Thursday, June 24, 2010

Ongoing Mass SQLi attempts

I'm continuing to see ongoing SQLi attempts using the same injection technique we saw a couple of weeks ago. As one would expect, the third-party site hosting the malicious JavaScript keeps changing. Below is a list of both the source IP addresses of the attempted SQLi attacks and the script URLs they're trying to inject:

**Last Updated 24-Jun-2010 12:45 EDT**

Source IP addresses of SQLi attacks:

86.197.85.243
218.248.42.113

Malicious Script URLs:

hxxp://oem.webserviceget.ru/js.js
hxxp://org.webservicefull.ru/js.js
hxxp://kernel.webserviceget.ru/js.js

These have been reported to MalwareDomains, ISC, Sucuri and Shadowserver.
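Because the hosting site keeps changing while two of the three listed URLs share a parent domain, a log check is more durable if it matches any subdomain of the listed domains rather than the exact hostnames. The following is an added example, not code from the original post. It assumes Apache/IIS-style access log lines that start with the client IP and that the injected URL appears URL-encoded in the request; payloads encoded some other way would match only by source IP. The sample log lines and the `new.` subdomain are constructed.

```python
import re
from urllib.parse import unquote_plus

# Indicators copied from the lists in this post (URLs left defanged).
SOURCE_IPS = {"86.197.85.243", "218.248.42.113"}
SCRIPT_URLS = [
    "hxxp://oem.webserviceget.ru/js.js",
    "hxxp://org.webservicefull.ru/js.js",
    "hxxp://kernel.webserviceget.ru/js.js",
]

def parent_domains(urls):
    """Reduce each defanged URL to its last two host labels (simplification: not public-suffix aware)."""
    out = set()
    for u in urls:
        host = u.split("://", 1)[1].split("/", 1)[0].lower()
        out.add(".".join(host.split(".")[-2:]))
    return out

DOMAINS = parent_domains(SCRIPT_URLS)
# Match a listed parent domain or any subdomain of it, but not look-alike suffixes.
DOMAIN_RE = re.compile(
    r"(?<![\w-])(?:[a-z0-9-]+\.)*(?:%s)(?![\w-])"
    % "|".join(re.escape(d) for d in sorted(DOMAINS)), re.I)

def check_line(line):
    """Return the set of reasons an access log line matches the indicators."""
    hits = set()
    if line.split(" ", 1)[0] in SOURCE_IPS:
        hits.add("source_ip")
    # Decode twice so single- and double-URL-encoded requests are both covered.
    decoded = unquote_plus(unquote_plus(line))
    m = DOMAIN_RE.search(decoded)
    if m:
        hits.add("script_host:" + m.group(0).lower())
    return hits

# Constructed sample log lines for illustration only.
SAMPLE_LOG = [
    '86.197.85.243 - - [24/Jun/2010:12:01:07 -0400] "GET /page.asp?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Jun/2010:12:02:11 -0400] "GET /page.asp?q=http%3A%2F%2Fnew.webserviceget.ru%2Fjs.js HTTP/1.1" 200 512',
    '198.51.100.4 - - [24/Jun/2010:12:03:30 -0400] "GET /index.asp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sorted(check_line(line)), line[:60])
```

The same `check_line` function can be run over exported database text fields to find content that already references one of these hosts.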

1 comment:

Mike said...

I think this one is the culprit?
http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks,trace.1366~.asp