Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Massive SQL Injection Attack Compromises 380K URLs

CmdrTaco posted more than 3 years ago | from the that's-a-lot-of-compromise dept.

Security 117

Orome1 writes "A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked. The injected script redirects users that have landed on the various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution."

Sorry! There are no comments related to the filter you selected.

In before the microsoft shills? (-1)

Anonymous Coward | more than 3 years ago | (#35678452)

Blah blah .NET blah blah resistant zomg to SQL injection yadda yadda azure etc SQL Server etc bind parameters derp herp a derp!

Re:In before the microsoft shills? (0)

Anonymous Coward | more than 3 years ago | (#35678538)

Oh...and __fr15t p057__: suck it, bill gates!!!

380 aint so bad (1)

digitalsushi (137809) | more than 3 years ago | (#35678458)

If each of those kurls is able to be refinished, I think that they could withstanding another couple injections, easily. Why is sensationalist media destroying our national merits!? Only on slashdot, and yes, I did read the article.

Redirected (5, Funny)

Jurramonga (1922438) | more than 3 years ago | (#35678468)

I was trying to access www.AntiVirusPro2011.com when I got redirected here.

Re:Redirected (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35678676)

I was trying to access www.AntiVirusPro2011.com when I got redirected here.

You should have been trying to get to lizamoon.com instead ... but it's not responding anymore. I guess it got overloaded (or shutdown).

Re:Redirected (0)

Anonymous Coward | more than 3 years ago | (#35679902)

lizamoon -- hah, you also had a customer affected by it?

Re:Redirected (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35679944)

lizamoon -- hah, you also had a customer affected by it?

No, it was in the article so I tried to go to the site to see what it was actually doing. Knowing what it looks like will help me spot it in case one of my client's computers (or websites) gets affected.

What are the malware URLs? (0)

Anonymous Coward | more than 3 years ago | (#35679022)

Our website was hacked recently, via sniffed FTP passwords, not SQL injection. The site that our visitors were being redirected to was voictoall.com and another domain in the .cc tld. Does anybody know what the URLs of this attack were? I would be interested in knowing if it was the same folks who attacked us.

Re:What are the malware URLs? (1)

Lumpy (12016) | more than 3 years ago | (#35679458)

sniffed FTP... wow... why were you not using sftp or ssh? you dont use FTP for ANYTHING but public file repository where anonymous is the username.

Re:What are the malware URLs? (0)

Anonymous Coward | more than 3 years ago | (#35679504)

sound advice. the only problem is that under capitalism, bosses make the calls, not the hackers who work for them.

Some future this is... (1)

ackthpt (218170) | more than 3 years ago | (#35678472)

I want my money back. This isn't the future I was promised.

I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back. I don't understand why this sort of behavior isn't being shut down promptly by the powers that be of the internet. They'll watch your music, the CIA will record every character transmitted or received (Hi, Bob!), but they can't seem to recognise the same stupid bogus anti-malware scan scam going from IP address A to IP address B.

Don't worry about 1984 and Big Brother, we aren't even close.

Re:Can't Recognize (1)

TaoPhoenix (980487) | more than 3 years ago | (#35678632)

I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

Wanna see how fast that gets taken care of?

Re:Can't Recognize (1)

ackthpt (218170) | more than 3 years ago | (#35679398)

I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

Wanna see how fast that gets taken care of?

Yeah, have the RIAA or MPAA on your case and you've got a trillion dollar lawsuit coming! Brr!!! I'll take my chances with teh feds.

Re:Can't Recognize (1)

BitZtream (692029) | more than 3 years ago | (#35681822)

The law suits won't start until everyone has all 380k songs. Its more profitable for them to wait to sue you than it is to start now.

You think the RIAA doesn't want you to have music, which is wrong. They want you to have all of their music, multiple times, they just want to make sure they can charge you as many ways as possible, including charging you even if you don't listen to any of their music (ref: tax on writable CDs).

They'll be happy to wait until all the transfers are complete so they can sue each infected person for illegally obtaining and distributing 380k songs at whatever the ridiculous fine per song they have is.

Re:Some future this is... (1)

Massacrifice (249974) | more than 3 years ago | (#35678824)

the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

Re:Some future this is... (1)

ackthpt (218170) | more than 3 years ago | (#35679374)

the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

Ironically we'll hear that 1,000 government PCs are infected. But have some stalker on Craigslist posting from a Starbucks and the cars are already on the way. Russia may be a riddle wrapped in an enigma, but how FBI/CIA/DHS/law enforcement have access to stuff so quick, but nobody can seem to prevent the same old sh*t, which has been on the internet for years, from moving around is beyond me.

