SQL Injection Attacks

A new mass SQL injection attack has left over 6000 websites hosting malicious JavaScript. The JavaScript adds an IFrame that points to winzipices.cn which is hosting exploits targeting realplayer plugins for Internet explorer. Shadowserver.org has an excellent writeup on this.

If any of the exploits are successful a file is downloaded from http://61.188.38.158/images/test.exe. Users are warned not to visit any of these sites as they could change at any time to include other exploits or security threats and are capable of silently installing malicious software onto a vulnerable machine without any user interaction.

We recommend that administrators block the domain winzipices.cn, and the IPs 61.188.38.158 and 61.134.37.15.