JPCERT-AT-2008-0005
                                                            JPCERT/CC
                                           2008-03-14 (First edition)
                                                 2008-04-08 (Updated)

                  <<< JPCERT/CC Alert 2008-03-14 >>>

            Websites Compromised by SQL Injection Attacks

             http://www.jpcert.or.jp/at/2008/at080005.txt


I. Overview

  For the last several days, SQL injection attacks have been observed
both inside and outside Japan, resulting in many websites being
altered. When a user views an altered website, malware could be
installed on the user#&39;s computer.

1) An attacker, exploiting a web application vulnerability, embeds
script tags in data stored in a database. This alters content that is
viewed by users.

2) A malicious script may be executed on the computer of a user who 
visits an attacked site, and malware may be installed.

*** Update: Added on April 8, 2008 *********************************

    JPCERT/CC has found that the domains used for attacks have
changed at the beginning of April, and that many websites inside and
outside of Japan have been altered by these attacks. Users should be
careful when viewing websites since these attacks may still be ongoing.

********************************************************************


II. Solution

  JPCERT/CC recommends the following solutions:

  [End users]

    The attacks exploit known vulnerabilities. The solutions below
    will reduce the risk of attacks.

    - Keep the OS and installed applications up-to-date.
    - Use an antivirus software with the latest definition file
      applied.

    Also, attacks may be mitigated by disabling JavaScript execution
    because these attacks use JavaScript installed in an external 
    site.

  [Server administrators]

    Due to the SQL injection attacks, unintended scripts may be 
    inserted in the contents that are dynamically generated by a web
    server. Make sure that public contents and databases are not 
    altered.

    Characteristics: JavaScript that refers to an unfamiliar domain
    or IP address
        <script src=http://<any host>/fuckjp.js></script>
        <script src=http://<any host>/fuckjp0.js></script>

*** Update: Added on April 8, 2008 *************************
        <script src=http://<any host>/fjp.js></script>
        <script src=http://<any host>/1.js></script>

Note: JavaScript with other file names may also be used. 

************************************************************


    If an alteration is found, a vulnerability may exist in the web 
application. It is recommended to consider taking an appropriate
response such as an investigation.

        INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN
       "How to Secure Your Web Site 3rd Edition"
        http://www.ipa.go.jp/security/vuln/websecurity.html


III. References

    US-CERT
    Compromised Websites Redirect Users to Malicious Websites
    http://www.us-cert.gov/current/archive/2008/03/13/archive.html#website_compromises_facilitating_exploitation_of

    Little eArth Corporation Co., Ltd.
    Web page alterations by SQL injection attacks targeting Japan,
      and malware infection due to accessing the altered pages
    http://www.lac.co.jp/news/press20080312.html


  If you have any information you could provide regarding this alert,
please contact us.

________

Revision history
2008-03-14  First edition
2008-04-08  Added that the SQL injection attacks are still continued

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600  FAX: 03-3518-4602
http://www.jpcert.or.jp/