Re:Some future this is... (1)

recoiledsnake (879048) | more than 3 years ago | (#35679198)

>I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

What are you talking about?

Re:Some future this is... (1)

ackthpt (218170) | more than 3 years ago | (#35679326)

>I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

What are you talking about?

If you have all the right holes open, that Malware scan does more than just launch an page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding. Thanks to the mindbogglingly stupid way Windows installs software packages I can't just format my system partition and reinstall the OS - my registry, my documents, my program files, et al are in the same basket. Sometimes you can install software to a different drive, but the vendor puts stuff in your Registry which goes with the rebuild and you can spend lots of fun time installing software all over again. Geez. Why didn't they adopt the *nix approach to filesystems.

Re:Some future this is... (1)

recoiledsnake (879048) | more than 3 years ago | (#35679562)

>If you have all the right holes open, that Malware scan does more than just launch an page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding.

What right holes? Are you talking about Windows 7 or XP? That malware scan can't do shit unless you click to download and install the exe from that suspect site and then click okay the UAC prompt. Even if it compromised IE, IE runs in a low permission sandbox that is extremely difficult to get out of, forget about modifying system files.

If you do the equivalent on Unix, you still have to wipe the system, Eg. see this http://www.linuxforums.org/forum/security/29611-rootkit-infected.html [linuxforums.org]

I don't see what you're cribbing about or anything about the "(thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) ".

Re:Some future this is... (0)

mspohr (589790) | more than 3 years ago | (#35679430)

Stupidity is doing the same thing over and over and expecting a different result.

Why do people keep using Windows?

Re:Some future this is... (0)

Anonymous Coward | more than 3 years ago | (#35682748)

>Why do people keep using Windows?

Because I like being employed and middle managers are easily swayed into using What Everyone Else Is Using. They use Windows, therefore I use Windows.

Sweet story bro (2)

19thNervousBreakdown (768619) | more than 3 years ago | (#35678474)

So, what's the attack? What SQL servers/CMS/languages are vulnerable?

Re:Sweet story bro (1)

an00bis (667089) | more than 3 years ago | (#35678540)

Looking through the first several pages from Google, searching for the same string that was in the article, it's predominantly ASP/ASPX/CFM that is coming up. Probably nothing new, just taking raw user input and querying directly with that.

Re:Sweet story bro (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35678554)

So, what's the attack? What SQL servers/CMS/languages are vulnerable?

Neither article says ... so I guess the only way to find out is to hit the internet and find out for ourselves!

Re:Sweet story bro (1)

shadowrat (1069614) | more than 3 years ago | (#35678896)

The article didn't really say. I went looking for the same information. All i found was a lot of talk about what you will find on an infected site. The takeaway seems to be: If your site is serving up weird links that you didn't put there, sanitize everything.

that hardly seems like news.

Re:Sweet story bro (1)

el_gordo101 (643167) | more than 3 years ago | (#35678938)

After a cursory glance at the search results of infected pages, I saw the following file types:
Microsoft Active Server Pages (.asp)
Microsoft ASP.NET (.aspx)
Java Server Pages (.jsp)
Cold Fusion (.cfm)

Seems mostly aimed towards .asp and .aspx pages, but I would venture to guess that any web app that doesn't scrub the form input data would be vulnerable.

Re:Sweet story bro (1)

lennier1 (264730) | more than 3 years ago | (#35679904)

Not sure about the others, but in case of ColdFusion it's pure laziness, since there are tons of built-in features to prevent SQL injection. No additional and/or custom stuff necessary.

Re:Sweet story bro (1)

el_gordo101 (643167) | more than 3 years ago | (#35681512)

Same with ASP.NET, parametrized SQL queries are built into the ADO.NET model. Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB. Old school Active Server Pages have no such feature and any data-scrubbing had to be done in a separate function.

Re:Sweet story bro (1)

BitZtream (692029) | more than 3 years ago | (#35681856)

Parametrized queries in ASP is really pretty much the same as ASP.NET pages, do it all the time myself.

Re:Sweet story bro (1)

Rary (566291) | more than 3 years ago | (#35683192)

Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB.

