The niggling b’s: Another chapter in the SQL injection story

Besides using Sophos Anti-Virus, a manual way of confirming that a page had been hit by one of the recent SQL injection attacks was to run the following command:

egrep -ri '\/\w\.js>' *

The main script name has been b.js but we have seen a gamut of script names of one character.

At the end of last week the gang using SQL injections changed tactics and are now using longer filenames, for example ngg.js.
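As an added example (not part of the original post or any Sophos tooling), the manual check above can be parameterised on filename length so that it also flags names such as ngg.js; this goes beyond the single-character command in the text. The function names, the example.invalid host and the sample pages are constructed for illustration.

```shell
#!/bin/sh
# Added example: generalises the one-character egrep check to script names of
# 1..MAXLEN word characters. Function names are hypothetical.

# files_with_injected_js DIR [MAXLEN]
# Lists files under DIR containing "/<short name>.js>" (default MAXLEN=3).
files_with_injected_js() (
    dir=$1; maxlen=${2:-3}
    # [[:alnum:]_] is the portable spelling of \w. As in the original pattern,
    # ">" must directly follow ".js", i.e. an unquoted src attribute.
    grep -rliE "/[[:alnum:]_]{1,${maxlen}}\.js>" -- "$dir" | sort
)

# scan_injected_js DIR [MAXLEN]
# Prints "count name" for each distinct short script name, most frequent first.
scan_injected_js() (
    dir=$1; maxlen=${2:-3}
    grep -rhoiE "/[[:alnum:]_]{1,${maxlen}}\.js>" -- "$dir" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's|^/||' -e 's|>$||' \
        | sort | uniq -c \
        | awk '{print $1, $2}' \
        | sort -k1,1nr -k2,2
)

# make_sample: writes constructed sample pages to a temp dir and prints its path.
# example.invalid is a placeholder host, not a real indicator.
make_sample() (
    d=$(mktemp -d)
    printf '%s\n' '<td>News<script src=http://example.invalid/b.js></script></td>' > "$d/a.html"
    printf '%s\n' '<p>x<script src=http://example.invalid/ngg.js></script></p>' > "$d/b.html"
    printf '%s\n' '<script src="/static/jquery.js"></script>' > "$d/clean.html"
    echo "$d"
)
```

With MAXLEN set to 1 this behaves like the original command; a larger MAXLEN will also match any legitimate short-named script referenced through an unquoted src attribute, so hits need to be reviewed by hand.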

SophosLabs are tracking these changes 24/7 and making updates to the detections Mal/Badsrc-C and Troj/Iframe-AG.