Slashdot Mirror


Mass Hack Infects Tens of Thousands of Sites

An anonymous reader writes "Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA's Web site had been infected. Roger Thompson, the chief research officer at Grisoft, pointed out that the hacked sites could be found via a simple Google search for the domain that hosts the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. 'This was a pretty good mass hack,' said Thompson, in a post to his blog." By Sunday a second round of the same attack had infected over 90,000 servers.

13 of 259 comments

  1. Re:Okay Hands Up... by ricebowl · Score: 4, Insightful

    I don't know about "awesome"; my first thoughts were along the lines of "oh... for fuck's sake..." and "how do I check?"

    While I share your appreciation of feats, I'd prefer the feat achieved to be a positive application of the knowledge rather than a mass-hack.

    But hey; that's just me being a grumpy old folk I guess.

  2. Re:Okay Hands Up... by slashbob22 · Score: 3, Insightful

    Question: were any *nix or L*X machines compromised? Might be a dumb question, so bash me all you want if it was... Considering it is a SQL injection attack, I would assume that any system (of whatever OS) which is running a SQL database and is not scrubbing its input is vulnerable.
    --
    Proof by very large bribes. QED.

  3. Good acts of violence by MosesJones · Score: 3, Insightful

    Reading the referenced article, it seems to almost applaud the success of the attack. This isn't a "good" attack; it's a very bad attack in that it has been successful and could potentially inflict damage on thousands or even millions of users. It's like claiming that something was a very "good" fraud because it robbed thousands of old folks of their life savings.

    It's a bad attack, it's bad that it's been successful, and the people who did it are scum. These aren't some rebels fighting against the system; they are criminal scum who are aiming to inflict damage on large numbers of people. Remember all those times when you have to clean up your parents'/in-laws'/friends' computers because they get compromised by this crap? Well, the scum behind this have just given you a whole lot more time doing crappy boring work.

    --
    An Eye for an Eye will make the whole world blind - Gandhi

    1. Re:Good acts of violence by AdrocK · Score: 2, Insightful

      I think everyone agrees that this sort of thing is "bad". I wouldn't call it violence, but criminal nonetheless.

      But I also think slashdotters are amused at the continued running-amok of MS products. When the school bully gets beat up, you tend to not feel as sorry for him as you do for your friend.

      Besides, cleaning up the spyware keeps the fly-by-night PC repair geeks in business.

      --
      Those who can, do. Those who can't, teach.

  4. dumb or troll ? by erlehmann · Score: 1, Insightful

    the problem is nothing that has to do with signed code. signing code "only" authenticates it and does not say that there are no security holes.

    it has, however, something to do with specific precautions not being taken: with selinux or apparmor for example this probably wouldn't have happened simply because they handle application privileges in a different (IMHO: better) way - through profiles.

  5. Re:this kinda crap ain't gonna stop until: by Anonymous Coward · Score: 2, Insightful

    Hypothetical signed program checklist:

    * SQL server: SIGNED
    * Web server: SIGNED

    Well, in this case you are still vulnerable to an SQL injection attack...

  6. Re:this kinda crap ain't gonna stop until: by lhorn · Score: 2, Insightful

    A whitelist wouldn't stop this; MSSQL would run, being on it...
    If the whitelist specified that MsSQL was not allowed to load and execute code from links in data, perhaps that will do it.
    Separation of code and data would fix the situation. I for one would be able to live with the reduced functionality.

    --
    accept no limits but time

  7. Re:Okay Hands Up... by mhall119 · Score: 2, Insightful

    Nobody seems to know how the malicious code actually got into the server in the first place. Simple SQL injection is definitely a prime suspect, but it's also possible that there is some flaw in SQL Server's processing of properly parameterized code that still allows the tainted user-input to be executed.

    --
    http://www.mhall119.com

  8. Re:SQL injection by pedestrian+crossing · Score: 3, Insightful

    sql injection to gain root
    I will gnaw my leg off if this dribble gets modded up.

    So far, so good, it's still at 1.

    I am astounded at the (much more than usual) level of misunderstanding of how the attack works. I've seen one correct comment, and much blathering idiocy!

    Running LAMP might protect you from this particular attack only because it is looking for table/column information the MS-SQL way. If you aren't taking effective steps to prevent SQL injection (which has nothing to do with "gaining root"), only luck is keeping it from happening to your LAMP system.

    --
    A house divided against itself cannot stand.

  9. Re:Not surprised by Wornstrom · Score: 2, Insightful

    Also the MDAC was patched more than a year ago. Why weren't the patches applied?

    I'll wager that it is the same camp of people who wait until they are absolutely forced to install service packs, because they don't want them to break their applications. Nothing worse than someone putting that bug in a small business "IT person's" ear... next thing you know none of their desktops have XP service pack 2 installed because they "heard it would break stuff"...

  10. Re:You should still be careful. by mhall119 · Score: 2, Insightful

    Only this isn't a Windows virus, it's an SQL injection attack. Most likely the vulnerability isn't even in Microsoft code, but in some popular business web application that uses MS SQL for the backend. Tweaking that to exploit a PHP application that uses MySQL for the backend wouldn't be any more difficult.

    --
    http://www.mhall119.com

  11. Re:Okay Hands Up... by kestasjk · Score: 2, Insightful

    If you're on Firefox grab NoScript. You'd have to explicitly allow u8080.com to run scripts for this to have any effect.

    --
    // MD_Update(&m,buf,j);

  12. Re:Okay Hands Up... by anotherone · Score: 4, Insightful

    Ah, OK, let me just look this up on the vulnerability chart here. OK, your server is Linux... very good, very good, your databases are all only accessible to localhost. OK, looks like you are EXACTLY as vulnerable to SQL injection as everyone else. Running Linux and preventing remote users on your database does NOT protect you. If you have a script on your server that doesn't sanitize even one input, you are just asking for trouble. You WILL get hacked sooner or later.

    --
    Username taken, please choose another one.
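The point made in comments 6 (separate code from data), 8 (injection needs no "root", and LAMP is only protected by luck) and 12 (one unsanitized input is enough, whatever the OS) comes down to how a query is built. The following is an added example, not code from the article or from any commenter: it uses Python's standard-library sqlite3 (chosen because it runs anywhere; the database engine is irrelevant to the point, exactly as comment 12 says) with a constructed `pages` table and a constructed malformed input, and shows the same lookup written once by splicing the input into the SQL text and once with a bound parameter.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny content table
# standing in for the kind of tables the mass hack rewrote.
SAMPLE_ROWS = [
    (1, "home", "Welcome"),
    (2, "about", "About us"),
    (3, "contact", "Contact"),
]

# Constructed input: a value that is harmless as data but, if pasted into
# the SQL text, turns the WHERE clause into a tautology.
ODD_INPUT = "' OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, slug):
    """The pattern comment 12 warns about: user input spliced into the query.

    The database cannot tell which part of the string came from the
    developer and which came from the request, so the input can change the
    meaning of the statement. No OS or database privilege is involved.
    """
    sql = "SELECT slug FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, slug):
    """The fix: the value travels separately from the SQL text.

    This is comment 6's "separation of code and data" at the query level:
    the driver binds the value as a literal, so it can only ever be compared
    against the column, never parsed as SQL.
    """
    cur = conn.execute("SELECT slug FROM pages WHERE slug = ?", (slug,))
    return [row[0] for row in cur]


def compare(conn, value):
    """Run both lookups on the same input and report what each returned."""
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, value)),
        "parameterized": sorted(lookup_parameterized(conn, value)),
    }


if __name__ == "__main__":
    db = make_db()
    # An ordinary slug behaves identically in both versions.
    print("normal input:", compare(db, "about"))
    # The odd input is matched as a literal by the parameterized version
    # (no such slug, so nothing comes back) but rewrites the spliced query.
    print("odd input:   ", compare(db, ODD_INPUT))
```

Note that nothing here depends on Linux versus Windows, MySQL versus MS SQL, or whether the database listens only on localhost: the query is executed by the application's own connection with the application's own privileges, which is why comment 8 insists the attack has nothing to do with "gaining root". Input "sanitizing" in the sense of stripping characters is also the weaker fix; binding parameters removes the ambiguity instead of trying to guess every dangerous sequence.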