Based on Google's index, the following sites are or were infected by the SQL injection attack discussed all over the place (1, 2, 3, 4, 5). From an SA perspective, News24, Sunday Times (available in dead tree only) and Talk Radio 702 have covered this.
Click here for Google's latest list.
Click here for Yahoo's latest list (much less accurate).
Status: Medium
- Most of the sites hosting the JavaScript are down, and most of the sites listed as infected seem to be clean (for SA). As this appears to be the 3rd or 4th injection, if web admins haven't fixed the root vulnerability and the attack is re-run pointing at a different domain, it could happen again.
- The command and control server the Trojan sends stolen passwords to is still up.
Warnings:
- Do not click on any of the links from Google or Yahoo, as you are likely to be taken to a website which will infect your computer with a Trojan.
- Search engines (such as Google and Yahoo) work from an index, which is a snapshot of information. This snapshot takes a while to update, so some sites may be infected and not listed yet, and others may no longer be infected and still listed.
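Because the search-engine lists lag and a re-run can point at a different domain, a site owner is better served by checking their own pages against a list of script hosts they expect. The following is an added example, not part of the original post; the host names, the allowlist and the sample page are constructed placeholders.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.mysite.example", "cdn.mysite.example"}

# Constructed sample page: script tags appended to database-backed text fields.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.mysite.example/lib.js"></script>
</head><body>
<p>Story text<script src="HTTP://Injected.Example/b.js"></script></p>
<td>Price<script src="http://injected.example/b.js"></script></td>
<script src="http://other-injected.example/x.js"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unexpected_script_hosts(html, allowed=ALLOWED_HOSTS):
    """Return a Counter of script hosts that are not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = Counter()
    for src in collector.sources:
        # Relative URLs have no host (same site); hostname is already lowercased.
        host = urlsplit(src).hostname or ""
        if host and host not in allowed:
            hits[host] += 1
    return hits


if __name__ == "__main__":
    for host, count in unexpected_script_hosts(SAMPLE_PAGE).most_common():
        print(f"unexpected script host: {host} ({count} tag(s))")
```

A hit means the stored content has been modified; removing the tags without fixing the injectable query leaves the site open to the next run.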
OSVDB's SoC code monkey, Dave, has been ferreting away and is already producing some good stuff (one, two, three). I am going to have a go at getting back into mangling some vulns later tonight. Given that the last time I mangled vulns was almost four years ago, I have a feeling I will be very pleased/surprised by the many changes.
For those of you living in the dark ages, OSVDB will be *the* canonical vulnerability reference one day; in the meantime it's just more accurate than the rest ;). All it needs is more manglers.