SA Security Bloggers
SensePost
Junaid LoonatPopular Entries
Articles
Vulnerability Life Cycle - threat modelling
Web Hacking 2.0
Why Exploit Markets are Bad
Ettercap-NG Workings and Defence
The Zotob Summary
How-To's
Linux SSH Jail with pam_chroot
Firefox Privacy & Security Extensions
Papers
Managing Patching, my MSc Thesis
Risk Analysis of Monthly Patch Schedules
Tools
Automated Vodacom SMS (VodaSMS)
RSS 2 SMS
DShield Hack Detection
Neologisms
Encryption principles
Zoolander's Law
Syndicate This Blog
SSL
Certificate fingerprints:
SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89
HTTPS version.
You can find an explanation here.
License
Disclaimer
This blog and its contents are in no way affiliated with, or endorsed by my employer.
Tuesday, May 27. 2008
SQL injection domains and SA stats
I took the latest list from ShadowServer (as at 23 May 2008), and did a comparison of SA infected pages to globally infected pages. I used a lame google search for these, but it shows some interesting results. You can see where the focus on the 'well known' domains paid off, and the new injections haven't been cleaned up yet. There is a serious case of missing root cause analyses here. Still some large SA sites infected, but mainly Gov, Property and Storm telecoms sites now.
| Host | Global | South Africa |
| 9i5t.cn | 418 000 | 37 |
| bbs.jueduizuan.com | 20 000 | 10 |
| www.qiqigm.com | 193 000 | 8 |
| www.wowgm1.cn | 65 700 | 8 |
| www.nihaorr1.com | 158 000 | 7 |
| www.adw95.com | 23 900 | 5 |
| www.dota11.cn | 217 000 | 4 |
| www.killwow1.cn | 68 000 | 3 |
| usuc.us | 66 200 | 3 |
| www.kisswow.com.cn | 60 600 | 3 |
| www.chliyi.com | 33 800 | 3 |
| computershello.cn | 30 600 | 3 |
| www.2117966.net | 18 600 | 3 |
| xprmn4u.info | 356 000 | 2 |
| www.nihaoel3.com | 47 600 | 2 |
| www.wowgm2.cn | 34 300 | 2 |
| killpp.cn | 18 500 | 2 |
| www.banner82.com | 513 000 | 1 |
| www.ririwow.cn | 58 500 | 1 |
| www.wow112.cn | 36 000 | 1 |
| www.qiqi111.cn | 19 500 | 1 |
| s.see9.us | 216 000 | 0 |
| www.direct84.com | 121 000 | 0 |
| www.adword71.com | 112 000 | 0 |
| free.hostpinoy | 102 000 | 0 |
| www.bluell.cn | 68 000 | 0 |
| www.nmidahena.com | 53 900 | 0 |
| www.qiuxuegm.com | 42 700 | 0 |
| www.nihao112.com | 42 500 | 0 |
| www.wowyeye.cn | 42 400 | 0 |
| winzipices.cn | 33 500 | 0 |
| sb.5252.ws | 20 100 | 0 |
| a188.ws | 19 900 | 0 |
| www.117275.cn | 19 500 | 0 |
| www.aspder.com | 18 600 | 0 |
| www.11910.net | 13 100 | 0 |
| www.414151.com | 12 900 | 0 |
| urkb.net | 11 400 | 0 |
| firestnamestea.cn | 7 640 | 0 |
| 1.hao929.cn | 3 870 | 0 |
| c.uc8010.com | 964 | 0 |
| a.ka47.us | 769 | 0 |
| rnmb.net | 552 | 0 |
| ucmal.com | 530 | 0 |
| c11.8866.org | 517 | 0 |
| b15.3322.org | 436 | 0 |
| www.caocaowow.cn | 94 | 0 |
| xvgaoke.cn | 90 | 0 |
| free.edivid.info | 63 | 0 |
| heartgames.cn | 57 | 0 |
| al.99.vc | 49 | 0 |
| h28.8800.org | 49 | 0 |
| www.msshamof.com | 35 | 0 |
| 3.trojan8.com | 22 | 0 |
| n.uc8010.com | 10 | 0 |
| d39.6600.org | 9 | 0 |
| t.uc8010.com | 8 | 0 |
| www.aidushu.net | 7 | 0 |
| 001yl.com | 7 | 0 |
| yl18.net | 6 | 0 |
| www.z008.net | 6 | 0 |
| cc.18dd.net | 5 | 0 |
| www.fucksb.net | 5 | 0 |
| m11.3322.org | 5 | 0 |
| bc0.cn | 5 | 0 |
| newasp.com.cn | 3 | 0 |
| vb008.cn | 2 | 0 |
| smeisp.cn | 1 | 0 |
| a.13175.com | 1 | 0 |
| 52-o.cn | 1 | 0 |
| w11.6600.org | 1 | 0 |
| okey123.cn | 0 | 0 |
| b.kaobt.cn | 0 | 0 |
| www60.actualization.cn | 0 | 0 |
| 17ge.cn | 0 | 0 |
| www.adword72.com | 0 | 0 |
| mm.jsjwh.com.cn | 0 | 0 |
| Totals | 3 422 119 | 109 |
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
Thanks for the fantastic blog :)
It's extremely frustrating for us to see this happening throughout ZA space. It's a constant battle for us to make people/companies/etc _understand_ the specific risks associated with being vulnerable to SQL injection(and other attacks). It's also a battle for the companies to understand why they should actually secure their code and "sanitise sanitise sanitise"! Well, i guess they know now.
I cannot tell you how many times we have tried to help multiple companies with this issue and how we are faced with them saying "What's the big deal if some hacker obtains our database of 500k users/id numbers etc" or our favorite one is "How exactly can we be held liable and why it is worth fixing". I'm sure that performance bonuses are sometimes not based on finding issues like this, but when it happens, well then its a huge issue all of a sudden(and panic sets in for all directors).
I guess, the positive of this whole SQL issue is that it has opened some companies eyes and they are taking things a bit more seriously in terms of Infosec. The negative is that we can obviously see how many "High profile" companies were affected and what our state of Infosec is like in this country. Even more worrying, is how long these companies have taken to fix things(or attempt to "fix" at least).
Thanks for all the research and blog posts that you have provided. I'm grateful to see someone else _almost_ as frustrated as us on this matter :)
Hey Dino,
Thanks for the kind words. Yeah, this is rather frustrating. I've found that explaining the business impacts to the higher ups has a better change of success, the security guys are just trying to cover their asses. For example:
* The reputation of your business can be negativley affected.
* You can be help liable for damage of property or worse.
* The readership/ad revenue/generic business process will be negativley affected.
It does bother me that such a lame attack was so successfull. We are going to see this grow for a while, especially as the injected domains increase their survivability with fast flux and the like. Also, if they make the SQL more generic to target postgres and MySQL DBs.
Quicksearch
this blog:
Schneier on Security: Friday Squid Blogging: Squid Launcher from "Despicable Me"