This happens all the time. Developers need to be aware of SQL Injection and how to prevent it. You cannot just implement something like parameterized queries and assume that you're defended against the ignorance of other developers on your team. You have to train them.

WinXP SP4 on the way (1)

Teun (17872) | more than 3 years ago | (#35682642)

Maybe that's why there'll be a WinXP SP4 coming out tomorrow?

Re:Sweet story bro (0)

Anonymous Coward | more than 3 years ago | (#35679798)

It is SQL injection. Any DB server and any server side Web toolkit permitting execution of raw SQL is vulnerable, subject to programmers' incompetence.

HERE IS THE ACTUAL ATTACK CODE.... (3, Informative)

Anonymous Coward | more than 3 years ago | (#35681012)

The article is sorely missing any useful information as to what the attack is and how to protect against it....

http://stackoverflow.com/questions/3761064/need-help-with-this-xss-attack

Currently, it is aimed at IIS/MS-SQL web sites that have input forms that aren't validating the input and neutralizing HTML tags

Re:HERE IS THE ACTUAL ATTACK CODE.... (1)

AmonTheMetalhead (1277044) | more than 3 years ago | (#35683378)

Heh, Deja-vu

Re:HERE IS THE ACTUAL ATTACK CODE.... (0)

Anonymous Coward | more than 3 years ago | (#35684608)

If you think you are being secure by stripping HTML from form data you are building very insecure sites. Filtering on input is near useless. Here's why:

http://acko.net/blog/safe-string-theory-for-the-web

Is one of those sites /. (3, Funny)

Tigger's Pet (130655) | more than 3 years ago | (#35678500)

Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

Re:Is one of those sites /. (1)

Massacrifice (249974) | more than 3 years ago | (#35678844)

Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

We also have plenty of rogue AC on /. lately.

Re:Is one of those sites /. (0)

Anonymous Coward | more than 3 years ago | (#35679660)

Just wondering, coz we seem to have been infected by plenty of rogue ACs recently.

:'(

Re:Is one of those sites /. (1)

AmonTheMetalhead (1277044) | more than 3 years ago | (#35683404)

You want rogue AC's? Talk with HBGary

SQL Injection??? (3, Interesting)

gregrah (1605707) | more than 3 years ago | (#35678528)

This seems to me like more of a JavaScript injection attack. Or am I missing something?

Very difficult to tell from the worthless article and summary.

Re:SQL Injection??? (2)

aesiamun (862627) | more than 3 years ago | (#35678686)

How do you get the js injection into the code? SQL injection into whatever their CMS is.

Re:SQL Injection??? (1)

recoiledsnake (879048) | more than 3 years ago | (#35679210)

Look up XSS.

Re:SQL Injection??? (0)

logjon (1411219) | more than 3 years ago | (#35679644)

XSS is a symptom.The vulnerability exists for SQL injection.

Re:SQL Injection??? (0)

Anonymous Coward | more than 3 years ago | (#35679824)

That's what I thought when I read the article. Injecting javascript via a form probaly involves storage in an sql database but that doesn't make it an sql injection attack. This is an xss attack.

Re:SQL Injection??? (1)

Anonymous Coward | more than 3 years ago | (#35678692)

The malware is a script that pretends to do an AV scan, obviously finds something and offers to sell the cure. The SQL injection is the part which makes many unrelated web sites redirect to the malware site. Let's say you have a blog which runs the version of your favorite content management system that was current when you started your blog. This software that runs on a server that's connected to the internet 24/7 and offers services to the public happens to have a bug, an SQL injection vulnerability to be precise. The attacker scans for vulnerable hosts, uses SQL injection to gain control over the content management system and then makes your blog redirect visitors to the malware site.

People install antivirus software on their PCs and keep a dozen autoupdaters running all the time, but the blog software (including add-ons) on their server is fire-and-forget. I keep recommending that people either get managed hosting or refrain from using server-side software. A blog doesn't need to be constructed dynamically on the server. Static web pages are faster and, most importantly, much more secure.

Re:SQL Injection??? (0)

Anonymous Coward | more than 3 years ago | (#35678828)

It does need server-side code if you want to let people publically comment on it.

Re:SQL Injection??? (0)

Anonymous Coward | more than 3 years ago | (#35678970)

If you don't want to rely on client-side scripting for including an external comment service, then get managed hosting. Far too many people who have no clue about managing a public-facing piece of software install their own CMS on virtual servers or shared hosting without professional guidance and supervision. There's nothing wrong with having server side software, but if you do go that route, you have a responsibility and need to maintain that software. If you can not or do not want do that, then don't use server-side software.

