There seems to be a new SQL injection attack spreading like wildfire on the Internet that leaves a trail pointing at verynx.cn. If your applications are not hardened against SQL injection attacks, you may have noticed some very strange new behavior on some of your web pages. Specifically, when you look at the source code there is a script from verynx.cn running that you didn't put there. This is serious business on a big scale. We put in a little tracker to catch verynx.cn in the act and saw over 10,000 unique IP addresses hitting us in under 24 hours. So, don't think that a simple IP block approach will work here.
Behavior After Attack
How does the verynx.cn SQL Injection work?
There are a few steps to this little virus hack from verynx.cn. The first thing it needs to do is figure out whether your site is hardened against SQL injection. So, it will probably run a few tests on user-input forms around your site and see what it gets back. Specifically, I would imagine that they are appending simple exploratory statements to various user-input fields. In many cases, with sloppy development, this input is not validated or checked for malicious intent (I know, how crazy to trust the world ;-). So they will run an EXECUTE or SELECT at the end of a user field. If it works, they know that your site is vulnerable to a SQL injection attack.
Make sure you don't allow any statements like EXECUTE, DECLARE, VARCHAR, or SELECT through your user-input fields. Just strip them out. If you want to be slightly more proactive, keep a list of source IPs that try it and cut them off so they can't come back, but that's not entirely necessary. What's important is that the injected SQL statements never get executed. You can also remove execute permissions on the database side, but you may need those available for other reasons.
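To make the two points above concrete (the exploratory statements tacked onto form fields, and the advice to strip keywords like EXECUTE, DECLARE, VARCHAR and SELECT out of user input), here is an added example written for this post; it is not code from the original article or from any affected site. It assumes a handful of constructed request lines (the IP addresses are documentation ranges, not real visitors) and a small SQLite table standing in for whatever database the site uses. The keyword scanner implements the blacklist the post recommends, and the side-by-side lookups show why that blacklist is only a stopgap: a query built by string concatenation is still fooled by input that contains none of the listed words, while a parameterized query treats the same input as a plain value.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# The keywords the post says to strip from user-input fields.
SUSPICIOUS_KEYWORDS = ("EXECUTE", "DECLARE", "VARCHAR", "SELECT")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_KEYWORDS) + r")\b", re.IGNORECASE)


def flag_suspicious_input(value: str) -> list:
    """Return the blacklisted SQL keywords present in one form-field value (sorted, upper-case)."""
    return sorted({m.group(1).upper() for m in _KEYWORD_RE.finditer(value)})


# Constructed sample traffic: (source IP, query string). Not real log data.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "id=42"),                    # ordinary request
    ("203.0.113.9", "id=42; SELECT 1"),          # exploratory statement appended to a field
    ("198.51.100.7", "q=varchar+sizing+guide"),  # legitimate text that trips the blacklist
]


def scan_requests(requests) -> list:
    """Run the keyword check over every parameter of every request.

    Returns (ip, parameter name, keywords found) for each flagged parameter, so
    the source IPs can be reviewed or blocked as the post suggests.
    """
    hits = []
    for ip, query in requests:
        for name, values in parse_qs(query).items():
            for value in values:
                found = flag_suspicious_input(value)
                if found:
                    hits.append((ip, name, found))
    return hits


def setup_db() -> sqlite3.Connection:
    """Build an in-memory table with one public and one non-public row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "internal-only", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The sloppy pattern: the field value is pasted straight into the SQL text."""
    sql = "SELECT name FROM products WHERE public = 1 AND id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, product_id: str) -> list:
    """The fix: a parameterized query, so the field value is bound as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM products WHERE public = 1 AND id = ?", (product_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("flagged:", hit)
    db = setup_db()
    # "1 OR 1=1" contains none of the blacklisted words, yet it widens the
    # concatenated query to every row; the parameterized query returns nothing.
    print("vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))
    print("hardened:  ", lookup_hardened(db, "1 OR 1=1"))
```

The scan flags the appended SELECT, but it also flags the harmless "varchar sizing guide" search, which is the usual cost of a keyword blacklist. The lookup pair shows the other half of the story: stripping keywords stops the probe the post describes, but only binding parameters keeps the statement from being rewritten at all, so treat the blacklist as a tripwire for your logs and the parameterized query as the actual fix.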
I don't know who the dudes are at verynx.cn, but they really are no fun at all.