SQL injection domains and SA stats

I took the latest list from ShadowServer (as at 23 May 2008), and did a comparison of SA infected pages to globally infected pages. I used a lame google search for these, but it shows some interesting results. You can see where the focus on the 'well known' domains paid off, and the new injections haven't been cleaned up yet. There is a serious case of missing root cause analyses here. Still some large SA sites infected, but mainly Gov, Property and Storm telecoms sites now.

Host	Global	South Africa
9i5t.cn	418 000	37
bbs.jueduizuan.com	20 000	10
www.qiqigm.com	193 000	8
www.wowgm1.cn	65 700	8
www.nihaorr1.com	158 000	7
www.adw95.com	23 900	5
www.dota11.cn	217 000	4
www.killwow1.cn	68 000	3
usuc.us	66 200	3
www.kisswow.com.cn	60 600	3
www.chliyi.com	33 800	3
computershello.cn	30 600	3
www.2117966.net	18 600	3
xprmn4u.info	356 000	2
www.nihaoel3.com	47 600	2
www.wowgm2.cn	34 300	2
killpp.cn	18 500	2
www.banner82.com	513 000	1
www.ririwow.cn	58 500	1
www.wow112.cn	36 000	1
www.qiqi111.cn	19 500	1
s.see9.us	216 000	0
www.direct84.com	121 000	0
www.adword71.com	112 000	0
free.hostpinoy	102 000	0
www.bluell.cn	68 000	0
www.nmidahena.com	53 900	0
www.qiuxuegm.com	42 700	0
www.nihao112.com	42 500	0
www.wowyeye.cn	42 400	0
winzipices.cn	33 500	0
sb.5252.ws	20 100	0
a188.ws	19 900	0
www.117275.cn	19 500	0
www.aspder.com	18 600	0
www.11910.net	13 100	0
www.414151.com	12 900	0
urkb.net	11 400	0
firestnamestea.cn	7 640	0
1.hao929.cn	3 870	0
c.uc8010.com	964	0
a.ka47.us	769	0
rnmb.net	552	0
ucmal.com	530	0
c11.8866.org	517	0
b15.3322.org	436	0
www.caocaowow.cn	94	0
xvgaoke.cn	90	0
free.edivid.info	63	0
heartgames.cn	57	0
al.99.vc	49	0
h28.8800.org	49	0
www.msshamof.com	35	0
3.trojan8.com	22	0
n.uc8010.com	10	0
d39.6600.org	9	0
t.uc8010.com	8	0
www.aidushu.net	7	0
001yl.com	7	0
yl18.net	6	0
www.z008.net	6	0
cc.18dd.net	5	0
www.fucksb.net	5	0
m11.3322.org	5	0
bc0.cn	5	0
newasp.com.cn	3	0
vb008.cn	2	0
smeisp.cn	1	0
a.13175.com	1	0
52-o.cn	1	0
w11.6600.org	1	0
okey123.cn	0	0
b.kaobt.cn	0	0
www60.actualization.cn	0	0
17ge.cn	0	0
www.adword72.com	0	0
mm.jsjwh.com.cn	0	0
Totals	3 422 119	109

Tuesday, May 27. 2008
Posted by Dominic White in Security
Comments (2) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

#1 Dino C wrote (Link) (Reply)
Posted on Monday, June 2. 2008

Thanks for the fantastic blog :) It's extremely frustrating for us to see this happening throughout ZA space. It's a constant battle for us to make people/companies/etc _understand_ the specific risks associated with being vulnerable to SQL injection(and other attacks). It's also a battle for the companies to understand why they should actually secure their code and "sanitise sanitise sanitise"! Well, i guess they know now. I cannot tell you how many times we have tried to help multiple companies with this issue and how we are faced with them saying "What's the big deal if some hacker obtains our database of 500k users/id numbers etc" or our favorite one is "How exactly can we be held liable and why it is worth fixing". I'm sure that performance bonuses are sometimes not based on finding issues like this, but when it happens, well then its a huge issue all of a sudden(and panic sets in for all directors). I guess, the positive of this whole SQL issue is that it has opened some companies eyes and they are taking things a bit more seriously in terms of Infosec. The negative is that we can obviously see how many "High profile" companies were affected and what our state of Infosec is like in this country. Even more worrying, is how long these companies have taken to fix things(or attempt to "fix" at least). Thanks for all the research and blog posts that you have provided. I'm grateful to see someone else _almost_ as frustrated as us on this matter :)

#1.1 Dominic White wrote (Link) (Reply)
Posted on Monday, June 2. 2008

Hey Dino, Thanks for the kind words. Yeah, this is rather frustrating. I've found that explaining the business impacts to the higher ups has a better change of success, the security guys are just trying to cover their asses. For example: * The reputation of your business can be negativley affected. * You can be help liable for damage of property or worse. * The readership/ad revenue/generic business process will be negativley affected. It does bother me that such a lame attack was so successfull. We are going to see this grow for a while, especially as the injected domains increase their survivability with fast flux and the like. Also, if they make the SQL more generic to target postgres and MySQL DBs.

Add Comment

Name
Email
Homepage
In reply to
Comment
	Remember Information? Subscribe to this entry