Stop SQL Injections - CZ32ts, NV32ts and TL32Sn

Posted By: Tech Guy
Last Updated at 8:32 PM on Monday Jan 4, 2010
Found in: ASP.NET

Lately we have noticed an increase in SQL injection attacks on our IIS web server. All of the attacks share the user agent CV32ts, but they appear to come from a very large botnet, with the attacks initiated from thousands of different IP addresses.

Searching the internet, it appears that there are 3 variants of the same botnet, each reporting a different user agent: CZ32ts, NV32ts and TL32Sn. Here is what we know about the bots:

  • All 3 botnets are related.
  • The attacks are coordinated so that they all hit at the exact same time from different IP addresses.
  • Each attack uses one of the following user agents: CZ32ts, NV32ts and TL32Sn.
  • Each attempt from one IP address uses at least 2 different variations of a valid URL on your site to inject its SQL.
  • A URL list is generated from Google's search results.
  • The botnet traverses its list of domains/websites in alphabetical order.
  • There have been reports of the botnet being controlled through a single IP address; this is unconfirmed.
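
To check your own IIS logs for the pattern in the list above, the following added example (not code from the original post) groups requests carrying the listed user agents by source IP and reports which IPs sent two or more URL variations. It assumes W3C extended logs with a #Fields line and an exact user-agent match; the log lines, IP addresses and query strings are constructed placeholders.

```python
from collections import defaultdict

# User-agent strings named on this page (exact match is an assumption).
BOT_AGENTS = {"CZ32ts", "NV32ts", "TL32Sn", "CV32ts"}

# Constructed IIS W3C log sample: documentation IP ranges, placeholder payloads.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
2010-01-04 20:01:07 192.0.2.10 GET /products.aspx id=12;PAYLOAD-A NV32ts 500
2010-01-04 20:01:07 192.0.2.10 GET /products.aspx id=12;PAYLOAD-B NV32ts 500
2010-01-04 20:01:07 198.51.100.7 GET /news.aspx cat=3;PAYLOAD-A CZ32ts 500
2010-01-04 20:01:08 198.51.100.7 GET /news.aspx cat=3;PAYLOAD-B CZ32ts 200
2010-01-04 20:01:08 203.0.113.44 GET /item.aspx sku=9;PAYLOAD-A TL32Sn 500
2010-01-04 20:01:09 203.0.113.99 GET /default.aspx - Mozilla/4.0+(compatible;+MSIE+7.0) 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def summarize_bot_hits(text, agents=BOT_AGENTS):
    """Group requests that carry a listed user agent by source IP."""
    wanted = {a.lower() for a in agents}
    per_ip = defaultdict(lambda: {"agents": set(), "urls": set()})
    for row in parse_w3c(text):
        ua = row.get("cs(User-Agent)", "")
        if ua.lower() in wanted:
            hit = per_ip[row["c-ip"]]
            hit["agents"].add(ua)
            hit["urls"].add(row["cs-uri-stem"] + "?" + row["cs-uri-query"])
    return dict(per_ip)

def multi_variant_ips(summary, minimum=2):
    """IPs that requested at least `minimum` distinct URL variations."""
    return sorted(ip for ip, hit in summary.items() if len(hit["urls"]) >= minimum)

if __name__ == "__main__":
    report = summarize_bot_hits(SAMPLE_LOG)
    for ip, hit in sorted(report.items()):
        print(ip, sorted(hit["agents"]), len(hit["urls"]), "distinct URLs")
    print("two or more URL variations:", multi_variant_ips(report))
```

A user agent is trivially changed by the client, so treat a match as a triage signal for finding affected pages, not as a blocking control on its own.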

If this happens to you, be sure to read up on how to protect against SQL injection in ASP.NET, and also check out the MS site for best practices for preventing SQL injection attacks.

