Author Topic: chliyi.com sql injection  (Read 3741 times)

0 Members and 1 Guest are viewing this topic.

May 27, 2008, 04:24:52 am
Read 3741 times

cjeremy

  • Special Members
  • Full Member

  • Offline
  • *

  • 58
    • sudosecure
Looks like another SQL injection occured.  Here are the urls from my analysis:

Code: [Select]
www.chliyi.com/reg.js  (iframe injected)
     www.chliyi.com/img/info.htm (vbscript obfustication)
            www.chliyi.com/img/real.htm  (exploit)
            www.chliyi.com/img/new.htm  (exploit)
            www.chliyi.com/img/help.htm  (exploit)
                    www.jj120.net/inc/fuckjp.exe  (bin from exploits)
                                www.hanme.cn/chs/faq/WLoader.exe  (gets this after above bin executes)
                                www.hanme.cn/chs/faq/FLoader.exe   (and then gets this)
                               

Virustotal results:
fuckjp.exe: http://www.virustotal.com/analisis/b886b982b374a082346c133c365415be
WLoader.exe: http://www.virustotal.com/analisis/5b3b142871a2c6e8d16dfad0eeebcc7d
FLoader.exe: http://www.virustotal.com/analisis/79157bf7e81c27b5d58eca72cbd24e28


Looks like ~10,000 sites have been hit by this. 

May 27, 2008, 05:37:19 pm
Reply #1

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964