Security researchers at Webroot warn that another massive SQL injection attack is currently underway and that hundreds of thousands of websites have already had a malicious script injected into their content that points to one of the following domains:
- hjfghj.com/r.php (~84,900 sites infected)
- fgthyj.com/r.php (~205,000 sites infected)
- gbfhju.com/r.php (~68,200 sites infected)
- statsmy.com/ur.php (~930,000 sites infected)
- stmyst.com/ur.php (~236,000 sites infected)
All of the domains are parked at 18.104.22.168, which is hosted within the Russian Federation, and are registered using the same information as other domains used in previous SQL injection attacks, including the Lizamoon mass SQL injection attack last year:
James Northone firstname.lastname@example.org
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
Webroot analysts suspect that the cybercrooks are already beginning to cover their tracks, though, as the domains listed above are currently returning a “404 Not Found” error message. However, given the amount of activity witnessed from this group within the last year, it’s only a matter of time before they launch their next attack.
To avoid being affected by mass SQL injection attacks like these, users should keep their systems up-to-date and use antivirus software. Past mass SQL injection attacks by this particular group were focused on spreading scareware (fake antivirus software), so be cautious of “security alerts” that do not follow the typical behavior and/or appearance of your legitimate antivirus program.
Site owners can reduce the chance of their site being compromised by using strong FTP credentials, keeping their CMS and its plug-ins patched, and, because these attacks inject SQL through unvalidated web input, making sure their own code builds database queries with parameterized statements rather than string concatenation.
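One concrete check a site owner can run is to scan exported page content (or a database dump of text columns) for `<script>` tags whose `src` points at the domains listed in the Webroot report, and to strip them. The following is an added example written for this page, not code from Webroot or from the article; the domain list is taken from the report above, while the sample rows, table and column names are constructed here purely for illustration.

```python
import re
from typing import Dict, List, Tuple

# Domains named in the Webroot report above (statsmy.com and stmyst.com serve
# ur.php, the other three serve r.php).  The regex below accepts any path so
# that a renamed script on the same host is still caught.
INJECTED_DOMAINS = (
    "hjfghj.com",
    "fgthyj.com",
    "gbfhju.com",
    "statsmy.com",
    "stmyst.com",
)

# Matches an injected <script> tag and its closing tag.  The src attribute is
# commonly written without quotes in these injections (<script src=http://...>),
# so the quotes and the scheme are both optional; scheme-relative //host/ is
# accepted too.  Group 1 is the domain, group 2 the path.
_INJECTED_SCRIPT_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//(?:www\.)?("
    + "|".join(re.escape(d) for d in INJECTED_DOMAINS)
    + r")(/[^'\"\s>]*)?[^>]*>\s*(?:</script\s*>)?",
    re.IGNORECASE,
)


def find_injected_scripts(text: str) -> List[Tuple[str, str]]:
    """Return (domain, path) for every injected script reference found in text.

    A bare mention of a domain in prose (no <script> tag) is not reported.
    """
    return [
        (m.group(1).lower(), m.group(2) or "")
        for m in _INJECTED_SCRIPT_RE.finditer(text)
    ]


def strip_injected_scripts(text: str) -> str:
    """Remove every matching <script ...></script> tag from text."""
    return _INJECTED_SCRIPT_RE.sub("", text)


def scan_rows(rows) -> List[Dict[str, object]]:
    """Scan (table, column, row_id, value) tuples, e.g. from a database export.

    Non-string values are skipped.  Each hit records where the injection was
    found so the row can be cleaned or restored from backup.
    """
    hits: List[Dict[str, object]] = []
    for table, column, row_id, value in rows:
        if not isinstance(value, str):
            continue
        for domain, path in find_injected_scripts(value):
            hits.append(
                {"table": table, "column": column, "row_id": row_id,
                 "domain": domain, "path": path}
            )
    return hits


# Constructed sample rows (hypothetical table/column names), not real data.
SAMPLE_ROWS = [
    ("articles", "title", 1,
     "Quarterly results<script src=http://statsmy.com/ur.php></script>"),
    ("articles", "body", 1, "<p>Revenue grew 4%.</p>"),
    ("comments", "text", 7,
     'Nice post! <script type="text/javascript" '
     'src="http://hjfghj.com/r.php"></script>'),
    # Prose mention of a listed domain without a script tag: must not be a hit.
    ("comments", "text", 8, "Is statsmy.com a legitimate stats provider?"),
    ("comments", "created", 8, 1335000000),  # non-string value is skipped
]


if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"{hit['table']}.{hit['column']} row {hit['row_id']}: "
              f"{hit['domain']}{hit['path']}")
```

Because the regex keys on the hosts rather than on the exact `r.php`/`ur.php` paths, it also flags a renamed script on one of those hosts; to cover a future campaign from the same group, append the new domains to `INJECTED_DOMAINS`. Cleaning rows with `strip_injected_scripts` removes the payload but does not close the hole it came through, so the fix to the injectable query still has to be made.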