praka123
21-05-2008, 10:55 AM
May 16th, 2008
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists
Posted by Dancho Danchev @ 3:10 pm
Categories: Microsoft, Viruses and Worms, People's Republic of China
Irony at its best. It appears that Redmond - The Independent Voice of the Microsoft IT Community, formerly known as Microsoft Certified Professional Magazine, is currently flagged as a badware site, and third-party exploit detection tools are also detecting internal pages as exploit-hosting ones, in this particular case Mal/Badsrc-A. What is Mal/Badsrc-A? Mal/Badsrc-A is a malicious web page, also known as HTML.XORER, that has been compromised to load a script from a malicious website.
Redmond’s site is part of yet another massive and naturally automated SQL injection attack, whose main malicious URL appears to be down when last checked. Who’s behind it, and was Redmond’s magazine targeted on purpose? Chinese hacktivists attempting to SQL inject as many sites as possible seem to have come across Redmond’s site with no specific intention to do so, comment spammed it, and left a message on the malicious domain (wowyeye.cn) which is descriptive enough to speak for itself: “The invasion can not control bulk!!!!If the wrong target. Please forgive! Sorry if you are a hacker. send email to kiss117276@163.com my name is lonely-shadow TALK WITH ME! china is great! f**k france! f**k CNN! f**k ! HACKER have matherland!”
Two more related sites are affected as well, namely Redmond Developer News and Redmond Channel Partner Online. Bottom line: although wowyeye.cn/m.js is currently down, it managed to get injected at 49,900 sites, which, like the majority of sites that were participating in the most recent tidal wave of successful SQL injection attacks, continue to remain vulnerable to copycats introducing new malicious domains within the vulnerable sites.
It is also important to emphasize the fact that this is a lone gunman operation, and not necessarily one backed up by a botnet such as Asprox, which got some publicity for its involvement in automated SQL injection attacks. Whether or not a standalone SQL injecting tool was used (screenshots included), the concept of using botnets which would create their hitlists from public search engines’ indexes (screenshots included) and automatically SQL inject or Remote File Include them has been around for years, with such scanning modules available for the botnet masters to take advantage of.
And now that the probability of locating and successfully exploiting vulnerable sites is increasing due to the success rate of previous campaigns, what we would be dealing with for the next couple of months are the copycats who just memorized a new buzzword — SQL injection — and efficiently execute massive unethical web application pen-testing all over the Web.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis.
http://blogs.zdnet.com/security/?p=1118&tag=nl.e550
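The article describes the mass-injection pattern of these campaigns: a remote script include (here wowyeye.cn/m.js) ends up stored in the text fields of tens of thousands of sites, and the same sites stay open to copycats swapping in a fresh domain. A site owner's first question after reading this is whether their own stored content already carries such an include. The following detector is an added example, not code from the article or the forum post; it scans constructed sample rows (the kind of values a content or comments table would hold) for `<script src=...>` includes whose host is not on a site-specific allowlist, so a newly introduced copycat domain is flagged just as wowyeye.cn is. The allowlist host `cdn.example.com`, the copycat host and the row contents are assumptions made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of stored text columns after a mass SQL injection
# campaign appended a remote script include to several fields. The
# wowyeye.cn/m.js include is the one named in the article; the other
# rows and the copycat host are made up for this example.
SAMPLE_ROWS = [
    ("article_body", "Redmond Magazine article text..."
                     "<script src=http://wowyeye.cn/m.js></script>"),
    ("comment", "Nice article, thanks."),
    ("comment", 'See the chart <script src="https://cdn.example.com/app.js"></script>'),
    ("title", "SQL injection basics"
              "<script src='http://evil-copycat.example/x.js'></script>"),
]

# Assumption: the only host this site legitimately loads scripts from.
# Anything else appearing in stored content is treated as injected.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}

# Matches the src attribute of a <script> tag, quoted or unquoted, in any case.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE
)


def injected_script_hosts(text, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return the hosts of script includes in text that are not allowlisted."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(text):
        # Scheme-less sources (src=//host/x.js or src=host/x.js) still need a host.
        url = src if "://" in src else "http://" + src.lstrip("/")
        host = urlparse(url).hostname
        if host and host.lower() not in allowed:
            hits.append(host.lower())
    return hits


def scan_rows(rows, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (column, host) pairs for every suspicious script include found."""
    findings = []
    for column, value in rows:
        for host in injected_script_hosts(value, allowed):
            findings.append((column, host))
    return findings


if __name__ == "__main__":
    for column, host in scan_rows(SAMPLE_ROWS):
        print(f"suspicious script include in column {column!r}: host {host}")
```

In practice the rows would come from every text column of the site's database rather than a constructed list, and the allowlist should be kept deliberately short. Cleaning the stored content removes the include but not the cause: the injection itself succeeded because the application concatenated request parameters into SQL, so the lasting fix is parameterized queries on every input path, which is what keeps copycats from reintroducing a new domain.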