While catching up on my blog reading yesterday I saw mention, in Silent Noise, of some new domains used in the SQL attacks. While investigating this, I found several other domains as well (Silent Noise has since been updated with some of them). Last night I updated Mal/Badsrc-C and Mal/Iframe-F to detect this new SQL attack.
The above image shows various sites hit in this last attack. The top level contains Mal/Badsrc-C detections and the middle level Mal/Iframe-F. The bottom node is to an IP in Lebanon that is currently not responding.
The list of domains affected by this new attack is diverse:
- Several sites with TLDs suggesting a South American government.
- An educational establishment in another South American country.
- A social networking site for ex-servicemen in the UK.
- A utility comparison site in South Africa.
- A techno-gadgets site in India.
- An online programming community for .NET in India.
- A music site in the USA.