Nikjju Mass injection campaign (180k+ pages compromised)
Our research team have been tracking a new mass SQL injection campaign that started early this month. So far more than 180,000 URLs have been compromised. We will keep posting updates as we get them.
<script src= http://nikjju.com/r.php ></script>
This is used to redirect anyone visiting the infected websites to Fake/Rogue AVs (best-antiviruu.de.lv – mostly targeting Windows users). All the sites we analysed so far are Windows-based servers running ASP/ASP.net compromised via SQL injection.
Another interesting thing is that if you move up the Google results pages, you’ll get “Page 4 of about 457,000 results (0.21 seconds)”. It is likely that the number is even higher than our estimated 180k pages.
The domain Nikjju.com (184.108.40.206) was registered April 1st and we started to see the first batch of compromised sites a few days after (April 4th).
Updated Date: 01-apr-2012
Creation Date: 01-apr-2012
If your suspect your site has been compromised, you can verify it on Sucuri SiteCheck (free scanner).
You will also need to audit your code to make sure that any user input is sanitized before use.
We are seeing a few small .gov sites compromised as well (mostly from China):
More details to follow..