Wrong kind of ‘accident and emergency’

We have blogged about the recent SQL injection attacks a few times [1,2]. Though we have not mentioned them in the last few weeks, the problem has certainly not gone away: we are still seeing large numbers of sites affected, including many well-known brands and government sites. Sophos products detect compromised pages as Mal/Badsrc-A, -B and -C.

Many sites have been hit multiple times, resulting in script tags that attempt to load malicious content from a whole variety of malicious domains. The screenshots below show some of these domains, courtesy of the NoScript status bar.

From a web page for a UK hospital:


And from the site of an IT consultancy firm:


I have blurred the domains of the victim sites. All of the others (except google-analytics.com in the second image) are sites that will serve up malicious JavaScript to kick-start the infection process. Monitoring these domains reveals they continue to use fast-flux techniques to evade IP-filtering defenses (as previously mentioned).

Clearly these attacks are giving site administrators plenty of headaches. It is important to reiterate that recovery is not simply a matter of cleaning the malicious script tags out of the back-end database(s). As ever with malicious site defacements, it is also important to identify how the attack succeeded, so that the door can be closed. Failure to do this will almost certainly mean being hit again (as has been the case for several well-known brands we have seen in our data).
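As an added example (not code from the original post or from Sophos), here is the cleanup half of that recovery step in Python: a scan of a content table for script tags loading from hosts outside an allow-list, reporting those hosts so they can be blocked or monitored, and a write-back that strips them using bound parameters. The table name, rows and hostnames are constructed stand-ins, not values from the post.

```python
import re
import sqlite3

# Constructed sample rows standing in for a CMS content table: rows 2 and 3
# carry injected script tags of the kind the post describes, row 4 carries a
# legitimate analytics tag, row 1 is clean.
SAMPLE_ROWS = [
    (1, "Visiting hours are 9am to 8pm."),
    (2, 'Contact us.<script src="http://evil-a.example/b.js"></script>'),
    (3, "Services<script src=http://evil-b.example/ngg.js></script> list"),
    (4, 'Welcome<script src="http://www.google-analytics.com/ga.js"></script>'),
]

# Matches a <script ... src=URL ...></script> pair, quoted or unquoted URL;
# group 1 is the host the script would be fetched from.
SCRIPT_TAG = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?\s*https?://([^/"\'\s>]+)[^>]*>\s*</script\s*>',
    re.IGNORECASE,
)
ALLOWED_HOSTS = ("www.google-analytics.com",)


def load_sample_db():
    """Build an in-memory SQLite database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_injected_scripts(conn, allowed_hosts=ALLOWED_HOSTS):
    """Return {row_id: [host, ...]} for every script tag whose host is not on
    the allow-list; these hosts are what a defender blocks and monitors."""
    hits = {}
    for row_id, body in conn.execute("SELECT id, body FROM pages"):
        hosts = [h.lower() for h in SCRIPT_TAG.findall(body or "")]
        hosts = [h for h in hosts if h not in allowed_hosts]
        if hosts:
            hits[row_id] = hosts
    return hits


def strip_injected_scripts(conn, allowed_hosts=ALLOWED_HOSTS):
    """Remove flagged tags, writing back with bound parameters (the same
    discipline that closes the injection vector). Returns rows rewritten."""
    def keep_or_drop(match):
        return match.group(0) if match.group(1).lower() in allowed_hosts else ""
    changed = 0
    for row_id in find_injected_scripts(conn, allowed_hosts):
        body = conn.execute("SELECT body FROM pages WHERE id = ?", (row_id,)).fetchone()[0]
        conn.execute("UPDATE pages SET body = ? WHERE id = ?", (SCRIPT_TAG.sub(keep_or_drop, body), row_id))
        changed += 1
    conn.commit()
    return changed
```

Removing the tags only restores the pages; the query that let the tags in must still be found and parameterised, or the scan will simply flag them again.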

For those interested in finding out more about SQL injections and methods to mitigate an attack, I would recommend reading this recent article.