Name Game Premium join:2002-07-07 North Myrtle Beach, SC
Mass SQL injection
News from F-Secure Labs Thursday, April 24, 2008 Posted by Patrik @ 03:59 GMT
------------------------------------------------------------
There's another round of mass SQL injections going on which has infected hundreds of thousands of websites.
Performing a Google search results in over 510,000 modified pages. As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.
Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):
What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.
see more here.. »www.f-secure.com/weblog/archives···427.html -- Gladiator Security Forum »www.gladiator-antivirus.com/ * A fun/friendly/informative forum for the mature elder crowd »www.theover50goldengroup.net
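As an added illustration (not code from F-Secure or the original post), the following Python/SQLite snippet shows the weakness the post describes, a querystring ID concatenated into the SQL text, next to the parameterized form, and a sweep that looks for injected script references in every text column. The table, rows and the example.invalid domain are constructed.

```python
import re
import sqlite3

# Constructed sample data: a tiny "articles" table with one row already
# carrying the kind of injected script reference the post describes.
# example.invalid is a placeholder domain, not a site named in the thread.
SAMPLE_ROWS = [
    (1, "Hello", "Welcome to the site"),
    (2, "News", 'Latest update<script src="http://example.invalid/x.js"></script>'),
]

INJECTED_SCRIPT = re.compile(r"<script[^>]*src=", re.IGNORECASE)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_article_unsafe(conn, article_id: str):
    # String concatenation: the querystring value becomes part of the SQL
    # itself, which is the weakness the mass injection exploited.
    sql = "SELECT id, title FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def get_article_safe(conn, article_id: str):
    # Validate the type the application expects, then bind it as a parameter
    # so the database never interprets user input as SQL.
    if not article_id.isdigit():
        raise ValueError("article id must be numeric")
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (int(article_id),)).fetchall()


def find_injected_text(conn):
    # Sweep every TEXT column of every table for injected script references,
    # returning (table, column, rowid) for each hit so it can be cleaned up.
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info({table})") if c[2].upper() == "TEXT"]
        for col in cols:
            for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}"):
                if value and INJECTED_SCRIPT.search(value):
                    hits.append((table, col, rowid))
    return hits
```

With the input `1 OR 1=1`, the unsafe lookup returns every row while the safe one rejects the value before it reaches the database.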
amungus Premium join:2004-11-26 America clubs: Cox HSI
I missed this, but it has just happened to hit our corner of the web. Not fun. Not fun for our web guru either.
SQL Injection making the rounds: »blog.washingtonpost.com/security···o_1.html
...My personal favorite... »ddanchev.blogspot.com/2008/04/un···are.html The UN serving up malware 
Anyway, it's a mess. Yes, better methods of coding won't let such an attack happen. Apparently there are LOTS of sites out there getting hit with this though...
Anyone else hit with this?
Any good tips, besides re-coding things, to mitigate such an attack?
...Only other thing I've found is this: »www.aqtronix.com/?PageID=99
"What is it?
AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. More particularly it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules, set by the administrator. These rules are not based on a database of attack signatures that require regular updates. Instead WebKnight uses security filters as buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks. Because WebKnight is an ISAPI filter it has the advantage of working closely with the web server, this way it can do more than other firewalls and intrusion detection systems, like scanning encrypted traffic." (emphasis mine)
Looks like a great tool for IIS administrators. I'm trying it out tonight...
Thought I'd share the link to this software, and ask if anyone else here has dealt with this issue, and if so, how.
Thanks
redwolfe_98 join:2001-06-11 RoadRunner Cable
reply to Name Game: Name Game, I am glad you posted this.. when I saw the post at Danchev's blog, about the United Nations website, I didn't pay attention to it, but now amungus says that this has become more of an issue..
i saw this post at the "malware domain list" forum which i thought was interesting:
»www.malwaredomainlist.com/forums···c=1781.0
Name Game Premium join:2002-07-07 North Myrtle Beach, SC
edit: May 9th, @10:05AM
Thanks..some might not be able to see that info, since one must be a member according to your link:
"The topic or board you are looking for appears to be either missing or off limits to you. Please login below or register an account with Malware Domain List."
anonin @bsnl.in
reply to Name Game: As someone who just browses the net and does not host any webpages, I have the following questions:
1. Are fully patched systems safe even if one visits the infected webpages?
2. Does adding niahorr1.com (since that seems to be a common to the infected webpages) to the restricted sites list or the hosts file, stop the infection to a visitor to the affected webpages?
3. Is niahorr1.com still up? ISPs can block that site if it is not yet shut down?
mysec Premium join:2005-11-29
reply to amungus: See also:
»isc.sans.org/diary.html?storyid=4393 »www.shadowserver.org/wiki/pmwiki···20080507
Note that these are Remote Code Execution exploits. The hacked pages have multiple iframes, each exploiting a different vulnerability, hoping to find an opening on the user's computer.
said by amungus: "Any good tips, besides re-coding things, to mitigate such an attack?"
Since most exploits these days have the end result of installing a trojan, one's security should include something to prevent downloading by remote code execution any executable not already installed on your computer.
I was able to get two of the exploits to run, showing how they can be blocked:
SQL exploit test
Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to anonin: The sites themselves can block them..and do..The hosts for the sites can shut them down..an ISP could surely shield a surfer from going to niahorr1.com or any other place like it...and you can take control yourself for your own protection as you mentioned..lots of good lists out there that are updated regularly, or you can do it on your own.