Re:SQL Injection??? (1)

tepples (727027) | more than 3 years ago | (#35679154)

A blog doesn't need to be constructed dynamically on the server.

Its comments do. So does reformatting for mobile or otherwise limited devices if this involves taking things entirely out of the HTML stream. (Before you jump in and recommend separating meaning and presentation with CSS, remember that media-specific CSS can only hide elements; it can't easily reorder them or keep them from being downloaded. Sometimes you want to show less meaning at a time to a mobile user.)

Re:SQL Injection??? (1)

Endophage (1685212) | more than 3 years ago | (#35678740)

I'm rather confused by that too. I'd love somebody to explain how an SQL injection attack puts a new javascript tag on a page unless it's targeting some specific CMS that stores a list of required js files in the database.

Re:SQL Injection??? (1)

aesiamun (862627) | more than 3 years ago | (#35678774)

Actually if you look at some of the sites, it's straight from the content, not from the header.

I took a look and they are randomly placed throughout the content of a stored page.

Re:SQL Injection??? (1)

Endophage (1685212) | more than 3 years ago | (#35679066)

Hmmm. So potentially inserting the script tag into the body portion of articles... So what is the common factor across the sites? All using some particular plugin or something (I'm hoping it's not a vulnerability in the core of some widely used CMS)?

Re:SQL Injection??? (1)

aesiamun (862627) | more than 3 years ago | (#35680082)

There's only so many ways to write a piss poor CMS :)

Re:SQL Injection??? (1)

Endophage (1685212) | more than 2 years ago | (#35683714)

Multiplied by the myriad of ways to write piss poor plugins :)

Binding Params (4, Insightful)

Toreo asesino (951231) | more than 3 years ago | (#35678550)

Yes, I know I won't be the only one to say it.....

But seriously, if you don't know about binding params to SQL statements you shouldn't be writing public-facing websites. In any language. Ever.

Re:Binding Params (1)

Anonymous Coward | more than 3 years ago | (#35678868)

What's a binding para!@#$(*(!&*!&#$!! PLEASE CLICK THIS LINK for a complimentary security and malware scan. Good for today only!

Re:Binding Params (2)

grumbel (592662) | more than 3 years ago | (#35679116)

Easier said that done, there seems to be quite a few SQL implementations that don't support binding to arrays:

SELECT * FROM foo WHERE bar IN (?);

Construct the array and placeholders in parallel (1)

tepples (727027) | more than 3 years ago | (#35679194)

there seems to be quite a few SQL implementations that don't support binding to arrays:

SELECT * FROM foo WHERE bar IN (?)

I asked the webmaster of bobby-tables.com about this. The reply was that apparently, you're supposed to construct the list of placeholders in the statement in parallel with the array of values to be substituted into those placeholders. But under some APIs *cough*mysqli*cough*, that can be far more painful [pineight.com] than making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character that your DBMS's manual mentions.

Re:Construct the array and placeholders in paralle (1)

Lumpy (12016) | more than 3 years ago | (#35679574)

You are correct sir....

in php....

$new_string = preg_replace(“/[^a-zA-Z0-9\s]/”, “”, $string);

or simply use the http://docs.php.net/manual/en/function.mysql-real-escape-string.php [php.net] function if you need full flexibility and to make sure it's clean and safe.

and done. in fact you are a lazy programmer if you dont sanitize your user input. Yes it's nice to add the extra security of setting up the DB correctly, but only a fool would not sanitize the user input to begin with.
Rule #1 is to treat all user input as hostile and dangerous. If you stick to that a lot of these pesky injection attacks go away.

Re:Construct the array and placeholders in paralle (0)

Anonymous Coward | more than 3 years ago | (#35679680)

This is the "but what about Unicode?" reply that you hoped no one would bother posting.

Re:Construct the array and placeholders in paralle (1)

tepples (727027) | more than 3 years ago | (#35679792)

making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character

simply use mysql_real_escape_string() if you need full flexibility and to make sure it's clean and safe.

That's what I do inside db_escape_list(), but the bobby-tables.com guy says it's not enough: one must use ? and only ?.

