SQL attacks are not dead

While catching up on my blog reading yesterday I saw mention, in Silent Noise, of some new domains used in the SQL attacks. While investigating this, I found several other domains as well (Silent Noise has since been updated with some of them). Last night I updated Mal/Badsrc-C and Mal/Iframe-F to detect this new SQL attack.

The above image shows various sites hit in this latest attack. The top level contains Mal/Badsrc-C detections and the middle level Mal/Iframe-F. The bottom node is an IP address in Lebanon that is currently not responding.

The list of domains affected by this new attack is diverse:

  • Several sites with TLDs suggesting a South American government.
  • An educational establishment in another South American country.
  • A social networking site for ex-servicemen in the UK.
  • A utility comparison site in South Africa.
  • A techno-gadgets site in India.
  • An online programming community for .NET in India.
  • A music site in the USA.

My colleague Fraser has explained how to avoid SQL attacks several times in the blog and as a podcast. SQL attacks are not dead and system administrators still need to be vigilant.