May 27
Security

I took the latest list from ShadowServer (as at 23 May 2008) and compared, for each host, the number of South African infected pages to the number of globally infected pages. I used a lame Google search for the counts, but it still shows some interesting results. You can see where the focus on the 'well known' domains paid off, while the newer injections haven't been cleaned up yet. There is a serious case of missing root cause analysis here. Some large SA sites are still infected, but now mainly Gov, Property and Storm telecoms sites.
| Host | Global (Google results) | South Africa (Google results) |
|---|---|---|
| 9i5t.cn | 418 000 | 37 |
| bbs.jueduizuan.com | 20 000 | 10 |
| www.qiqigm.com | 193 000 | 8 |
| www.wowgm1.cn | 65 700 | 8 |
| www.nihaorr1.com | 158 000 | 7 |
| www.adw95.com | 23 900 | 5 |
| www.dota11.cn | 217 000 | 4 |
| www.killwow1.cn | 68 000 | 3 |
| usuc.us | 66 200 | 3 |
| www.kisswow.com.cn | 60 600 | 3 |
| www.chliyi.com | 33 800 | 3 |
| computershello.cn | 30 600 | 3 |
| www.2117966.net | 18 600 | 3 |
| xprmn4u.info | 356 000 | 2 |
| www.nihaoel3.com | 47 600 | 2 |
| www.wowgm2.cn | 34 300 | 2 |
| killpp.cn | 18 500 | 2 |
| www.banner82.com | 513 000 | 1 |
| www.ririwow.cn | 58 500 | 1 |
| www.wow112.cn | 36 000 | 1 |
| www.qiqi111.cn | 19 500 | 1 |
| s.see9.us | 216 000 | 0 |
| www.direct84.com | 121 000 | 0 |
| www.adword71.com | 112 000 | 0 |
| free.hostpinoy | 102 000 | 0 |
| www.bluell.cn | 68 000 | 0 |
| www.nmidahena.com | 53 900 | 0 |
| www.qiuxuegm.com | 42 700 | 0 |
| www.nihao112.com | 42 500 | 0 |
| www.wowyeye.cn | 42 400 | 0 |
| winzipices.cn | 33 500 | 0 |
| sb.5252.ws | 20 100 | 0 |
| a188.ws | 19 900 | 0 |
| www.117275.cn | 19 500 | 0 |
| www.aspder.com | 18 600 | 0 |
| www.11910.net | 13 100 | 0 |
| www.414151.com | 12 900 | 0 |
| urkb.net | 11 400 | 0 |
| firestnamestea.cn | 7 640 | 0 |
| 1.hao929.cn | 3 870 | 0 |
| c.uc8010.com | 964 | 0 |
| a.ka47.us | 769 | 0 |
| rnmb.net | 552 | 0 |
| ucmal.com | 530 | 0 |
| c11.8866.org | 517 | 0 |
| b15.3322.org | 436 | 0 |
| www.caocaowow.cn | 94 | 0 |
| xvgaoke.cn | 90 | 0 |
| free.edivid.info | 63 | 0 |
| heartgames.cn | 57 | 0 |
| al.99.vc | 49 | 0 |
| h28.8800.org | 49 | 0 |
| www.msshamof.com | 35 | 0 |
| 3.trojan8.com | 22 | 0 |
| n.uc8010.com | 10 | 0 |
| d39.6600.org | 9 | 0 |
| t.uc8010.com | 8 | 0 |
| www.aidushu.net | 7 | 0 |
| 001yl.com | 7 | 0 |
| yl18.net | 6 | 0 |
| www.z008.net | 6 | 0 |
| cc.18dd.net | 5 | 0 |
| www.fucksb.net | 5 | 0 |
| m11.3322.org | 5 | 0 |
| bc0.cn | 5 | 0 |
| newasp.com.cn | 3 | 0 |
| vb008.cn | 2 | 0 |
| smeisp.cn | 1 | 0 |
| a.13175.com | 1 | 0 |
| 52-o.cn | 1 | 0 |
| w11.6600.org | 1 | 0 |
| okey123.cn | 0 | 0 |
| b.kaobt.cn | 0 | 0 |
| www60.actualization.cn | 0 | 0 |
| 17ge.cn | 0 | 0 |
| www.adword72.com | 0 | 0 |
| mm.jsjwh.com.cn | 0 | 0 |
| **Totals** | **3 422 119** | **109** |
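As an added example (not part of the original post), here is a small Python scanner that checks page HTML, or raw database field values before they are rendered, for script tags pointing at hosts from the table above, so a site can confirm it has actually cleaned up rather than guessing from search counts. The host subset, the sample HTML and the script paths in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# A subset of the hosts from the comparison table above (constructed subset).
INJECTED_HOSTS = {
    "9i5t.cn", "bbs.jueduizuan.com", "www.qiqigm.com", "www.wowgm1.cn",
    "www.nihaorr1.com", "www.adw95.com", "www.dota11.cn", "www.killwow1.cn",
}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page or fragment."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())

def matches_host(host, bad_hosts):
    """True if host is a listed host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return host in bad_hosts or any(host.endswith("." + h) for h in bad_hosts)

def find_injected_scripts(text, bad_hosts=INJECTED_HOSTS):
    """Return (host, src) for each external script whose host is on the list.

    Works on full pages and on stored field values alike, since the injection
    lands in database content before it is ever rendered.
    """
    parser = ScriptSrcCollector()
    parser.feed(text)
    parser.close()
    hits = []
    for src in parser.srcs:
        # Protocol-relative URLs (//host/x.js) need a scheme before urlparse sees the host.
        url = "http:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host and matches_host(host, bad_hosts):
            hits.append((host, src))
    return hits

# Constructed sample: one local script, one legitimate CDN, two injected tags
# (the script file names are made up for the example).
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<p>Property listing 42</p><script src=http://www.nihaorr1.com/1.js></script>
<script src="http://cdn.example.com/lib.js"></script>
<script src='//9i5t.cn/0.js'></script>
</body></html>"""

if __name__ == "__main__":
    for host, src in find_injected_scripts(SAMPLE_HTML):
        print(f"injected script from {host}: {src}")
```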

Posted by Dominic White

Last modified on 2008-06-02 21:19


2 Comments

  1. Dino C says:

    Thanks for the fantastic blog :)

    It's extremely frustrating for us to see this happening throughout ZA space. It's a constant battle for us to make people/companies/etc _understand_ the specific risks associated with being vulnerable to SQL injection (and other attacks). It's also a battle for the companies to understand why they should actually secure their code and "sanitise sanitise sanitise"! Well, I guess they know now.

    I cannot tell you how many times we have tried to help multiple companies with this issue and how we are faced with them saying "What's the big deal if some hacker obtains our database of 500k users/id numbers etc" or our favorite one is "How exactly can we be held liable and why it is worth fixing". I'm sure that performance bonuses are sometimes not based on finding issues like this, but when it happens, well then it's a huge issue all of a sudden (and panic sets in for all directors).

    I guess the positive of this whole SQL issue is that it has opened some companies' eyes and they are taking things a bit more seriously in terms of Infosec. The negative is that we can obviously see how many "High profile" companies were affected and what our state of Infosec is like in this country. Even more worrying is how long these companies have taken to fix things (or attempt to "fix" at least).

    Thanks for all the research and blog posts that you have provided. I'm grateful to see someone else _almost_ as frustrated as us on this matter :)

  2. Dominic White says:

    Hey Dino,

    Thanks for the kind words. Yeah, this is rather frustrating. I've found that explaining the business impacts to the higher ups has a better chance of success; the security guys are just trying to cover their asses. For example:

    * The reputation of your business can be negatively affected.
    * You can be held liable for damage of property or worse.
    * The readership/ad revenue/generic business process will be negatively affected.

    It does bother me that such a lame attack was so successful. We are going to see this grow for a while, especially as the injected domains increase their survivability with fast flux and the like, and also if they make the SQL more generic to target Postgres and MySQL DBs.