Re:Construct the array and placeholders in paralle (0)

Anonymous Coward | more than 3 years ago | (#35682420)

Not sure what the exact PHP syntax is, but in Perl:
my @list;
my $places = join(",", ("?")x@list);
$dbh->prepare("SELECT stuff FROM table WHERE stuff IN ($places)");
$dbh->execute(@list);

Then I guess MySQLi is sucks (1)

tepples (727027) | more than 3 years ago | (#35682960)

$dbh->execute(@list);

If only it were that easy. In PHP MySQLi, $stmt->bind_param() wants individual variables as parameters, not a single array. They have to be variables, not values, because they're passed by reference. Moreover, the first parameter is a string with one character stating the data type of each following variable to be passed into the statement. The function bind_param() is variadic, and all three argument counts (number of ?s, number of characters in type string, and number of variables following type string) all have to match, or MySQLi raises an exception. I guess the moral is that if you have the bobby-tables.com guy on your team, MySQLi isn't the best tool. If only I'd known this at the start of the big project.

Re:Construct the array and placeholders in paralle (1)

fatphil (181876) | more than 3 years ago | (#35684338)

Replace
my $places = join(",", ("?")x@list);

With
my $places = ('?,'x$#list) . '?';

For an order of magnitude increase in efficiency. You don't want an array, don't create a temporary one, just go straight to the string you want.

However, if you've got such long lists that even that 'x' is expensive - just have a prepared string of ?,?,?,?,?,?,?.... and use substr of the appropriate length.

Re:Construct the array and placeholders in paralle (1)

AmonTheMetalhead (1277044) | more than 3 years ago | (#35683454)

Not sanitizing input (any input, be it from a user or a remote site or a webservice or what have you) is asking for trouble, i see shit like this daily.

Re:Construct the array and placeholders in paralle (1)

VDizzle (995599) | more than 3 years ago | (#35682796)

my $col_a_criteria = ' AND COLUMN_A IN (' . join(",", ('?') x @bind) . ') ' if scalar @bind;

$sth->prepare("select column_B from my_table where column_z = ? $col_a_criteria");

scalar @bind ? $sth->execute($col_z, @bind) : $sth->execute($col_z);

# It also wouldn't hurt to make sure that you are not exceeding the max SQL length or max values in an IN clause...

Re:Binding Params (0)

Anonymous Coward | more than 2 years ago | (#35683926)

SELECT * FROM foo WHERE bar IN (?);
SELECT * FROM foo WHERE bar IN (?,?);
SELECT * FROM foo WHERE bar IN (?,?,?);
SELECT * FROM foo WHERE bar IN (?,?,?,?);
SELECT * FROM foo WHERE bar IN (?,?,?,?,?); ... ...

is it really that hard?

Re:Binding Params (0)

Anonymous Coward | more than 3 years ago | (#35684452)

If that is what you are trying to do then you are doing it wrong, you are using a relational database to solve a network database problem.

You should use a database whose semantics match the problem to be solved.

When you have an SQL database in your hand everything looks like a relational query.

Re:Binding Params (2)

Lord Ender (156273) | more than 3 years ago | (#35679356)

Just as most car drivers don't know how to design safe airbag systems, most people running public-facing websites don't know how to build proper security. They just download some free CMS and go with it.

Re:Binding Params (2)

Terrasque (796014) | more than 3 years ago | (#35679746)

SQL injection? This sounds like people not sanitizing OUTPUT values, also known as XSS.

It's talk about redirect, and I would guess that's via some JS that gets displayed.

I see a script src="url" tag in the screenshot, which further lends credit to that theory.

However, other than the article text, I can't see any evidence of a SQL injection attack, which is a different kettle of fish than XSS.

The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job in securing the site against this kind of attacks.

"The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," they explained.

Sounds like XSS

Re:Binding Params (1)

Xenna (37238) | more than 3 years ago | (#35679934)

I agree, I drew the same conclusion when reading the article. The JS code is entered in the database, of course, but not via an SQL injection. XSS vulnerability is much more prevalent than SQL injection vulnerability. Funny how just a few Slashdotters have picked up on this.

Re:Binding Params (2)

Shados (741919) | more than 3 years ago | (#35680162)

While that is true, it is very common for vulnerable websites to have JS injected in their databases via SQL injection.

If I have, let say, a custom homegrown CMS...obviously there's going to be some JS and HTML in my data store (unless I store everything as physical files. Uncommon). So I can't exactly escape my output, since valid javascript IS the output... Compromise the database, and the whole thing is compromised.

