<![CDATA[[SecurityRatty] tag: nihaorr1]]>

<![CDATA[[SecurityRatty] tag: nihaorr1]]> http://securityratty.com/tag/nihaorr1 Wed, 23 Apr 2008 06:13:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Malware Domains Used in the SQL Injection Attacks]]> http://securityratty.com/article/006fb71c4d155504d8f571646aa4cc66 http://securityratty.com/article/006fb71c4d155504d8f571646aa4cc66

Whereas the value of these malicious domains lies in the historical preservation of evidence, as long as hundreds of thousands of sites continue operating with outdated and unpatched web applications, the list is prone to grow on a daily basis, thanks to copycats and the Asprox botnet. The Shadowserver Foundation's list of malicious domains used in the SQL injection attacks :

nihaorr1.com
free.hostpinoy.info
xprmn4u.info
nmidahena.com
winzipices.cn
sb.5252.ws
aspder.com
11910.net
bbs.jueduizuan.com
bluell.cn
2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
414151.com
cc.18dd.net
kisswow.com.cn
urkb.net
c.uc8010.com
rnmb.net
ririwow.cn
killwow1.cn
qiqigm.com
wowgm1.cn
wowyeye.cn
9i5t.cn
computershello.cn
z008.net
b15.3322.org
direct84.com
caocaowow.cn
qiuxuegm.com
firestnamestea.cn
qiqi111.cn
banner82.com s
meisp.cn
okey123.cn
b.kaobt.cn
nihao112.com
al.99.vc
aidushu.net
chliyi.com
free.edivid.info
52-o.cn
actualization.cn
d39.6600.org
h28.8800.org
ucmal.com
t.uc8010.com
dota11.cn
bc0.cn
adword71.com
killpp.cn
w11.6600.org
usuc.us
msshamof.com
newasp.com.cn
wowgm2.cn
mm.jsjwh.com.cn
17ge.cn
adword72.com
117275.cn
vb008.cn
wow112.cn
nihaoel3.com

Some new additions that I'm tracking :

a.13175.com
r.you30.cn
d39.6600.org
001yl.com
free.edivid.info
aaa.1l1l1l.Com/error/404.html
cc.buhaoyishi.com/one/hao5.htm?015
aaa.77xxmm.cn/new858.htm?075
llSging.com/ww/new05.htm?075
shIjIedIyI.net/one/hao8.htm?005
congtouzaIlaI.net/one/hao8.htm?005
aa.llsging.com/ww/new05.hTm?075

The rough number of SQL injected sites is around 1.5 million pages, in reality the number is much bigger, and there are several ongoing campaigns injecting obfuscated characters making it a bit more time consuming to track down. Who's behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today's SQL injectors have a built-in reconnaissance capabilities, like this one which I assessed in a previous post.

]]> Thu, 22 May 2008 04:49:38 +0000 attacks sql injection attacks sql net decent sql injector htm org malicious domains lies malicious domains Malware Domains Used in the SQL Injection Attacks <![CDATA[Redmondmag...I told you so!]]> http://securityratty.com/article/86c5246bb43764de7badda595a9e2b02 http://securityratty.com/article/86c5246bb43764de7badda595a9e2b02 So when Dancho Danchev pointed out that Redmond Magazine had been SQL injected by Chinese Hacktivists, I was both appalled, yet not surprised.
On January 29th, 2008 I informed 1105 Media, the parent company of the Redmond Media Group, of multiple XSS vulnerabilities in various properties they maintain, including EntMag.com and AdtMag.com, as well as Redmondmag.com.

From my email:
"I’d like to advise you of XSS vulnerabilities in the search code used by all Redmond Media Group websites.
This is most easily validated by pasting a simple script alert generator in the search form.
These vulnerabilities were disclosed by XSSed.com in February and July of 2007.
http://www.xssed.com/mirror/20073/
http://www.xssed.com/mirror/13305/
These vulnerability be exploited by malicious people to conduct XSS attacks and it could further lead to reputation and PR issues for the Redmond Media Group."

Not only did they flatly ignore me, and they guys from XSSed.com who'd notified then in FEBRUARY and JULY 2007!, but all these vulnerabilities still exist, including Redmondmag.com. You could definitely say that these issues have led to "reputation and PR issues for the Redmond Media Group."
Doh! I told you so!
It goes without saying that if you are vulnerable to XSS, you have a significantly higher likelihood of being vulnerable to SQLi.
Redmondmag.com was also victimized by the 2nd wave of mass SQL injection attacks that dropped in nihaorr1.com/1.js.

