
500 Thousand MS Web Servers Hacked

kdawson posted more than 5 years ago | from the scream-and-shout dept.

Security 332

andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."

332 comments

ob... (4, Funny)

Anonymous Coward | more than 5 years ago | (#23198614)

Does it run on linux.

Re:ob... (5, Interesting)

ArcherB (796902) | more than 5 years ago | (#23198802)

Does it run on linux.
That is actually a good question and the first thing I thought of. While I'm not worried about my little webserver being hacked as it runs on Linux without MySQL, I am worried about my browser.

If I run Firefox on Linux without NoScript, is there a danger?

Re:ob... (4, Insightful)

RobBebop (947356) | more than 5 years ago | (#23199212)

In other words, you can't rely on the site you are visiting to be safe.. so the onus is on the end user to make sure their PC is fully patched and as secure as possible.

The above quote is from the article link which lists "important sites that have been compromised". I think the important thing is that any site running MSSQL could potentially be compromised in a way that would affect a reader of that site who (a) does not have an updated web browser, or (b) doesn't have script disabled.

In 2008... why is it really so easy to put a damned single or double quote into a SQL form and then make it possible to execute your malicious code on that server? Shouldn't disabling this be a fundamental security rule for databases?

Re:ob... (0, Troll)

sm62704 (957197) | more than 5 years ago | (#23198924)

No. IIS is a Microsoft server. I've heard that IIS stands for "It Isn't Secure".

Does half a million compromised servers comprise a Beowulf cluster? No again [wikipedia.org] .

I'd quote the Uncyclopedia entry on Microsoft, but the Microsoft <strike>shills</strike> fanboys would mod me "troll" [uncyclopedia.org] .

Re:ob... (2, Interesting)

plague3106 (71849) | more than 5 years ago | (#23198982)

Except that Sql injections can happen on any web server with a poorly coded application. So you should be marked as troll, but your comments on IIS are just here to stir up MS fanboy. To be fair, it's been a long time since there was any huge number of exploits on IIS.

Bias? (5, Informative)

jmpeax (936370) | more than 5 years ago | (#23198632)

SQL injection is a result of poor data validation on the part of the web application - not, as the blurb implies, an indicator of an insecure web server. LAMP installations are also susceptible to SQL injection [mysql.com] (PDF). From TFA:

Unless [...] data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls.
As for the fact that Firefox + NoScript prevents the problems, that really isn't a surprise seeing as these specific exploits rely on executing a JScript. Any browser with scripting disabled would be immune.

The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.

Re:Bias? (3, Interesting)

ischorr (657205) | more than 5 years ago | (#23198678)

Also, is it 500,000 web *sites* identified so far, or 510,000 web *pages*?

Re:Bias? (4, Informative)

Mia'cova (691309) | more than 5 years ago | (#23198838)

The blurb completely misquotes the article. The article clearly states pages as reported by google. Plus, Google is hardly a live metric for the state of the internet. It really gives us a very poor estimate of how much impact this is having.

Also, which browsers are affected? It sounds like most of the exploits being used against the browsers have already been patched. Is there a new one there?

Re:Bias? (5, Insightful)

Shados (741919) | more than 5 years ago | (#23198700)

I agree, and that was my first reaction: "Wtf does IIS have to do with SQL injection". If nothing else, a LAMP stack would be more susceptible, not because of the servers, but because PHP didn't have mainstream prepared statements as part of a default standard install in its earlier versions, and now that it DOES have it, a lot of script kiddies or peanut gallery programmers aren't using them, as opposed to Java/.NET/Whatever which, while still having some issues with the same group of newbie developers, are prepared-statement centric in their development paradigms and documentation, thus reducing the amount of possible SQL injection significantly, unless the apps are made in legacy environments too.

It's such a ridiculous flamebait, I don't know what to say.

Re:Bias? (1, Troll)

MrMr (219533) | more than 5 years ago | (#23198868)

I don't know what to say.
That's pretty obvious.

How is the alleged fact that a LAMP stack would have been more vulnerable to this IIS directed attack relevant to this story? No claims of superiority for any server software in the blurb. Are you just trolling?

Re:Bias? (4, Insightful)

Shados (741919) | more than 5 years ago | (#23198954)

No, I'm not trolling. My point is that the story itself is trolling. This isn't an IIS directed attack, it is a "bad programming" directed attack. The -same- attack, exactly, would work -regardless- of the server. You don't even need to CHECK which server is running on the machine for this attack to work, since the server is IRRELEVANT, and I was trying to demonstrate that. Nothing more.

It is NOT an IIS directed attack. At best, it's a loose correlation statistic, and one that's pretty useless without comparing it to other references, such as other web servers.

Re:Bias? (2, Insightful)

willyhill (965620) | more than 5 years ago | (#23199142)

This is not an IIS attack, it is an application attack. No more IIS specific than this [slashdot.org] one is Apache's fault, correct?

I love the difference in tone between the two submissions, and especially the "haha this is all a big joke, relax" tone of the comments on the other one.

It's unfortunate that Slashdot is becoming one big FUD-spewing machine.

Re:Bias? (0)

Anonymous Coward | more than 5 years ago | (#23199238)

He's not trolling, you idiot. Just stating the fact that IIS is in no way related to SQL injection, bad programming is.

Re:Bias? (4, Informative)

Col. Klink (retired) (11632) | more than 5 years ago | (#23199174)

> "Wtf does IIS have to do with SQL injection". RTFA:

the attackers looked for ASP or ASPX pages containing any type of querystring
This specific attack, of which google has found over half a million affected pages, is targeted at IIS.

Re:Bias? (4, Interesting)

Shados (741919) | more than 5 years ago | (#23199314)

Doesn't change that IIS doesn't have anything to do with it. If you take aside that both ASP and ASP.NET (more ASP though) aren't IIS specific by a long shot, the attack is targeting specific technologies, then targeting specific software development flaws within the boundaries of those technologies. If I'm running PERL/PHP on my server, it won't see it. If I'm running an ASP page on Apache, it will, and even if my server hasn't been patched for the last 5 years, I'm no more or less vulnerable to that attack.

If the attackers looked for servers that were advertising themselves as IIS, and/or attacked IIS vulnerabilities or bad administration practices, you'd have a point. But the fact that the servers were running IIS was little beyond a strong correlation.

Not really (3, Informative)

Scareduck (177470) | more than 5 years ago | (#23198772)

PHP has pretty much fixed SQL injection hacks, at least for MySQL, something TFA you quote mentions on page 74. Given that this is the majority combination on web-facing machines, shouldn't that blunt the "LAMP installations are also susceptible to SQL injection" if only by quantity? I mean, I agree with your counter-FUD reasoning, but it seems to me that this blunts your whole sentence, MySQL+PHP being two pillars (and the last half) of LAMP.

Re:Not really (1)

SatanicPuppy (611928) | more than 5 years ago | (#23198878)

That's still pretty new; I've been using php for a while, and it's only been recently that I stopped feeling the need to use my home-rolled anti-injection methods over the new code methods.

There are still plenty of examples of bad php out there; I'd hardly call it fixed when the problem has never really been a problem of the language, but instead a problem of lazy programmers.

Re:Not really (1)

jmpeax (936370) | more than 5 years ago | (#23198892)

The features they discuss were only introduced in the most recent version of PHP, and many, many servers are still running older releases.

Furthermore, note that these safeguards are only a basic defence and programmer awareness is still required to ensure SQL injection can't happen:

But, magic quotes is a generic solution that doesn't include all of the characters that require escaping, and the feature isn't always enabled (for reasons outlined in the first chapter). Ultimately, it's up to you to implement safeguards to protect against SQL injection.

Re:really hust 500,000 (1)

CHRONOSS2008 (1226498) | more than 5 years ago | (#23198786)

Just 500,000? I know one exploit that's worth a cool few million ROFL isn't the www fun, bet you're all glad I don't go round giving knowledge like that out let alone leave it ANYWHERE near a pc attached to the net

Re:really hust 500,000 (0)

Anonymous Coward | more than 5 years ago | (#23198858)

...Right

Re:really hust 500,000 (0)

Anonymous Coward | more than 5 years ago | (#23198970)

Sure, kid. Hey, I think your mom just called you up for lunch.

Re:Bias? (1, Interesting)

jellomizer (103300) | more than 5 years ago | (#23198844)

'); drop table users; --Yea this is a microsoft problem. That wouldn't be the cause of poor website development.

Re:Bias? (1)

Splab (574204) | more than 5 years ago | (#23198936)

That will only work on languages supporting multiple statements. PHP/MySQL which is the most commonly used will just throw an error at you.

Re:Bias? (1, Funny)

Anonymous Coward | more than 5 years ago | (#23199302)

HA!, I'm immune from your puny attack. My users table is named Users_Obfuscated

Re:Bias? (1)

Splab (574204) | more than 5 years ago | (#23198888)

Well lamp isn't as vulnerable as MS SQL is - not because of better security mind you, but due to lack of support for multi queries in PHP.

When injecting in a PHP/MySQL environment you are limited to what you can do inside the query provided by the server (or of course if some retard has put the whole query as a get/put you got free pickings.)

Re:Bias? (4, Insightful)

Anonymous Coward | more than 5 years ago | (#23198910)

Agreed. I *hate* Microsoft and am as rabid a Free Software advocate as you will find, but code injection attacks are neither the fault of nor prevented by the OS or web server.

If users of open source software want to protect our largely well-deserved right to be smug, we have to be no less vigilant against these attacks than the proprietary chumps. This particular attack may only have hit MS servers, but this category of attack in general is frighteningly equal-opportunity.

We can't take our superiority for granted; we have to earn it every day.

Re:Bias? (0)

Anonymous Coward | more than 5 years ago | (#23198912)

Yes, please everyone, run mod_security on your LAMP servers because Linux is just as vulnerable in theory. (Exploit is application layer.)

Course, secure code would be good but it's often written by crack^H^H^H^H^H PHP monkeys and the admin is not given a veto.

Linux admins running in circles (0)

Anonymous Coward | more than 5 years ago | (#23198930)

SQL injection is a result of poor data validation on the part of the web application - not, as the blurb implies, an indicator of an insecure web server. LAMP installations are also susceptible to SQL injection [mysql.com] (PDF)
I'm sure we'll soon have an article about all the Linux admins running around in circles at one of the many forums.
 

Re:Bias? (4, Interesting)

toby360 (524944) | more than 5 years ago | (#23198980)

I have to agree that this is highly Biased.
This has nothing to do with IIS, SQL or ASP, coding against SQL injection is the responsibility of web designer. Also it should be noted that ASP was originally released way back when with NT4.0 in 1996(v1) , 2.0 in 1997 and 3.0 in 2000 http://en.wikipedia.org/wiki/Active_Server_Pages [wikipedia.org] .

With the newer ASP.NET MS was kind enough to provide several layers of protection against attacks such as SQL injection with both server side and client side validation applied to controls when built in the designer (by default).

Re:Bias? (0)

Anonymous Coward | more than 5 years ago | (#23199088)

Amen to that.

When I saw "MS Web servers hacked" and "by SQL Injection" I was like... "This guy must be retarded."

Not to mention Apache's buffer overflow exploit which really did incur a root-kitted server box >_>

If you're gonna criticise MS technology, do it because it actually is an MS flaw.

FUD is as FUD does (1)

Foofoobar (318279) | more than 5 years ago | (#23199264)

FUD proliferation. One must spread FUD before Microsoft spreads FUD. Just the other day, Bill Gates himself stated that you cannot make money with GPL'd products (while Redhat and SUSE and IBM and MYSQL and others continually make millions). So while we do ourselves a disservice, the only way to fight FUD is with FUD.

The Trojan is hosted in China (1, Informative)

Malevolent Tester (1201209) | more than 5 years ago | (#23198656)

Anyone surprised?

Re:The Trojan is hosted in China (1)

Concerned Onlooker (473481) | more than 5 years ago | (#23198784)

A little. I would have thought it would have been Greece.

Re:The Trojan is hosted in China (1)

FurtiveGlancer (1274746) | more than 5 years ago | (#23198988)

Ancient Greece maybe, but now most likely Turkey.

Close but no Gyro.

Re:The Trojan is hosted in China (1)

Concerned Onlooker (473481) | more than 5 years ago | (#23199190)

Yes, but that wouldn't have made for such a good joke. Apparently this one didn't either.

Re:The Trojan is hosted in China (1)

FurtiveGlancer (1274746) | more than 5 years ago | (#23199280)

You could always try the Friend Of Taiwan, ROC vs PRC approach, but I don't see that succeeding either.

Better to say "Tough Crowd" and look for the next Score 5, Funny.

epic lol (-1, Troll)

conan1989 (1142827) | more than 5 years ago | (#23198688)

epic lol... you'd think these guys who run web servers would be geeky enough to know FOSS pawns M$*

Re:epic lol (5, Informative)

James Kilton (714163) | more than 5 years ago | (#23198738)

Wow. The responses on the forum http://forums.iis.net/t/1148917.aspx?PageIndex=1 [iis.net] are sad indeed. Windows Security patches DON'T protect against shittily built websites. My favorite:

I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwritten that script into all of your products. Luckily a database restore fixed the problem. Two days later the same thing happened, I have changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing but this time as the pages are loaded ActivX is activated and wants to run but of course I did not allow it. Anybody has successfully solved this situation?
It truly sickens me how many web developers STILL don't know about SQL Injection.
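A defender's check for the situation in the quoted forum post, where a restore alone did not stop the reinfection: this added example (not part of any post in the thread) walks every text column of a database and reports rows carrying a `<script src=...>` tag that points at an external host. The three host names come from the story summary; SQLite stands in for the real database, and the table names, sample rows and the `PLACEHOLDER.js` path are constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts named in the story summary at the top of this page.
REPORTED_HOSTS = ("nmidahena.com", "aspder.com", "nihaorr1.com")

# Captures the src value of a script tag, quoted or unquoted.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Only absolute or protocol-relative URLs name a host; relative paths are local.
HAS_HOST = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)


def script_hosts(text):
    """Return the set of external hosts referenced by script tags in text."""
    hosts = set()
    for url in SCRIPT_SRC.findall(text):
        if HAS_HOST.match(url):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    return hosts


def is_reported(host):
    return any(host == d or host.endswith("." + d) for d in REPORTED_HOSTS)


def text_columns(conn, table):
    # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        if any(t in ctype.upper() for t in ("TEXT", "CHAR", "CLOB")):
            cols.append(name)
    return cols


def scan(conn, allowed_hosts=frozenset()):
    """List (table, column, rowid, host, verdict) for script tags in stored text."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in text_columns(conn, table):
            query = f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?'
            for rowid, value in conn.execute(query, ("%<script%",)):
                if not isinstance(value, str):
                    continue
                for host in script_hosts(value):
                    if host in allowed_hosts:
                        continue
                    verdict = "reported" if is_reported(host) else "unknown-external"
                    findings.append((table, col, rowid, host, verdict))
    return sorted(findings)


def build_sample_db():
    """Constructed sample data: one injected row, one local script, one CDN script."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
    """)
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Blue widget", "A plain description."),
        (2, "Red widget",
         "Sturdy.<script src=http://www.nihaorr1.com/PLACEHOLDER.js></script>"),
        (3, "Green widget", 'Uses <script src="/js/site.js"></script> locally.'),
    ])
    conn.execute("INSERT INTO pages VALUES (?, ?, ?)",
                 (1, "Home", '<script src="https://cdn.example.org/lib.js"></script>Welcome'))
    return conn


if __name__ == "__main__":
    for finding in scan(build_sample_db(), allowed_hosts={"cdn.example.org"}):
        print(finding)
```

A clean scan after a restore says nothing about the page that accepted the injection; the rows come back until the vulnerable query itself is fixed.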

Re:epic lol (4, Insightful)

caluml (551744) | more than 5 years ago | (#23198896)

Why do you think he's a developer? He sounds more like a sysadmin to me.
Sure, he should know about SQL injection stuff - but even if he did, would he be able to fix it?

Re:epic lol (1)

SatanicPuppy (611928) | more than 5 years ago | (#23198944)

That one made me laugh. Wasn't that Einstein's definition of insanity? Doing the same thing over and over and expecting different results?

Anyone can make a mistake; forget to taint a variable or something, but when you've obviously got an exploitable bug, you need to fix it, not just constantly rebuild the hacked database, probably losing data every time.

Re:epic lol (1)

jellomizer (103300) | more than 5 years ago | (#23198986)

Well Computer Science Programs rarely if ever cover SQL. Or place it in the same class as web development. So you have kids just out of college with 0 SQL experience and get into business which is heavy SQL based. As well many of them are not security minded. They think what does it take to get it to work and not as much as what does it take to break it. Then there is an issue of funding, pressure to get it done fast can leave such issues wide open.

Re:epic lol (2, Insightful)

Shados (741919) | more than 5 years ago | (#23199018)

How can you blame them however? Look at what THIS site (as in Slashdot) is doing. The headline implies that it's an IIS hack. If you read the posts attached to this -very- article, a significant amount of people are replying acting like it IS a server issue, related to MS or some such.

When such misconceptions are so pervasive (even in -articles- on a geek web site like here!), obviously newbies are going to be confused all over the place.

It's a bit similar on how there's still so many SQL Server DBAs who think stored procedures are faster by design than dynamic SQL.

Re:epic lol (3, Informative)

D Ninja (825055) | more than 5 years ago | (#23198928)

Parent -1 Flamebait. (Actually...it's more Article -1 Flamebait.)

Anyway, as it has already been noted, this problem has nothing specifically to do with the IIS servers.

Two other notes:
FOSS is good, I agree. But FOSS, by default, is not always better than closed source solutions. Making a blanket statement like that is being just as close minded as the opposite camp.

Using M$ to represent Microsoft is soooooooo 1990s.

Re:epic lol (1)

mckinnsb (984522) | more than 5 years ago | (#23199292)

Anyway, as it has already been noted, this problem has nothing specifically to do with the IIS servers.

Yes, but interestingly enough, the targets seem to be IIS servers. The vulnerability is not IIS specific, as SQL injection can happen anywhere, on any platform, if the developer isn't paying attention.

So this prompts the following question: Why were only IIS servers targeted, if this wasn't simply an IIS vulnerability? Was this a political statement, an intentional "mudball hack" (tarnishing IIS's reputation), or simply a coincidence-that a lot of poorly trained developers maintain and develop IIS systems, even if there are many talented IIS/.ASP net developers out there?

Thoughts?

Re:epic lol (1)

D Ninja (825055) | more than 5 years ago | (#23199338)

From a cursory reading of the forum thread, it seems like IIS was attacked because, once the SQL Injection was made, the attackers relied on ActiveX vulnerabilities (which, I will absolutely agree - ActiveX is crap) and specific Windows applications (Real Player, Yahoo Messenger) to continue the attack.

That, IMO, is why IIS was the focus. Not specifically because of IIS, but an IIS machine is guaranteed to be running on a Windows box.

LOL (2, Funny)

ThePhilips (752041) | more than 5 years ago | (#23198714)

Lolicious.

I once spent an hour trying to explain IIS/MS SQL Server admin what PHP/MySQL addslashes()/mysql_escape_string() do - all to no avail. He was absolutely sure it is sufficient to like in VB surround any string with single quotes and it all will be fine.

Now seeing that it's real fun for guys, I can only laugh.

Re:LOL (1)

sakdoctor (1087155) | more than 5 years ago | (#23198808)

To which he replied: "Don't use mysql_escape_string(), it's a deprecated function. Use mysql_real_escape_string() instead."

Re:LOL (2, Informative)

Shados (741919) | more than 5 years ago | (#23198882)

I'd personally laugh at you. Escaping sql strings, what the hell? the 1980/90s called and they want their obsolete methodologies back.

In any semi-advanced programming language or framework (including PHP, even more so since PHP5 as it doesn't require any extension or whatever), you just use prepared statements. Maybe that MS SQL Server admin was a bozo, but in VB, you'll almost always be using prepared statements (even in VB5-6, pre-.NET), or at worse, stored procedures, which act as prepared statements.

SQL string escaping is nonexistent in environments where prepared statements are first class citizens of the language/framework, because they're inferior methods of handling it. (and again: even in PHP it's not what you're supposed to do).

So this isn't an IIS attack at all. (1)

Chas (5144) | more than 5 years ago | (#23198724)

This is a SQL injection attack. IIS just happens to be the front-end of a poorly written web app.

Thus, if I'm running a web app that doesn't rely on IIS for anything more than presentation, and am not using SQL in my authentication (say something like Terminal Services or GraphOn), I should be fine.

Correct?

Re:So this isn't an IIS attack at all. (1)

Shados (741919) | more than 5 years ago | (#23198780)

Yup. Heck, even if you are using SQL on every last thing... if you're using prepared statements (or stored procedures), which MUST be done for performance reasons and code maintainability ANYWAY (sql strings concat is such a ridiculous anti-pattern...), you're immune.

SQL Injection is by far the stupidest security vulnerability there is... Worse than buffer overflows, cross site scripting, etc... Because you have to go -out of your way- to make them possible. You have to make your code slower, take more time to develop, harder to read and maintain, etc, before you can be vulnerable... You have to -try- (or be a totally clueless developer).

There is no excuse for it.

Re:So this isn't an IIS attack at all. (2, Informative)

kisrael (134664) | more than 5 years ago | (#23199086)

I agree there's no excuse for it, but in your second paragraph I don't agree with your logic 'til the final parenthetical remark.

In development, it often IS simpler to start with a single hardcoded SQL query (probably cut and paste from your DB tool, and then if your language supports + or . for string concat, it's easier to just do a "+variablename+" where the hardcoded value was -- plus, it keeps the flow of the SQL 'sentence' in correct order, rather than that kind of weird "sprintf()"ness you get when you have placeholder ?s in your string and a list of variables at the end.

Mind you, I'm not defending this; it's still a D,U,M thing to do, but also it is a lazier route, it doesn't really "take more time to develop, harder to read and maintain" like you said.

Re:So this isn't an IIS attack at all. (1)

Shados (741919) | more than 5 years ago | (#23199270)

I don't know, personally. You need all those concat symbols, the parameters aren't obvious...

"select * from blah where stuff = " + var1 + " and lol = '" + var2 + "';";

It gets messy when you have strings, dates in special formats, xml literals, multiline queries... look at this around var2, the single quote followed by a double quote... messy messy. And depending on the language, you have to escape the quotes, etc. Crazy. How can you guys even read that? Nevermind debug it when it gets complicated.

Then when you need to modify the query, you need to start goofing around, moving the quotes, if it was a string that became a number, you have to change it (so you have to be "type aware"). It definitely is far more time consuming in anything beyond a one shot web site made by a single developer that you won't maintain.

Though if you use a database driver that forces you to use "?" as placeholders, it's not quite as great as I make it (such as OLE DB), but modern ones that have named place holders ("@parameterName"), definitely.
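The points made in this sub-thread and in the earlier exchange about multiple statements, put side by side as an added example that is not part of any post: the payload quoted earlier in the thread is sent through a concatenated INSERT on a connection that accepts statement batches, through the same concatenation on a single-statement call, and through a named placeholder. SQLite via Python's `sqlite3` is an assumption standing in for the MS SQL and MySQL drivers discussed (`executescript` models a batch-capable driver, `execute` a single-statement one, `:body` the `@parameterName` style); the table names are constructed.

```python
import sqlite3

# Payload quoted earlier in this thread.
PAYLOAD = "'); drop table users; --"


def fresh_db():
    """Constructed schema: a users table worth protecting and a comments table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT);
        CREATE TABLE comments (body TEXT);
        INSERT INTO users VALUES ('alice');
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def save_concat_batch(conn, body):
    # Vulnerable on purpose: string concatenation, sent to a call that runs
    # every statement in the string (stand-in for a batch-capable driver).
    conn.executescript("INSERT INTO comments (body) VALUES ('" + body + "')")


def save_concat_single(conn, body):
    # Same concatenation, but execute() refuses more than one statement.
    # The input still rewrites the SQL text; the call just fails instead.
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")


def save_bound(conn, body):
    # Named placeholder: the SQL text is fixed, the value travels separately.
    conn.execute("INSERT INTO comments (body) VALUES (:body)", {"body": body})


def run_case(save):
    """Run one save function against a fresh database and report the outcome."""
    conn = fresh_db()
    error = None
    try:
        save(conn, PAYLOAD)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        error = type(exc).__name__
    stored = [row[0] for row in conn.execute("SELECT body FROM comments")]
    return {
        "users_table_survives": table_exists(conn, "users"),
        "stored": stored,
        "error": error,
    }


if __name__ == "__main__":
    for save in (save_concat_batch, save_concat_single, save_bound):
        print(save.__name__, run_case(save))
```

Only the placeholder version stores the text the user actually typed; the single-statement call keeps the table but turns hostile or merely apostrophe-bearing input into an error.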

Re:So this isn't an IIS attack at all. (4, Informative)

SatanicPuppy (611928) | more than 5 years ago | (#23199206)

There are several smart things that need to be done to protect yourself.

Restrict the account that is used to access the database to the absolute minimum permissions it needs to run; using one set of credentials for insert/update/delete and another for selects is enough to foil a lot of exploits (I actually never allow deletes, just out of paranoia...I just update the record with an "inactive" flag, and purge them later with a local account).

For gods sake, don't allow a single account to access multiple databases, and even within the database make sure it only has access to the tables you're going to be using. I've seen more than a few MySQL injections that just dump the user table to the screen because some joker didn't think he needed to restrict access for "SELECT" statements.

Escape ALL data that comes from userland. This is your first line of defense, and it's where most people screw up. If you let an escape character past without it being escaped, your only protection is the privileges associated with the user account.

Abstract your data methods. If you just throw out random SQL queries all through your code, you're going to make a mistake somewhere. Make a single method that does your selects. Make a single method that does your inserts, etc. If it's only in ONE PLACE you can go over the code in extreme detail. If the queries are scattered through the code, you can't.

This is all just best practice stuff. The most important thing is to PAY ATTENTION and remember that one unsecured account can screw your entire server.

It's gotta be M$'s fault somehow! (0)

Anonymous Coward | more than 5 years ago | (#23198736)

Extra! Extra! Third-party software with a vulnerability is somehow M$'s fault!

SQL injection attacks can affect any platform and any database. It is the result of trusting unsanitized user input implicitly and either using it to construct a query statement or using it as data. In the first case the query can be modified to perform malicious activities, such as bypassing database-driven security in a website or modifying the database objects. In the latter case the unsanitized input could contain fragments of HTML or script that is sent back to the browser and rendered.

All of the platforms have mechanisms to prevent these issues, but the developers have to actually be intelligent enough to use them.

Seems to be affecting older versions of IIS... (1)

mckinnsb (984522) | more than 5 years ago | (#23198752)

Solution: Upgrade to Windows Vista!

I kid! I kid!

Honestly though, this is a little humiliating. I understand that things get out of control in large projects, but I thought most people nowadays should know that database input sanitizing now fell among those universal truths, including but not limited to: brushing your teeth, wearing a condom, et al.

It's unforgiving, but you really do have to sacrifice speed for security sometimes. That being said, I feel pretty bad for all those sys-admins/developers who are probably going to have a late night tonight...and maybe for the next week or two.

Re:Seems to be affecting older versions of IIS... (2, Insightful)

Shados (741919) | more than 5 years ago | (#23198810)

You don't even need to sanitize database input. Just use freakin' prepared statements. There's no cleanup or validation necessary (for this particular vulnerability I mean, that is, sql injection).

500 Thousand?! (0)

Anonymous Coward | more than 5 years ago | (#23198754)

I'm 1 hundred % shocked.

Re:500 Thousand?! (0)

Anonymous Coward | more than 5 years ago | (#23199104)

I'm only 90 eight per $.01 shocked.

wait a second (1)

the brown guy (1235418) | more than 5 years ago | (#23198760)

If I do not have noscript for ffx, then I am vulnerable, and I am also unsure of what happens when you are infected with one of these trojans or w/e. Is it really that bad if my computer is a POS that I use for nothing important? Is there a threat of keyloggers? I have zonealarm running and AVG antivirus,,,,,,

Article is misleading (1)

Geak (790376) | more than 5 years ago | (#23198768)

The article states a google search found over 500,000 modified pages. The post states over 500,000 servers. This is seriously misleading. If a site is hacked you could have several hundred modified pages on the site. This brings the number of servers down considerably.

That sucks (1)

evil-osm (203438) | more than 5 years ago | (#23198790)

Canadian National Security's site is on the list. Sigh.

serious (1)

the brown guy (1235418) | more than 5 years ago | (#23198800)

www.safecanada.ca [Canadian National Security] www.n-somerset.gov.uk [UK Local Government] events.un.org [United Nations] www.unicef.org.uk [UNICEF]
These are a list of infected sites, don't click unless you know what you're doing. But I am worried when they are affecting reasonably high traffic sites, whose visitors are not too likely to be running noscript.

This site makes me sick (4, Insightful)

RzUpAnmsCwrds (262647) | more than 5 years ago | (#23198804)

This site makes me sick sometimes. If this were a problem with PHP (which, mind you, it IS), we wouldn't be calling it a "vulnerability".

ASP.net has lots of built-in features to prevent SQL injection attacks (like bind parameters) and the ASP.net DB documentation specifically warns about this type of attack.

Anyone still getting hit with this in 2008 needs to be whacked on the head.

Re:This site makes me sick (5, Insightful)

MrMunkey (1039894) | more than 5 years ago | (#23198890)

Anyone still getting hit with this in 2008 needs to be whacked on the head.
This is true of any language, not just ASP. You can easily prevent SQL injection with Perl, Python, PHP, etc.

Re:This site makes me sick (0, Flamebait)

javilon (99157) | more than 5 years ago | (#23199042)

Maybe it has to do with the average quality of windows sysadmins and programmers. You can do us all a favor and whack their heads.

But, with 500,000 websites hacked, you have a lot of whacking to do...

Re:This site makes me sick (1)

evolutionary (933064) | more than 5 years ago | (#23199108)

Uh, sorry to correct you, but indicating PHP has a problem because it doesn't automatically do idiot checking for a developer is misrepresenting the problem. For example: mysql_string_escape() could easily be called (when using mysql) on a central routine to handle all SQL code execution. In addition, making functions to find escape characters isn't that hard. I greatly respect you taking the time to comment, and commend you for pointing out premade functions do exist, but when it comes to PHP vs. ASP.net you have to be careful when you say one platform has a problem because it doesn't do everything for you that you can do yourself isn't accurate.

Re:This site makes me sick (0)

Anonymous Coward | more than 5 years ago | (#23199194)

The real problem is that the people running IIS are too stupid to write correct web applications.

I'm seriously not affiliated with them, but .. (0)

Anonymous Coward | more than 5 years ago | (#23198818)

I would like to remind people to donate to our saviours such as the NoScript people (if you use it)
After reading this article, I'm sending in $5 right now...

People need to wake up both businesses and users (1)

evolutionary (933064) | more than 5 years ago | (#23198894)

Okay, this is sad on two levels: First, SQL inject attack vulnerability is due to sloppiness by the web developers. I've seen this potential problem in code reviewed on many web servers, both Apache as well as IIS. It's well known that if you don't use proper functions to remove escape characters before processing submitted data, getting hacked is inevitable.

This has nothing to do with Apache being more secure than IIS (which is true), but truth be told neither web server is responsible for the root of this problem: lazy web development combined with no security review. The other sad part of this is everyone wants to make websites that are "web 2.0" enabled, requiring lots of Javascript to make cool but often unnecessary functions. Many top websites (Slashdot.org is an exception, thank god) are UNUSABLE without javascript enabled and this is just poor design. Combined with this, IE 6/7's inability to use plugins like NoScript makes infections like this inevitable for people using IE. I'll grant that disabling ActiveX by default in IE 7 was an improvement, but on many sites which foolishly depended on ActiveX, it caused other issues. Again, web developers need to be more diligent in developing LONG term according to universal usability (W3C compliant) and security.

I constantly tell people to use FireFox, NOT IE, in part because I know javascript is currently the big gaping hole in Internet security these days (which this article illustrates). No one, myself included, has time to read every piece of javascript code going through their browser, and regular users don't have the book learning to do this themselves, so NoScript is truly a godsend (and I donate to them). But still it's up to users to be aware, demand that websites be functional without javascript, and only use browsers that can check javascript for trojan/spyware code. It's also up to developers to take web security a LOT more seriously than they have. For any web developer, SQL inject attack vulnerabilities like this are EMBARRASSING. It shows rushed work that wasn't properly reviewed or audited.

Okay this is an honest question (-1, Flamebait)

blhack (921171) | more than 5 years ago | (#23199004)

Admitted newbie question here, but why do people even RUN MS IIS? Is there something that it does that can't be done on Apache? Windows XP makes a great desktop environment for the office, but where does Microsoft have any business making server software other than Domain Controllers for telling their desktop machines what to do?

Re:Okay this is an honest question (1)

D Ninja (825055) | more than 5 years ago | (#23199020)

Again, this has nothing to do with IIS. I'm being redundant, and MS has done some crappy things in the past, but this is due to poor web site development (specifically SQL injections) and nothing to do with IIS.

Re:Okay this is an honest question (1)

Shados (741919) | more than 5 years ago | (#23199132)

First, as someone already stated, the vulnerability is in poor software development practice, and is pervasive in all environments, be it MS, Linux, Apache, IIS, PHP, ASP.NET, JAVA, whatever.

Second, IIS, since version 6, is amazingly secure, comparable with the likes of Apache. It's also the more straightforward platform to use as an ASP.NET server (obviously, unless you're into Mono), or to use along with a lot of fairly interesting technologies, such as TFS, Reporting Services, Sharepoints, etc.

On top of that, well, just by having a windows-based network, IIS is already "pre-configured". That is, aside from web server specific stuff, it's already on your server, can be admin-ed the same way, etc. Adding a box with a different OS, a non-integrated web server, etc., is just overhead.

Same way as, regardless of anything, if you were all java based, NOT using a java app server for your web apps would just be overhead, unless you have a damn good reason.

what does the trojan do? (4, Insightful)

circletimessquare (444983) | more than 5 years ago | (#23199016)

ok, story 1 is a sql injection

there seems to be a story 2 here: what the trojan will do in a few weeks to all of the IE users who visit these half a million sites

and, reading some of the links and finding that these trojan hosting domains are registered in china, there also seems to be a story 3: chinese hackers are pissed off

i got hacked shortly after the hainan island incident [wikipedia.org] in 2001. that is when the us spy satellite was bumped a chinese fighter, and was forced to land on hainan island (china). there was much chinese nationalist anger then, and it was taken out by hacking western sites with "f**k usa!" and the chinese flag replacing the main page

obviously, this hack is contemporaneous with the whole tibet riots/ olympic torch protests. that's the meat of this story, and that avenue seems unexplored as of yet. similar to the russian ddos of estonia due to the deprecation of a war statue in 2007 [slashdot.org]: the lesson is that, much like al qaeda and terrorism, cyber warfare is not so much a tool of any state government, but chest-thumping activity for ultranationalists and religious bigots and other organizations of cultural or national or religious chauvinism. the theme of the 21st century seems to be shaping up as partisan tribalism and extreme ideology reaching beyond the notions of sovereignty, statehood to go to war with each other in novel ways

PLEASE LEARN TO READ!!! (0)

Anonymous Coward | more than 5 years ago | (#23199030)

English is not my native language, but obviously I can read it better than some people...

THE F-SECURE WEBSITE IS TALKING ABOUT 510,000 MODIFIED PAGES.
THAT DOESN'T MEAN 510,000 WEBSERVERS!!!

The dangers of using Windows and IIS... (-1, Troll)

Doug52392 (1094585) | more than 5 years ago | (#23199046)

Just goes to show you how much better Linux, Apache, MySQL, and PHP are than the thousand dollar Windows Server, thousand dollar Microsoft SQL Server, thousand dollar Microsoft ASP.Net development tools!

Re:The dangers of using Windows and IIS... (0)

Anonymous Coward | more than 5 years ago | (#23199178)

This just goes to show you how much cheap (and clueless) web developers actually cost. This is a problem of laziness.

Re:The dangers of using Windows and IIS... (1)

evolutionary (933064) | more than 5 years ago | (#23199224)

Actually LAMP solutions are just as vulnerable to SQL inject attacks in the hands of the wrong web developer. I love LAMP (and Ruby on Rails) and I will take it over ASP.net any day. But in all fairness (and for the record, in the majority of cases I think Linux/Apache is better than IIS), neither Microsoft nor the Apache Team is responsible for this. It's careless developers who take submitted html data and send it to the database without proper checking and removal of external sql code. You can hack either web solution without this basic security check. Just so people are clear, and to be fair to MS (even though they are not the brightest bulbs in security).

500,000? Where'd that number come from? (5, Informative)

Robotron2084 (262343) | more than 5 years ago | (#23199076)

Before you post such a headline, perhaps it would be a good idea to check your facts. I RTFA'ed and checked those links and there is no mention of how many servers were attacked. There were 510,000 pages mentioned, but pages do not equal servers. This is a sensationalistic headline based on a sensationalistic interpretation of a Google web search.

Re:500,000? Where'd that number come from? (2, Insightful)

Unnngh! (731758) | more than 5 years ago | (#23199278)

Yep...too bad there's not a firehose or some other way to vote to pull existing posts. This is wrong through and through and is just confusing and misleading.

Re:500,000? Where'd that number come from? (1)

FurtiveGlancer (1274746) | more than 5 years ago | (#23199322)

Remember, this is /. not CNN. Nothing but characters here....

Maintain your sense of humor: come Friday, it may be all you have left!

Problem exists between keyboard and chair (0)

Anonymous Coward | more than 5 years ago | (#23199156)

This has nothing to do with IIS, nor does it have anything to do with Windows security flaws, nor does it have anything to do with ASP or ASP.net. It has to do with retarded programmers who don't know how to prevent SQL injection even after it's been heavily publicized.

But this comment isn't going to stop people from posting more of these "lol MS" comments, is it?

I am not sure (1)

hesaigo999ca (786966) | more than 5 years ago | (#23199160)

I googled this ("script srcscript" | "scriscript" | "scriptscript" )
and found 1,990,000 pages with this same script attack...as for how many servers this represents,
I don't know.

Re:I am not sure (1)

hesaigo999ca (786966) | more than 5 years ago | (#23199180)

Actually slashdot removed the open html tag bracket, so right before each 's' put an open tag and it will work.

Still? (1)

xSacha (1000771) | more than 5 years ago | (#23199166)

Gee, it's 2008 already. Yet you can still search: inurl:.php form and attempt a pathetic SQL injection successfully on about 5% of your results. How pathetic. People should need a licence to write PHP/SQL.

Javascript (0)

_bug_ (112702) | more than 5 years ago | (#23199236)

FTFA: Currently, there is no such protection for IE users, and disallowing Javascript entirely isn't really an option on today's World Wide Web.

Why isn't it really an option? It sure as hell should be. Anyone interested in creating a good, accessible, usable web site would do well to make sure their site works fine without javascript or flash or java or any other embedded tech that could be used to exploit users.

As these sorts of attacks increase in popularity the awareness and education of end-users will increase as well. Eventually browsers will come stock with features similar to noscript and web pages will be loaded, by default, without javascript or any other embedded tech enabled.

Any meaning to the site names? (3, Interesting)

Guppy (12314) | more than 5 years ago | (#23199324)

Hmmm.... nihaorr1.com? "Ni Hao" is a greeting, like "Hello" in Chinese. Anyone figure out any meaning behind the other names?

(Other meanings are possible as well, due to the large number of homophones in the language, but this is by far the most obvious meaning.)