Re:Binding Params (1)

fatphil (181876) | more than 3 years ago | (#35684424)

I pulled up a few infected pages, and if I were to perform the same attack, I'd want to get some kind up 'update tablename set field="payload"' being executed by the server. And that would be a SQL injection.

How do you see XSS executing on a client machine affecting every record in a database on the server?

Re:Binding Params (1)

fatphil (181876) | more than 3 years ago | (#35684454)

Well, to answer my own question, it is a SQL injection using an update, as I postulated, according to a victim:
"""
We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!
"""

mysql.com included? (0)

Anonymous Coward | more than 3 years ago | (#35678556)

should count it as one

No wonder. (0)

Anonymous Coward | more than 3 years ago | (#35678604)

I've stumbling more and more on those phony anit-virus warning and most the time they leave an executable in my temp directory - I'm always logged in as a client and MS Security essentials is pretty good at catching it - albeit long after it's on my hard drive :(

The sucky part is that it's been hitting legitimate websites - it's no longer just a problem with the porn or the naked celebrity (naked celebrity sites are the worst!)

I was looking at something completely innocuous (I think it was home improvement things) and I got that phony anti virus screen.

It's spreading.....

The fun part: it's kind of a hoot when the phony antivirus screen comes up showing a Windows XP window and file system ..... and you're on fedora 14/GNOME ...

Re:No wonder. (1)

psyclone (187154) | more than 3 years ago | (#35679120)

Maybe you should try noscript [noscript.net] to block unwanted 3rd party scripts.

More Information Please? (3, Interesting)

Haedrian (1676506) | more than 3 years ago | (#35678622)

Website use follows a Zipfian distribution. Less popular sites may be more vulnerable to attack since they'd be written by script kiddies.

So instead of telling us how many URLs have been hijacked, how about telling us how many end users are likely to be affected by this? It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

Re:More Information Please? (1)

John Hasler (414242) | more than 3 years ago | (#35679358)

It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

You make it sound as if those are mutually exclusive.

Re:More Information Please? (1)

poptones (653660) | more than 3 years ago | (#35684306)

I don't do porn tgps, music sites or pretty much anything like that and yet I've seen several "possible attack site" warnings today in forefox. Weird sites, like furniture and such. I click a link and get that red screen. I was wondering what was up, it seems very strange today.

Luckily (1)

$RANDOMLUSER (804576) | more than 3 years ago | (#35678626)

McAffe.com is totally safe.

Here's a suggestion (3, Interesting)

smooth wombat (796938) | more than 3 years ago | (#35678690)

How about posting a screenshot of the anti-malware warning so we can be aware of it. I recently had to remove a piece of cruft from a user's laptop which, as far as I can tell, came from a Flash ad.

Since I know this user doesn't go to random bobssoftware.com sites, it had to come from an ad or a compromised site.

Also, would it have killed the editors to go to the source [websense.com] rather than some blog which scraped the source site?

Re:Here's a suggestion (1)

Megahard (1053072) | more than 3 years ago | (#35679030)

I had the misfortune to run into it yesterday. It continuously runs a fake scan, asks you to download an executable, and doesn't let you navigate away from the page. The only way I got rid of it was by shutting down JavaScript then closing the tab.

Re:Here's a suggestion (1)

Lumpy (12016) | more than 3 years ago | (#35679604)

alt-F4 conquers ANY of these.

Re:Here's a suggestion (1)

Xenna (37238) | more than 3 years ago | (#35679958)

I've seen one of those when a colleague asked for my help. It looks deceptively realistic, technically unsophisticated users could easily be fooled.

Re:Here's a suggestion (0)

Anonymous Coward | more than 3 years ago | (#35680430)

I've run into a couple of these. Just type in an actress' name into Google Images using default search settings. Scroll down until you see the one image that is... {ahem} "out-of-place". Right-click and open in new tab. Watch the hilarity ensue.

I say hilarity, as it pops up what looks like the XP file manager/explorer, pretends to scan your PC, and tells you that files are infected.

I run Fedora, so it's highly unlikely my "svchost.exe" has a problem. Also, XP is not Gnome. Yeah, I got a good chuckle out of that, closed the tab, and kept browsing.

Yet, I have to admit, an inexperienced user would very well be defecating rectangular solids upon seeing that. So, there are now three reasons I still have an XP box around: Virus scanning of other HDs, Malware scanning of other HDs, and Irfanview (fsck Photoshop - I can use the GIMP, but nothing compares to the speed, small size, and versatility of Irfanview. Sadly, there's no Linux version of it.).