Regarding current vulnerabilities, observe the following:
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://search.redmondmag.com/search.asp&cmd=search&SearchForm=%%SearchForm%%&index=C:\dtSearch\rmg\red_all&sort=Date&srcrequest=%22%3E%3CSCRIPT%3Ealert('XSS_Alert')%3C/SCRIPT%3E&submit1=Search">http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=
http://search.redmondmag.com/search.asp&cmd=search&SearchForm=%%SearchForm%%&
index=C:\dtSearch\rmg\red_all&sort=Date&
srcrequest=(Insert JavaScript here)&submit1=Search

Props, as always, to Whiteacid's XSS Assistant and POST forwarder.
But behold, what do we see, but index=C:\dtSearch\rmg\red_all.
Well, now we know you use dtSearch on the C: of your Windows server (no surprise there ;-)).

Common people, fix your sites!
You have been found guilty of the following charges:
1) Vulnerable to SQLi
2) Vulnerable to XSS
3) Internal file disclosure
4) Flagrant negligence with regard to secure coding best practices
50 Flagrant disregard fo information submitted to you by the information security community.
1105 Media and the Redmond Media Group, you have failed your readers, your visitors, your customers, and yourselves, and you should be ashamed.

del.icio.us | digg]]> Sun, 18 May 2008 08:36:00 +0000 xss vulnerabilities vulnerabilities current vulnerabilities multiple xss vulnerabilities xss xss target xss assistant redmond media xss alert Redmondmag...I told you so! <![CDATA[The United Nations Serving Malware]]> http://securityratty.com/article/d1d822ed6374f6c7f294fed616ac7d76 http://securityratty.com/article/d1d822ed6374f6c7f294fed616ac7d76

Yet another massive SQL injection attack is making its rounds online, and this time without the SEO poisoning as an attack tactic, has managed to successfully infect the United Nations events page, which is now also marked as malware infected page, and with a reason since both the malicious URl and the injection are still active. According to WebSense :

"This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing. There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too. "

Let's assess the malicious injection. nihaorr1.com/ 1.js (219.153.46.28) is attempting to load nihaorr1.com/ 1.htm, where several other internal exploit serving URLs and javascript obfuscations load through IFRAMES, such as :

nihaorr1.com/ Real.gif
nihaorr1.com/ Yahoo.php
nihaorr1.com/ cuteqq.htm
nihaorr1.com/ Ms07055.htm
nihaorr1.com/ Ms07033.htm
nihaorr1.com/ Ms07018.htm
nihaorr1.com/ Ms07004.htm
nihaorr1.com/ Ajax.htm
nihaorr1.com/ Ms06014.htm
nihaorr1.com/ Bfyy.htm
nihaorr1.com/ Lz.htm
nihaorr1.com/ Pps.htm
nihaorr1.com/ XunLei.htm

and finally serve the malware, by also taking us out of the point and loading another malicious IFRAME farm at gg.haoliuliang.net/one/ hao8.htm?036 (222.73.44.162) :

Scanners Result: 18/32 (56.25%) :
W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr
File size: 24667 bytes
MD5...: 4b913be127d648373e511974351ff04e
SHA1..: 0ab703c93e3ad7c03d1aae5ea394d7db3b89bfd2

Another internal IFRAME serving exploits is also loading at haoliuliang.net, gg.haoliuliang.net/wmwm/ new.htm where a new piece of malware is served :

Scanners Result: 26/32 (81.25%)
Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN
File size: 7205 bytes
MD5...: af05c777700b338f428463e56f316a05
SHA1..: bd68f621ec6c9796afa8b766c6cf4167afbd4703

As it appears, everyone's a victim of web application vulnerabilities discovered automatically, and either filtered based on high-page rank, or trying to take advantage of the long-tail of SQL injected sites to compensate for the lack of vulnerable high profile sites.

Related posts:
UNICEF Too IFRAME Injected and SEO Poisoned
Embedded Malware at Bloggies Awards Site
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

]]> Wed, 23 Apr 2008 06:13:00 +0000 malware attack malware attack anti-malware vendor media malware gang htm nihaorr1 load nihaorr1 attack tactic The United Nations Serving Malware