compromised sites, but it will give you a ballpark figure. Take a look at the “Results” numbers in the following screen shots.
Also check out this screen shot from ririwow.cn; you’ll get a laugh from it.
Below are some other good articles related to this topic
Another thing to consider is how dynamic the attack can be. Consider that what is stored on the victim site is the call to the external js file and NOT the js file itself.
This means that the person/people who serve the malicious js files can constantly update the code with different or newly crafted attacks.
…Of course, this is assuming that the injection goes unnoticed by the victim-sites’ owners. But given the widespread success, how many of the victim-sites’ owners are aware that they are victims? 🙂
The internet worm is back. My only surprise is that it took them this long to innovate.
Second, being that the exploits are being served up by the database, the Database Admin will see no problems, because we’re not dealing with corruption here. They would need to delve into the tables and find the offending code… and how the heck are they supposed to do that?
Apparently history does repeat itself; the attackers have gone back to defacing websites.
You make a good point; I’m surprised this didn’t happen months or years ago. As far as the offending code goes, you can do it, but it’s not the easiest solution. Eric Jenko above pointed me to a link on how to fix the problem.
In phreakhead’s case he searches for and replaces wowyeye.com/m.js; you would of course have to search for other offending URLs also.
Speaking of worms, Joel, Eric also pointed to an article yesterday saying that the likely culprit is a botnet. Who would’a thunk it?
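The "delve into the tables" problem raised above, and the search-and-replace phreakhead describes, can be done in one pass over every character column of a database. The script below is an added example, not from the post or its commenters; it assumes a Microsoft SQL Server back end (the post never names the DBMS), and the injected fragment it looks for is a constructed placeholder shaped like the tag described in the comments, which you would replace with the exact text seen on your own site.

```sql
-- Added example; assumes SQL Server 2005 or later. @needle is a constructed
-- placeholder for the injected tag observed on the compromised site.
SET NOCOUNT ON;

DECLARE @needle nvarchar(300);
SET @needle = N'<script src=http://wowyeye.com/m.js></script>';

DECLARE @schema sysname, @table sysname, @column sysname;
DECLARE @sql nvarchar(max), @hits int;

-- Findings are collected here so the report survives the cursor loop.
DECLARE @report TABLE (table_ref nvarchar(300), column_name sysname, hits int);

-- Walk every character column of every user table: the injected tag can land
-- in any of them, since the attack updates every text column it can reach.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Detection: count affected rows. LIKE works on text/ntext as well as (n)varchar.
    SET @sql = N'SELECT @hits = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE N''%'' + @needle + N''%''';
    EXEC sp_executesql @sql, N'@needle nvarchar(300), @hits int OUTPUT', @needle, @hits OUTPUT;

    IF @hits > 0
    BEGIN
        INSERT INTO @report VALUES (QUOTENAME(@schema) + N'.' + QUOTENAME(@table), @column, @hits);

        -- Cleanup: strip the tag. text/ntext cannot be passed to REPLACE directly,
        -- so the value is round-tripped through nvarchar(max).
        SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' SET ' + QUOTENAME(@column) + N' = REPLACE(CAST(' + QUOTENAME(@column)
                 + N' AS nvarchar(max)), @needle, N'''')'
                 + N' WHERE ' + QUOTENAME(@column) + N' LIKE N''%'' + @needle + N''%''';
        EXEC sp_executesql @sql, N'@needle nvarchar(300)', @needle;
    END
    FETCH NEXT FROM cols INTO @schema, @table, @column;
END
CLOSE cols; DEALLOCATE cols;

SELECT * FROM @report ORDER BY hits DESC;   -- which tables/columns were hit, and how badly
```

Run the detection half against a restored backup first and keep the report; the cleanup only removes the stored reference, so until the injectable query in the web application is parameterized the same worm will simply write the tag back.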