LOL@Slashdot (0)

Anonymous Coward | more than 3 years ago | (#35678718)

Let me inject my useless comment to a useles story using SQL right now...

yawn... this site is the FOX NEWS of tech... but people know that by now...

hah... (1)

koan (80826) | more than 3 years ago | (#35678790)

I often get my security software from pop ups.

You know...I would say people need to take a test and get a license before they can "surf the net" but look at how well that turned out for cars.

Kind of amusing (0)

Anonymous Coward | more than 3 years ago | (#35678922)

I can't help but smile when I hear about how this kind of intrusion trouble hits those who have actually done it wrong. That's what they have done, otherwise they wouldn't be vulnerable to SQL injections (even aside from the fact that they are using SQL). I cringe when I see people do it so it feels good when they are punished. They don't know what they are doing, or at least they don't understand what they are doing well enough. What happens when I take in this parameter from there and use it over here as a part of my code? They don't seem to have thought that through, which I find intellectually evil.

Doing it wrong can still pass your test cases, if you are unlucky.

Ooh, Shiny! =Click-ety= (1)

iiiears (987462) | more than 3 years ago | (#35679000)

Firefox and NoScript to the rescue. Again...

If your server was one of the 380,000 hacked. I hope you will be back online soon.

Re:Ooh, Shiny! =Click-ety= (1)

wagnerrp (1305589) | more than 3 years ago | (#35680060)

The article never claimed there were 380k servers hacked, it merely claimed there were 380k compromised unique URLs. If you follow the article, they are unique URLs as determined by a Google search. It could just as well be a hundred hacked servers with several thousand compromised pages each. Many of those pages could even be duplicates of one another.

As always, NoScript to the rescue (1)

ArcCoyote (634356) | more than 3 years ago | (#35679152)

NoScript will protect you from this and all 3rd-party script injection, even when set very permissive (allow all scripts from the base domain)

Re:As always, NoScript to the rescue (0)

Anonymous Coward | more than 3 years ago | (#35679796)

It doesn't protect the site from becoming infected in the first place which is the real problem here. Often NoScript is like AV. It treats the symptoms of the problem and not the problems themselves. Don't get me wrong, NoScript is an excellent tool (I use it myself and I recommend it to many). I just think that too often it gets promoted as a cure all at the expense of giving the real problem some thoughtful discussion.

And really does NoScript protect you here? SQL injection is a method of compromising servers. The third party content is served up by the compromised server in the same way as the first party content (which you probably already told NoScript to trust).

Here, have a massive XSS vulnerability (0)

Anonymous Coward | more than 3 years ago | (#35679276)

http://digg.com/eyewonder/interim.html?url=http://example.com/bad.js
cnn.com/eyewonder/interim.html
foxnews.com/eyewonder/interim.html
www.nbc.com/eyewonder/interim.html
news.cnet.com/eyewonder/interim.html
www.myspace.com/eyewonder/interim.html
You get the idea..

There's also another vulnerable file /flashtalking/ftlocal.html on many sites

Re:Here, have a massive XSS vulnerability (0)

Anonymous Coward | more than 3 years ago | (#35679762)

WTF? Amateur hour at the mega sites?

Re:Here, have a massive XSS vulnerability (0)

Anonymous Coward | more than 3 years ago | (#35683394)

Fuck me. That is really, really appalling. Endless target opportunity.

Oh yes, little Bobby Tables, we call him. (1, Funny)

WebManWalking (1225366) | more than 3 years ago | (#35679638)

Re:Oh yes, little Bobby Tables, we call him. (0)

Anonymous Coward | more than 2 years ago | (#35683720)

ugh, rule nr 1 for posting linking to jokes in threads: NEVER INCLUDE THE PUNCHLINE IN YOUR LINK / TITLE.

More info on this hack (0)

Anonymous Coward | more than 3 years ago | (#35679784)

There are two more links which get injected via this particular hack. It is pretty common to see malicious hackers inject multiple links in one hack attempt.
http://www.stopthehacker.com/2011/03/31/lizamoon-hack-mass-sql-injection/

My efforts pale in comparison (0)

Anonymous Coward | more than 3 years ago | (#35679806)

My hot beef injection attack only compromised 10-15 URL's

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?