xiaobaishan.net - yet another SQL injection attack

It looks like the sites hit by the chliyi.com attack have been hit again, this time with an injection to a script pointing at www.xiaobaishan.net/dt/us/Help.asp. Right at the moment, the www.xiaobaishan.net domain is not resolving, but it does appear to be hosted on 219.146.128.119 in China.

It looks like the domain may well be a legitimate one that has somehow been compromised and 219.146.128.119 looks like a pretty standard shared server.

It's possible that the chliyi.com infected sites were deliberately targeted, the resulting HTML is an awful mess though (see below).

Some notable infected sites:

• kcsg.com (again)
• sciencescotland.org (again)
• paramountcomedy.com (again)
• drdrew.com (again)
• gisp.org (again)
• legis.state.ia.us (Iowa State legislature)
• modernamuseet.se (Stockholm Museum)
• calbears.berkeley.edu (University)
• reportchildsex.com (Child protection)
• cas.org.uk (Citizen's Advice Scotland)
• tcpmap.com (Technlogy magazine)
• randomhouse.com.au (Random House publishers, Australia)
• ispyni.com (Northern Ireland tourism)

There are a number of other sites, notably in Ireland, Australia and Canada hit too.

This is not the only SQL injection attack doing the rounds today, and I suspect that some of them have been hit by another one pointing at en-us18.com/b.js

As an aside, these multiple SQL injections are really messy. A code snippet from sciencescotland.org demonstrates this: