Tens of thousands of legitimate websites have been compromised and have had code added that directs visitors to malicious websites. These iframes are similar to the following (obfuscated, periods replaced with spaces):
- <script src=”hxxp://www aspder com/1 js”> </script>
- <script src=”hxxp://www 414151 com/fjp js”></script>
- <script src=”hxxp://www nihaorri com/1 js”> </script>
Other domains used include:
- banner82 com
- wowgm1 cn
- direct84 com
- wowgm2 cn
- killwow1 cn
- wowyeye com
- vb008 cn
- 9i5t cn
- computershello com
A large number of these iframes are inserted through SQL injection via a form or querystring. All forms and querystrings need input checking and validation.
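One way to apply that input checking to a numeric querystring value and a free-text form field, shown as an added example rather than code from the original post. It uses Python with an in-memory SQLite database as a stand-in for the site's own stack; the `articles` table, the function names and the sample inputs are all constructed for illustration.

```python
import re
import sqlite3

ID_RE = re.compile(r"[0-9]{1,9}")  # assumed rule: ids are short ASCII decimal integers

def make_db():
    """Build an in-memory content table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", "<p>Hello</p>"), (2, "News", "<p>Update</p>")])
    return conn

def get_article(conn, raw_id):
    """Querystring id: reject anything that is not purely digits, then bind it."""
    if not isinstance(raw_id, str) or not ID_RE.fullmatch(raw_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute("SELECT title, body FROM articles WHERE id = ?",
                        (int(raw_id),)).fetchone()

def search_titles(conn, raw_term, max_len=64):
    """Form field: bound the length, then bind the text; never concatenate it into SQL."""
    if not isinstance(raw_term, str) or len(raw_term) > max_len:
        raise ValueError("search term too long")
    # Escape LIKE wildcards so the visitor's text is matched literally.
    term = raw_term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute("SELECT id FROM articles WHERE title LIKE ? ESCAPE '\\' ORDER BY id",
                        ("%" + term + "%",))
    return [r[0] for r in rows]

def bodies(conn):
    """Return every stored page body, to confirm nothing was appended to them."""
    return [r[0] for r in conn.execute("SELECT body FROM articles ORDER BY id")]

if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile inputs shaped like the injection described above.
    hostile_id = "1; UPDATE articles SET body = body || '<script src=hxxp://example.invalid/1.js></script>'"
    try:
        get_article(conn, hostile_id)
    except ValueError as exc:
        print("rejected:", exc)
    print(search_titles(conn, "News' OR '1'='1"))  # treated as literal text
    print(bodies(conn))
```

The same two habits apply whatever the database: validate each input against the narrowest pattern it can legitimately take, and pass values as bound parameters so they can never change the statement's structure.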
Here are some forum posts from other website owners who are discussing this:
There are even automated tools the BadGuys use to discover vulnerable web sites. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on a web site.
Here are some good articles on SQL Injection attacks and some tips on how to prevent them (watch wrap):