Mass SQL injection attack compromises IIS/ASP sites

Thousands of websites and who knows how many visitors were affected by the recently discovered mass SQL injection attack that targeted – among others – The Wall Street Journal and The Jerusalem Post websites.

Sucuri Security spotted the attack on many websites and Googled the http://ww.robint.us/u.js web address to which the script was pointing, and according to the results, some 114.000 different pages contained it.

Further investigation into the matter revealed the common denominator: all sites are hosted on IIS servers and use ASP.net. By sifting through the logs and the packet dump of the attack, they also discovered that the attack was launched against a third party ad management script.

When a user visits a compromised site, the malicious code will attempt to redirect him to a site where malware is waiting to be installed on his machine and allow the criminals behind this attack remote access to it.

Mary Landesman, security researcher with Cisco, claims that only around 7,000 pages are infected (she searched the entire script through Google, not just the web address it points to). She also points out that when it comes to larger websites, only certain pages on the websites are infected, which – she admits – might not mean much to affected users.