Whereas the value of these malicious domains lies in the historical preservation of evidence, the list is prone to grow on a daily basis thanks to copycats and the Asprox botnet, as long as hundreds of thousands of sites continue operating with outdated and unpatched web applications. The Shadowserver Foundation's list of malicious domains used in the SQL injection attacks:
Some new additions that I'm tracking:
The rough number of SQL injected sites is around 1.5 million pages; in reality the number is much bigger, and there are several ongoing campaigns injecting obfuscated characters, which makes them a bit more time consuming to track down. Who's behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today's SQL injectors have built-in reconnaissance capabilities, like this one which I assessed in a previous post.