Mass Infection of IIS/ASP Sites
Last week there were reports of a large number of sites being hacked with a malware script pointing to hxxp://ww.robint.us/u.js. According to Google, more than 111,000 different pages have been infected (the Jerusalem Post web site was affected as well).
The anatomy of this mass infection can be found here. It is based on a known SQL injection method we have seen in the past. Once the DB server has been attacked, its tables hold a script pointing to a malicious web site. The web server then embeds this script in its pages, directing unsuspecting users to a hostile web server.
The attack pattern looks like the following parameter value in an HTTP request:
dEcLaRe @s vArChAr(8000)
set @s=0x6445634C6152652040742076........6F523B2D2D
eXEc(@s)--
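A minimal log-side check for the parameter pattern shown above, added here as an illustration; it is not Imperva's signature or SecureSphere code. The function names, the sample query strings and the hex payload (a harmless constructed `SELECT 1;--`) are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# DECLARE @v VARCHAR(n) ... SET @v=0x<hex> ... EXEC(@v), in any letter case.
PATTERN = re.compile(
    r"declare\s+@(?P<var>\w+)\s+(?:n?var)?char\s*\(\s*(?:\d+|max)\s*\)"
    r".*?set\s+@(?P=var)\s*=\s*0x(?P<hex>(?:[0-9a-f]{2})+)"
    r".*?exec(?:ute)?\s*\(\s*@(?P=var)\s*\)",
    re.IGNORECASE | re.DOTALL,
)

def decode_fully(value, max_rounds=3):
    """URL-decode up to max_rounds times so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_query_string(query):
    """Return [(parameter name, SQL text hidden in the hex literal), ...]."""
    findings = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        match = PATTERN.search(decode_fully(raw))
        if match:
            hidden = bytes.fromhex(match.group("hex")).decode("latin-1")
            findings.append((unquote_plus(name), hidden))
    return findings

# Constructed sample input: the hex literal encodes a harmless statement.
HEX = "SELECT 1;--".encode("ascii").hex().upper()
SAMPLE_QUERIES = [
    "id=42&page=news",
    "id=42;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x" + HEX + "%20eXEc(@s)--",
    "page=news&id=7;DECLARE%2520@t%2520VARCHAR(4000)%2520SET%2520@t=0x"
    + HEX + ";EXEC(@t)--",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(inspect_query_string(q) or "clean", "<-", q[:40])
```

Decoding the hex literal shows the analyst the statement the request tried to hide, which is where a new script URL would appear if the attack returns in a different variation.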
A customer reached out to us today asking how SecureSphere can protect against this circulating attack. IMPERVA's customers are protected by default. SecureSphere has an effective signature to block such attempts. It is enabled by default as part of the "Recommended for blocking for web applications" dictionary.
The original domain is no longer serving up malware, but the attack might still run in a different variation pointing to new malicious pages.
For more information, you may also email gd@acw-group.com.ph or call 02-7065592. Visit http://www.imperva.com/.
© Copyright 2006