
SQL Injection Attack Claims 132,000+

CmdrTaco posted more than 4 years ago | from the check-yer-code-people dept.

Security 186

An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."


186 comments

hey (2, Funny)

Spazztastic (814296) | more than 4 years ago | (#30387714)

Hey, I went to 318x.com and all of a sudden my computer is acting funny. Any suggestions?

Re:hey (0)

Anonymous Coward | more than 4 years ago | (#30387746)

*tumbleweed* ...

Re:hey (4, Funny)

jo42 (227475) | more than 4 years ago | (#30387784)

dd if=/dev/zero of=/dev/sda bs=8192 will fix it.

Re:hey (2, Funny)

unformed (225214) | more than 4 years ago | (#30387924)

dd: opening `/dev/sda` failed: Permission denied.

Re:hey (0)

Anonymous Coward | more than 4 years ago | (#30387992)

sudo !!

Re:hey (1)

unformed (225214) | more than 4 years ago | (#30388030)

Ok thanks, trying it no

CARRIER DISCONNECT

Damned whippersnappers.... (0)

Anonymous Coward | more than 4 years ago | (#30389260)

You're doing it wrong, it should be... NO CARRIER

Re:hey (0)

Anonymous Coward | more than 4 years ago | (#30389360)

So wait, you were trying it while multi-tasking by commenting on Slashdot at the same time (you must have been typing a few chars into the comment box, and then switching contexts to put a few at the shell prompt, and then hit enter at the shell just before you were about to switch back to Slashdot to type a "w"), and then as your drive was being zeroed out, something nicely typed CARRIER DISCONNECT into the comment box, previewed your comment, and then submitted it before crashing your system. THAT MAKES NO SENSE AT ALL!!!

Re:hey (1)

Pieroxy (222434) | more than 4 years ago | (#30389526)

Yes, all that.

Re:hey (2, Funny)

Anonymous Coward | more than 4 years ago | (#30388072)

sudo !!

sudo dd if=/dev/zero of=/dev/sda bs=8192

Nope. Just says "Bad command or file name".

Re:hey (0)

Anonymous Coward | more than 4 years ago | (#30388534)

Try this: deltree /y C:

Re:hey (1)

Runaway1956 (1322357) | more than 4 years ago | (#30389114)

Uhhhhmmmm - does deltree still exist on Windows? It's been a long time since I used it. Somewhere along the line, I called it, and it didn't exist. Windows ME? Windows XP? I don't remember, but it wasn't there. Try rd or rmdir instead. http://en.wikipedia.org/wiki/Deltree [wikipedia.org]

Re:hey (2, Funny)

Anonymous Coward | more than 4 years ago | (#30387928)

"'dd' is not recognized as an internal or external command, operable program or batch file."

Still broken! =(

Posting AC so I don't get modded to hell by people who either don't think that was funny or are simply incapable of recognizing a joke.

Re:hey (4, Funny)

Yvan256 (722131) | more than 4 years ago | (#30387866)

Call a comedy club and get your computer on stage?

Re:hey (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30388332)

Antivirus2009, that will clean it right up for you.

Little Bobby Tables (3, Funny)

bmearns (1691628) | more than 4 years ago | (#30387738)

I blame Mrs. Roberts [xkcd.com] .

Re:Little Bobby Tables (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30387864)

Go back to digg xkcd linking fag.

Re:Little Bobby Tables (2, Funny)

bmearns (1691628) | more than 4 years ago | (#30388128)

Digg? Sorry, I'm not really into Pokemon.

318x.com (2, Interesting)

NoYob (1630681) | more than 4 years ago | (#30387772)

I tried to go there and I got this from Google: Diagnostic page for 318x.com [google.com]

After doing a whois, I see that just about all information is described as "Unknown"

Why is this domain still in existence? Can ICANN take it down?

It looks like the sole reason for this domain is for malware.

Re:318x.com (2, Informative)

NeverVotedBush (1041088) | more than 4 years ago | (#30387990)

318x.com is now in my hosts file. Can at least try to protect ourselves...

Re:318x.com (1)

ls671 (1122017) | more than 4 years ago | (#30389304)

318x.com zone is now defined in my DNS so I don't have to update host files on each and every one of my computers.

Just kidding, but host files are so 1980 ;-))

Come on, what a crappy article! (0)

Anonymous Coward | more than 4 years ago | (#30387778)

Doesn't say what systems are affected by this SQL Injection. What is the vulnerability? Doesn't say how to detect a compromised server. Etc...

What is the point of this?
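The comment's detection question (how a site owner tells whether their own server is among the injected ones) can be answered by scanning stored content for the injected tag itself. The following is an added example, not code from the article or from ScanSafe: a Python scanner that walks every TEXT column of a SQLite database and reports any `<iframe>` or `<script>` whose `src` points at 318x.com (the domain named in the summary). The `pages` table, its rows and the path in the sample iframe are constructed for the demo.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# 318x.com is the domain named in the story; add others as you learn them.
SUSPICIOUS_DOMAINS = {"318x.com"}


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every <iframe> and <script> tag seen."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def suspicious_sources(markup, domains=SUSPICIOUS_DOMAINS):
    """Return (tag, src) pairs whose host is one of the given domains
    or a subdomain of one."""
    collector = _SrcCollector()
    collector.feed(markup)
    hits = []
    for tag, src in collector.sources:
        host = urlparse(src).hostname or ""
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((tag, src))
    return hits


def scan_text_columns(conn, domains=SUSPICIOUS_DOMAINS):
    """Scan every TEXT column of every table in the database.
    Returns a list of (table, column, rowid, src) findings."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk)
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                if (r[2] or "").upper() == "TEXT"]
        for col in cols:
            for rowid, value in conn.execute(
                    f'SELECT rowid, "{col}" FROM "{table}"'):
                # cheap pre-filter: nothing to parse without a tag opener
                if not isinstance(value, str) or "<" not in value:
                    continue
                for _tag, src in suspicious_sources(value, domains):
                    findings.append((table, col, rowid, src))
    return findings


def build_sample_db():
    """Constructed sample CMS data: one clean page, one injected page,
    one page with a legitimate iframe from another host."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
        ("About us", "<p>We sell widgets.</p>"),
        ("News", '<p>Latest news.</p>'
                 '<iframe src="http://318x.com/a.htm" width=0 height=0></iframe>'),
        ("Contact", '<p>Mail us.</p><iframe src="https://www.example.com/map"></iframe>'),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for finding in scan_text_columns(build_sample_db()):
        print("injected content:", finding)
```

Against a real site, point `sqlite3.connect` at a dump of the CMS database (or port the two queries to the database in use); the pre-filter keeps the scan cheap on large text columns, and the host match catches subdomains rather than only the bare name.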

Windoze (1, Informative)

jDeepbeep (913892) | more than 4 years ago | (#30387806)

Doesn't say what systems are affected by this SQL Injection.

All I can tell (from TFA), is it affects Windows servers.

correction (1, Troll)

jDeepbeep (913892) | more than 4 years ago | (#30387832)

Doesn't say what systems are affected by this SQL Injection.

All I can tell (from TFA), is it affects Windows

Fixed. Need coffee.

Re:Windoze (5, Informative)

TheNinjaroach (878876) | more than 4 years ago | (#30387918)

All I can tell (from TFA), is it affects Windows servers.

SQL injection attacks affect any number of platforms. It's not a Windows problem, it's not a database problem, it's a "we hired cheap, unskilled developers" problem.

Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

Re:Windoze (2, Informative)

jDeepbeep (913892) | more than 4 years ago | (#30387968)

Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

Yeah. I saw my error after I had posted it, so I tried to correct it with a follow up.

Re:Windoze (1, Informative)

Anonymous Coward | more than 4 years ago | (#30388574)

True, but the flash exploit is available on anything with flash it looks like (not updated, of course), so the only thing saving Linux/Mac/Sun users is lack of interest on the part of the malware writers.

Re:Windoze (1)

danlip (737336) | more than 4 years ago | (#30388710)

What really amazes me is how easy it is to avoid SQL injection attacks. You don't have to be a security genius. Use PreparedStatements in Java (or their equivalent in other languages). Problem solved.

Re:Windoze (1, Informative)

TheLink (130905) | more than 4 years ago | (#30389046)

Only easy when using sane languages.

But it used to be very difficult to do the right thing with PHP.

The PHP developers were either incompetent or malicious. Evidence: they created insane stuff like addslashes, magic_quotes and even mysql_real_escape_string.

See: http://php.net/manual/en/function.mysql-real-escape-string.php [php.net]

Fortunately they eventually introduced stuff like PDO (but there was some confusion in the days of PEAR::DB).

And we didn't get stuff like "mysql_definitely_the_real_escape_string_now_no_really" ;).

But why didn't they just copy other people and introduce stuff like PDO right at the start?

Re:Windoze (1)

Runaway1956 (1322357) | more than 4 years ago | (#30389200)

prepared statements. Damn it. I actually read that as "preparation H" the first time.

Now, I'm wondering if preparation H might be the right fix for a Windows machine......

Re:Windoze (2, Insightful)

gregarican (694358) | more than 4 years ago | (#30388602)

Uhhhhh, you really RTFA? It doesn't matter what the server is running to get compromised by an SQL injection, does it? Could be MySQL running on a RedHat server. Could be SQL Server running on a Windows server. Why would an SQL injection be platform-dependent? After all, isn't that why SQL is ANSI and _relatively_ portable between platforms? I did say "relatively" of course ::rollseyes::

why don't these go away? (3, Interesting)

v1 (525388) | more than 4 years ago | (#30387786)

If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?

Re:why don't these go away? (2, Insightful)

qazsedcft (911254) | more than 4 years ago | (#30387910)

If it were kiddy porn it would be shutdown already.

Re:why don't these go away? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30387946)

No, the real question to ask is why, after so many successful, large-scale exploitations of Windows-based servers, people can still justify using it. Not only that, but somehow they can justify paying huge licensing fees just to use it.

Now, I'm not saying that open source solutions are necessarily better. MySQL and PHP are just as shitty as anything you'll find on Windows.

But PHP and MySQL aren't the only open source options, of course. For web sites, using PostgreSQL as the database and a language like Perl, Python or Ruby often provide a much more secure and reliable platform.

Re:why don't these go away? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30389482)

Because linux sucks ass for games and is counterproductive to most users, so nobody wants to fucking use it.

Re:why don't these go away? (3, Insightful)

jimicus (737525) | more than 4 years ago | (#30388022)

You are assuming that all the systems are hosted at reputable hosting companies that pro-actively monitor all their systems.

There are millions of systems worldwide that are exposed to the public internet (even though they probably shouldn't be) that are sitting in the corner somewhere waiting for someone to "get around to decommissioning them" - and in the meantime they're pumping out spam and taking part in DDoS attacks.

No... (3, Interesting)

Oxford_Comma_Lover (1679530) | more than 4 years ago | (#30388064)

The assumption is that once there are a hundred thousand servers hit, and maybe fewer, if the hosting company doesn't shut down the site within an hour or two a responsible upstream router blocks traffic from the site. Every delivered payload costs society more time and money.

Re:No... (1)

jimicus (737525) | more than 4 years ago | (#30388746)

I think the sheer amount of shite in the form of worms, spam and DoS attacks continuing to flood the Internet kind of kills off that utopian vision, wouldn't you say?

Re:why don't these go away? (1)

sjames (1099) | more than 4 years ago | (#30389620)

The hosting company is irrelevant if the domain's NS records in the gtld-servers are pointed to nowhere. That won't help if the script uses the IP address, but in this case, it would kill it.

Where an IP address is used, null routing by an upstream provider can kill that IP. So the question stands, when the threat is this big, why is the site allowed to continue existing? Start at the colo provider/ISP and work up the chain until a reputable provider is found to null route the IP.

Re:why don't these go away? (1)

DogDude (805747) | more than 4 years ago | (#30388336)

"If they know where the site is that's hosting the payload why don't they just shut them down?"

Who is this nebulous "they" you're referring to?

Re:why don't these go away? (1)

BuddaLicious (1628555) | more than 4 years ago | (#30389472)

They = ICANN, the body legally responsible for yanking the license of a domain name registrar if they don't react quickly to this kind of BS.
SOMEONE has to first complain and ask the DomainName Registrar to revoke the domain name, if they don't comply then SOMEONE has to complain to ICANN.
So first SOMEONE has to change to real living person willing to register the complaint (should fall to the first person who finds themselves infected).

ICANN can be slow, but it has revoked Domain Name Registrar licenses and can do so pretty much at will.

Re:why don't these go away? (2, Informative)

wowbagger (69688) | more than 4 years ago | (#30388642)

You must be new here, let me welcome you to "The Internet". I hope you enjoy your visit.

Hosting companies don't give a pair of fetid dingo's kidneys about such matters, so long as the people responsible for the hosting pay good money.

Even the hosting companies [softlayer.com] that claim [softlayer.com] to be anti-spam, and whose acceptable use policies state that ANY support of spam, including hosting spamvertized web sites [softlayer.com] , when confronted with multiple, on-going violations [winehq.org] , will ignore all reports, remove all forum posts calling attention to those posts, and continue to cash the checks from the spammers.

Obligatory NoScript comment (0)

Anonymous Coward | more than 4 years ago | (#30387788)

It can't get me, I use NoScript... nana na nana

Re:Obligatory NoScript comment (0)

Anonymous Coward | more than 4 years ago | (#30388260)

Not if it uses a non-Javascript based buffer overflow exploit. Remember the SVG attribute exploit?

Re:Obligatory NoScript comment (1)

maxume (22995) | more than 4 years ago | (#30388304)

The article says that the exploit uses multiple layers of scripts hosted on several different sites...

Reminds me of xkcd (3, Funny)

BountyX (1227176) | more than 4 years ago | (#30387846)

Seriously people stop naming your kids with ');DROP TABLE [xkcd.com] at the end...

Re:Reminds me of xkcd (0)

Anonymous Coward | more than 4 years ago | (#30388782)

Stop all these xkcd references. They're so 2000 and late.

I've got that boom boom boom.

Gotta get get!

Details? (3, Insightful)

HangingChad (677530) | more than 4 years ago | (#30387848)

I love the way they fail to mention what server systems might be affected. Is it SQL Server? MySQL? .NET? PHP? Windows servers? Linux? Both? What web sites are vulnerable?

It's always fun to snicker when you get to the registry entries which points to Windows. Although there was a trojan for Ubuntu in a desktop theme a few days ago, so enjoy the time to mock Windows users while it lasts.

Re:Details? (4, Insightful)

Yvan256 (722131) | more than 4 years ago | (#30387896)

But a Trojan needs user access and approval to get installed. No OS on the planet can protect itself from a user with the admin password.

Re:Details? (4, Funny)

Bert64 (520050) | more than 4 years ago | (#30387916)

Windows 9x used to do a pretty good job, can't own a system once it's bluescreened.

Re:Details? (1)

BlackSnake112 (912158) | more than 4 years ago | (#30388692)

Actually windows 9x did not have services, so there was less to hack into.

Re:Details? (0)

Anonymous Coward | more than 4 years ago | (#30389400)

Whoosh!

Re:Details? (0)

Anonymous Coward | more than 4 years ago | (#30389490)

Whoosh

Re:Details? (0)

Anonymous Coward | more than 4 years ago | (#30388592)

Set the location of the trojan site, 318x.com, to point to localhost in your host file. Done.

Re:Details? (1)

ShOOf (201960) | more than 4 years ago | (#30387956)

And in the case of SQL injections it's usually not the fault of the underlying database, it's stupid coders who don't validate their inputs.

Re:Details? (5, Insightful)

LordKaT (619540) | more than 4 years ago | (#30388090)

Even still, this blog post is fucking useless. What CMS? What input is not being validated? Is it an underlying problem with Drupal? Wordpress? Joomla? What version?

On top of that, it doesn't give any recommendations for what end users could do to protect themselves. Does anti-virus software already detect it? Can you simply alter your hosts file? Disable Javascript?

The blog post is completely fucking useless.

AV Detection (0, Offtopic)

I)_MaLaClYpSe_(I (447961) | more than 4 years ago | (#30388632)

according to TFA:

Malware description
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

Re:AV Detection (2, Informative)

REggert (823158) | more than 4 years ago | (#30389082)

according to TFA:

Malware description

Threatname: Backdoor.Win32.Buzus.croo

Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

That's the trojan that's being installed by the exploits served up by the injected IFRAME. It is not the vulnerability that is allowing the IFRAME to be injected to begin with.

Re:AV Detection (1)

LordSnooty (853791) | more than 4 years ago | (#30389152)

To repeat comments I made months ago... why don't these people agree on a common naming convention for new threats? 11 different names here!

Re:Details? (2, Informative)

necrogram (675897) | more than 4 years ago | (#30388368)

They didn't mention it because it doesn't matter. It's the result of bad coding practices. A SQL injection attack is caused by the front end application accepting whatever input it's given and using it to generate the SQL statements. You stop these attacks by sanitizing your input, use stored procedures to do the database work, and possibly stick in a middleware tier to handle database access, i.e. apache -> websphere -> database.

Re:Details? (0)

Anonymous Coward | more than 4 years ago | (#30388540)

Yes it does matter! It's quite one thing if they're individually targeting poorly written bespoke web applications. It's quite another if they're attacking sites with something in common, such as running popular applications such as Wordpress, phpBB, vBulletin etc.

Some of us use FOSS scripts to run our sites, and would quite like to know if we're vulnerable here.

Re:Details? (1)

Bengie (1121981) | more than 4 years ago | (#30388576)

parameterized inputs?

The only times I EVER pass a value as a concatenated string is if it goes along these lines..

try {
    // only an integer parsed from the input is ever concatenated into the query
    query = "select [columns] from table where iTableID = " + Int64.Parse(strInput).ToString();
} catch {
    // non-numeric input never reaches the query text
}

^^
My lazy code. I only do internal utilities on side projects, so I can get away with this since these utilities are seldom used by anyone except when crap goes wrong. My primary job is SQL.

otherwise it's always the

string strSelectQry = "Select [columns] from schooltable where ischoolguid = @ischoolguid";
cmd = new SqlCommand(strSelectQry, cnn);

SqlParameter schoolguild = cmd.Parameters.Add("@ischoolguid", SqlDbType.UniqueIdentifier);
schoolguild.Value = new Guid(strSchoolGUID);

Re:Details? (2, Informative)

HangingChad (677530) | more than 4 years ago | (#30389188)

They didn't mention it because it doesn't matter. Its the result of bad coding practices.

It does too matter. You don't infect 132,000 web sites with separate injection attacks. That's automated. Lots of the people running forums and CMS-driven web sites don't understand the code well enough to fix anything.

Heck, one of my sites was hacked once, through the forum software. I'm not in the habit of combing through forum code looking for unvalidated inputs. So if someone could mention what the parent exploit is, what versions of that software are affected and whether the operating system makes a difference, then those same webmasters could make sure their software was up to date. This article describes the client exploit. I don't care about that, surf with Windows and that's going to happen. I do care that crap isn't originating with any of my web sites.

Maybe it's a British thing (0)

Anonymous Coward | more than 4 years ago | (#30387868)

but when I see "claims " I think of deaths, not malware infections.

How is SQL involved? (3, Interesting)

Bromskloss (750445) | more than 4 years ago | (#30387874)

The article said "SQL" in the headline, but never mentioned it again after that.

Re:How is SQL involved? (2, Interesting)

jDeepbeep (913892) | more than 4 years ago | (#30387922)

The article said "SQL" in the headline, but never mentioned it again after that.

My guess is that the compromised websites all have something in common, such as running the same CMS for example. You're right though, the article is short on details of the injection itself.

Re:How is SQL involved? (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#30387974)

If you would have read TFA you would have seen that:

The combined action results in checks for MDAC, OWC10, and various versions of Adobe Flash. Depending on the results, the malcode then delivers one of several possible exploits.

Observed exploits include:

        * Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
        * MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
        * Microsoft Office Web Components vulnerabilities described in MS09-043
        * Microsoft video ActiveX vulnerability described in MS09-032
        * Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

Re:How is SQL involved? (1, Informative)

Anonymous Coward | more than 4 years ago | (#30388276)

How the hell is this +1 informative? If you comprehended (step 2, after read) the article, you would understand that you have listed the client-side exploits that the payload delivered by the SQL injection. You have not addressed the grandparent, who CLEARLY (as in, in the title AND single line of content) requested more information regarding host profiles that may have been affected by the SQL injection itself.

Re:How is SQL involved? (1)

Gary van der Merwe (831179) | more than 4 years ago | (#30387984)

You are right, that's not a SQL injection attack, rather an HTML+script injection. A SQL injection allows you to meddle with the site's database.

Re:How is SQL involved? (1)

LordKaT (619540) | more than 4 years ago | (#30388102)

AFAIK there are two exploits:

On the users end there are several MS and Adobe scripting exploits being taken advantage of, all of which start inside the browser.

On the server end there is a SQL injection exploit being used to get the malicious code out there.

Re:How is SQL involved? (0)

Anonymous Coward | more than 4 years ago | (#30388232)

AFAIK there are two exploits:

On the users end there are several MS and Adobe scripting exploits being taken advantage of, all of which start inside the browser.

On the server end there is a SQL injection exploit being used to get the malicious code out there.

Yes this is right.

I presume as info is taken from ScanSafe (Cisco's company that does internet transport scanning/filtering) they don't have details on the actual SQL injection exploit, but the article focuses on the payload caused first by SQL injection and then local exploits.

Re:How is SQL involved? (2, Informative)

Gary van der Merwe (831179) | more than 4 years ago | (#30388298)

On the server end there is a SQL injection exploit being used to get the malicious code out there.

My point being that you don't need to do a SQL injection to do this.

To prevent a SQL injection, you need to change ' to '' on input from the user that you pass to sql.

To prevent an HTML+script injection, you need to change < to &lt;, > to &gt;, & to &amp; etc. on input from the user that is rendered to the browser. The sites in question are not doing this, hence, just stick the code you wish to inject into a comment or some other user field. This has nothing to do with SQL.
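The distinction drawn above, between escaping for SQL and escaping for the browser, can be shown in a few lines. This is an added example, not code from the thread: a minimal comment store in Python using sqlite3, where the insert is parameterised (so no SQL injection is involved at all) and the hostile markup is still served back to every later visitor unless the render step encodes it with `html.escape`. The `comments` table, the comment texts and the iframe URL path are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample: a comment a visitor could post through the normal form,
# with no SQL injection anywhere. The iframe path is invented for the demo.
HOSTILE_COMMENT = ('Nice site! '
                   '<iframe src="http://318x.com/x.htm" width=0 height=0></iframe>')


def make_comments_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_comment(conn, author, body):
    # Parameterised insert: the database sees the markup as plain data and
    # stores it verbatim. SQL is safe; the browser is not, yet.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)",
                 (author, body))
    conn.commit()


def render_unsafe(conn):
    """The pattern the sites in the story use: stored text goes straight
    into the page, so the stored iframe becomes a live element."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id")
    return "\n".join(f'<div class="c"><b>{a}</b>: {b}</div>' for a, b in rows)


def render_safe(conn):
    """Output encoding: < > & " ' become entities before reaching the
    browser, so the same stored text is displayed, not executed."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id")
    return "\n".join(
        f'<div class="c"><b>{html.escape(a)}</b>: {html.escape(b)}</div>'
        for a, b in rows)


def contains_live_iframe(page):
    """True if the page carries an un-encoded <iframe> tag opener."""
    return "<iframe" in page.lower()


def demo():
    """Returns (unsafe_has_iframe, safe_has_iframe) for the sample data."""
    conn = make_comments_db()
    store_comment(conn, "mallory", HOSTILE_COMMENT)
    store_comment(conn, "O'Brien", "Thanks & regards <3")  # legitimate text
    return (contains_live_iframe(render_unsafe(conn)),
            contains_live_iframe(render_safe(conn)))


if __name__ == "__main__":
    print(demo())  # the unsafe render carries the iframe, the safe one does not
```

Note that `html.escape` with its default `quote=True` also encodes `"` and `'`, which matters when user text lands inside an attribute value rather than between tags; the legitimate apostrophe and ampersand in the second comment survive as readable entities rather than breaking the page.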

Re:How is SQL involved? (0)

Anonymous Coward | more than 4 years ago | (#30388342)

Just another Slashdot submission where the "editor" (CmdrTaco in this case) didn't RTFA.

Re:How is SQL involved? (0)

Anonymous Coward | more than 4 years ago | (#30388388)

Unfortunately, the article states that an SQL injection attack occurred. Unless you have something to substantiate your claim that this is an XSS attack, you should probably shut the fuck up.

In fact, you should probably just shut the fuck up regardless as your post is full of misinformation. You shouldn't be attempting to escape SQL yourself, because you don't know every current and future character sequence that will escape the parser. You should use the library function included with your SQL binding layer, (e.g. mysql_real_escape_string), and/or bound variables.

Re:How is SQL involved? (1)

gregarican (694358) | more than 4 years ago | (#30388306)

The SQL injection allows the malware scripts to be placed on websites. Then website visitors get hit with the malware the scripts facilitate. Of course, silly me, I went and RTFA. Half of the headlines on /. are either grammatically incorrect, sensationalized, or just plain silly...

The real problem (2, Informative)

Anonymous Coward | more than 4 years ago | (#30387878)

So it's MS and Adobe vulnerabilities that actually let the malware onto your system.
FTA:

Observed exploits include:

        * Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
        * MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
        * Microsoft Office Web Components vulnerabilities described in MS09-043
        * Microsoft video ActiveX vulnerability described in MS09-032
        * Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

Re:The real problem (1)

wjsteele (255130) | more than 4 years ago | (#30388210)

Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

This is actually a stupid article, as it doesn't even bother to describe the platform which has the vulnerability in it. It's not a platform or database issue if it's a SQL Injection, so it must be some app that is common... like a CMS package or blog engine... something like that.

Bill

Re:The real problem (1)

gmuslera (3436) | more than 4 years ago | (#30388532)

Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

In official packages of a Linux distribution, I would say that almost all would be patched so shouldn't be affected. But we are talking about the Windows world here. I'm not sure how automatic the updates for Flash Player are (just today got one on my Ubuntu box), Windows updates are known to add functionality (sometimes unwanted, so people could disable automatic updates after something "misbehaves"), and the MS fixes there probably aren't for IE6 (still used by 20% of the internet), maybe some for IE7 that is more widely used or older versions of Office.

About the article, yes, it seriously lacks showing how the servers got intruded; it went more to the symptoms (in a Google search they were found to have that exploit link). But it is useful for the people who claim that they are safe even running Windows without the latest patches or software versions to know that they could get into trouble visiting normal/regular sites.

Re:The real problem (1)

MisterZimbu (302338) | more than 4 years ago | (#30388908)

This is actually a stupid article, as it doesn't even bother to describe the platform which has the vulnerability in it. It's not a platform or database issue if it's a SQL Injection, so it must be some app that is common... like a CMS package or blog engine... something like that.

It doesn't matter. It's not an attack on a specific web server, CMS, or even database engine. The ONLY thing that matters is if the underlying scripts driving the website are poorly written and vulnerable themselves.

It's not difficult to write something that spiders websites and attempts injection attacks against querystring variables that the individual site commonly uses. The exact same thing happened either late last year or early this year. Now in that instance, that was specifically targeted at MS SQL Server, but it's not hard to imagine a completely platform-independent version.

Obvious, but needs to be said (4, Informative)

GreenTom (1352587) | more than 4 years ago | (#30387988)

Add to windows\system32\drivers\etc\hosts:

127.0.0.1 318x.com

And you should be safe, for the moment.

Re:Obvious, but needs to be said (1)

AA Wulf (1657459) | more than 4 years ago | (#30388702)

Good plan, except some services need that loopback address. Wikipedia says use 0.0.0.0 [wikipedia.org]

Don't worry, that site is slashdotted. (1)

neo (4625) | more than 4 years ago | (#30389124)

It's already under a huge DOS attack by the readers of Slashdot. There's no need to block it, in fact you should be attempting to load that page in concert with all the other members of the Slashbot.

Use MongoDB instead (0)

Anonymous Coward | more than 4 years ago | (#30387998)

Just one more reason to use MongoDB (http://www.mongodb.org/). No SQL injection type problems. Along with all the other reasons as well, of course.

Re:Use MongoDB instead (1)

asdf7890 (1518587) | more than 4 years ago | (#30388226)

I wouldn't be happy with the in-place updates and lazy writing (http://blog.mongodb.org/post/248614779/fast-updates-with-mongodb-update-in-place) for anything of noticeable importance. Though for some tasks I'm sure the performance boost is worth the potential corruption susceptibility this implies.

Slashdot Effect - Mirror (1)

moj0e (812361) | more than 4 years ago | (#30388168)

It looks like the page serving out malware is suffering from the Slashdot effect.
You will have to manually install the trojan.

You can get it here:
http://microsoft.com/ [microsoft.com] :)

Let's say it all together now... (2, Interesting)

gregarican (694358) | more than 4 years ago | (#30388258)

validate your SQL inputs before posting them against an Internet-facing database. This isn't an SQL problem. This isn't a Windows-based problem. This is a poor coders' problem. If there are high-profile websites that were compromised I'd be one pissed off PHB fo sho...

Re:Oblig (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30388474)

Exactly!

Obligatory [xkcd.com]

Re:Let's say it all together now... (3, Informative)

Vellmont (569020) | more than 4 years ago | (#30388778)


validate your SQL inputs before posting them against an Internet-facing database.

Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current potential and future potential for breaking out of a SQL statement. It won't protect you from people putting in their own parameters into your SQL statement (like say someone else's userID), but that's a different class of vulnerability.

Re:Let's say it all together now... (0)

Anonymous Coward | more than 4 years ago | (#30388910)

Damn, you could be preaching to the choir; ever thought of posting this on digg... just have a good scrubdown, prison-style, afterwards

Re:Let's say it all together now... (1)

DNX Blandy (666359) | more than 4 years ago | (#30389322)

Lame coders who either 1) Just don't understand, so are fucking stupid! 2) Just don't care, so are fucking stupid! Note: I'm a coder, but I've always taken security very seriously, hence I get emails every time someone tries :) and the sites I manage are OK.

Solution (0)

Anonymous Coward | more than 4 years ago | (#30388400)

whois 121.14.136.5
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
CIDR: 121.0.0.0/8

nslookup aa1100.2288.org
Name: aa1100.2288.org
Address: 121.12.116.32

whois 121.12.116.32
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
CIDR: 121.0.0.0/8

cmd drop log all from 121.0.0.0/8 to any via $OutsideNic

Let's see (1)

zefciu (1654897) | more than 4 years ago | (#30388412)

Hmmm...;)UPDATE users SET isAdmin='1' WHERE users.login='zefciu';

Looks like IIS (1)

tom1974 (413939) | more than 4 years ago | (#30388590)

Hit Google, you'll get things like this [209.85.229.132]

Looks like Windows IIS + MSSQL again.

Still a question about the SQL part of this... (0)

Anonymous Coward | more than 4 years ago | (#30389190)

From TFA:
"A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites."

Anybody know what made these thousands of websites susceptible?!?

Useless article for us admins...

Lame coders who don't care about security! (1)

DNX Blandy (666359) | more than 4 years ago | (#30389232)

Lame, or just too stupid to understand! OK, I'm a coder but I take security very seriously. Why are sites still prone to this type of attack? I used to work with Classic ASP scripts, (I use .NET now obviously), which were very prone to SQL injection attacks but I had no problems, mainly because on all pages, I simply check the query string for the following: char( cast( convert( If it contained any of these, add IP to bad list and redirect to /banned.htm page. SIMPLE!!

Re:Lame coders who don't care about security! (1)

mrt_2394871 (1174545) | more than 4 years ago | (#30389556)

... I simply check the query string for the following:

char(
cast(
convert(

If it contained any of these, add IP to bad list and redirect to /banned.htm page.

SIMPLE!!

Simple, and wrong. Do not enumerate badness when filtering.

Whatever interface you are using to whatever SQL database, there should be an "escape" function that lets you store strings containing string delimiters.

Find that function. Use that function.
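The two points made in this thread, Vellmont's "use prepared statements" and mrt_2394871's "do not enumerate badness", side by side as an added example; this is not code from the article or from any poster. It uses Python's standard sqlite3 module with a constructed in-memory `users` table (the names and rows are made up for the demo), and binds parameters instead of calling an escape function, which is the same separation of SQL text from data that the escape-function advice is after. The `DENYLIST` tuple reproduces the three substrings the earlier post checks the query string for.

```python
import sqlite3

# Constructed sample schema and rows for the demo (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, isAdmin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("zefciu", 0), ("alice", 1), ("cast(iron)", 0)],  # "cast(iron)" is a legitimate login
    )
    conn.commit()
    return conn


def lookup_concat(conn, login):
    """Vulnerable pattern: user input spliced into the SQL text.

    A login value containing a quote ends the string literal early, so the
    rest of the input becomes part of the statement instead of data."""
    sql = "SELECT login, isAdmin FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, login):
    """Hardened pattern: the SQL text is fixed, the value travels as a bound
    parameter. Quotes, parentheses or keywords in the value are just bytes
    compared against the column; they can never change the statement."""
    sql = "SELECT login, isAdmin FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


# The substring filter described in the thread: ban the request if any of
# these appear in the query string.
DENYLIST = ("char(", "cast(", "convert(")


def denylist_rejects(query_string):
    """Returns True when the enumerate-badness filter would ban the request."""
    q = query_string.lower()
    return any(token in q for token in DENYLIST)


if __name__ == "__main__":
    conn = make_db()
    # Ordinary input: both lookups agree.
    print(lookup_concat(conn, "zefciu"), lookup_prepared(conn, "zefciu"))
    # Input with a quote: the concatenated query returns every row, the
    # prepared one returns nothing because no such login exists.
    bad = "zefciu' OR '1'='1"
    print(len(lookup_concat(conn, bad)), lookup_prepared(conn, bad))
    # The denylist is blind to that input (no char(/cast(/convert( in it)...
    print(denylist_rejects(bad))
    # ...yet bans a legitimate user whose login happens to contain "cast(".
    print(denylist_rejects("cast(iron)"), lookup_prepared(conn, "cast(iron)"))
```

The two failure modes of the filter are visible in the last lines: it passes input that contains none of the three tokens but still breaks the concatenated query, and it blocks a harmless value that the parameterized query handles correctly. That is why the fix belongs in how the statement is built, not in a list of forbidden substrings.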

Terrible article, inappropriate headline (2, Interesting)

erroneus (253617) | more than 4 years ago | (#30389308)

The sources of the attacks are servers that have been compromised through SQL injection. I get that. It's an important detail. They fail to identify what sites and/or what those sites are running that is exploitable in this way. Is it MySQL? Is it MS SQL? Oracle? Is it a particular software package running on a particular web host platform? The questions are too many and should have been answered in the article.

What is done after a server is compromised is pretty common. Microsoft components, especially those linked through ActiveX, have been not just a hole in Microsoft security, but a tunnel into the Windows kernel big enough to drive a truck through. A vulnerability in Adobe Flash is only a problem when it uses ActiveX to get there. Flash running in other ways does not seem to pose such an extreme threat otherwise. But while these are important security concerns to be aware of, it has nothing to do with the topic of the story as indicated by the headline or the first line of the story, which is about compromised SERVERS, not about compromised clients.

132,000 hits on Google != 132,000 infections (1)

shdragon (1797) | more than 4 years ago | (#30389330)

I must disagree with the way they calculated infections. Counting the number of times something comes up on Google does not equal the number of infections.

132,000? Try 1269. (2, Interesting)

milesw (91604) | more than 4 years ago | (#30389606)

As many have pointed out, the blog post does not offer sufficient detail, but does offer the rather sensational headline "SQL injection attack claims 132,000+". The Google Safe Browsing diagnostic page for 318x.com has it closer to 1200 or so:

http://google.com/safebrowsing/diagnostic?site=318x.com/

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 318x.com appeared to function as an intermediary for the infection of 1202 site(s) including 37y.org/, jxagri.gov.cn/, glojj.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1269 domain(s), including 37y.org/, cec.org.cn/, jxagri.gov.cn/.

Sorry I'm confused... (1)

Kc_spot (1677970) | more than 4 years ago | (#30389636)

so if your site gets infected will you lose control of what goes on it or will it look like the "Hackers movie" MS paint thing, just be a pain in the a**?