Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Report: new malicious domains associated with SQL injection attacks

July 3rd 2008 in Uncategorized

I’ve been keeping a close eye on Australian web sites that have been affected by malicious SQL injection attacks, specifically concentrating on sites that are ‘repeat offenders’.

One of the repeat offenders is walkingchallenge.gov.au. On that site I found code pointing to the domain ucomddv.com (created today, 2 July 2008), and what may be a new JS naming convention: ngg.js.

A search for ngg.js reveals even more domains: mainbvd.com (created today), cont67.com (created on 1 July 2008) and portwbr.com (created today).
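A site owner's check built from the indicators above, as an added example that is not part of the original post: it parses a page, collects every script `src`, and flags external references to the four domains named here or to a file called ngg.js on any other external host. The sample page, the example.* host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators named in the post; sample page and example.* hosts are constructed.
WATCH_DOMAINS = {"ucomddv.com", "mainbvd.com", "cont67.com", "portwbr.com"}
WATCH_FILES = {"ngg.js"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> tag, tolerating sloppy markup."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src.strip())

def find_suspect_scripts(html, site_host):
    """Return (src, reason) for each external script matching an indicator."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        try:
            parts = urlsplit(src)
            host = (parts.hostname or "").lower()
        except ValueError:
            continue  # unparseable URL; nothing to compare against
        if not host or host == site_host.lower():
            continue  # relative or same-site script
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS):
            hits.append((src, "watched domain"))
        elif filename in WATCH_FILES:
            hits.append((src, "watched filename, unlisted host"))
    return hits

# Constructed page: external script tags sitting inside stored text fields.
SAMPLE = """<html><body><h1>Walk to work</h1>
<script src="/js/site.js"></script>
<p>Join in<script src=http://www.ucomddv.com/ngg.js></script></p>
<p>More<script src="//cdn.example.net/lib.js"></script></p>
<td>Item<SCRIPT SRC="http://unlisted.example/Ngg.js"></SCRIPT></td>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_suspect_scripts(SAMPLE, "www.example.org"):
        print(f"{reason}: {src}")
```

Matching on the filename as well as the domain catches the same script served from a host that is not yet on the list, and the comparison is case-insensitive so `Ngg.js` is treated the same as `ngg.js`.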

A close look at the new domains reveals a treasure trove of relational information.

Some of the domains that can be tied in with the newly created malicious domains have been identified in association with SQL injection incidents. Others have been used for phishing – the bad guys certainly believe in diversity.

 



2 comments to...
“Report: new malicious domains associated with SQL injection attacks”

sdfsdf

Who is this? I have some of this event.



Gabriel

Ngg.js is also used for attacks from the http://www.lokriet.com domain.

