Slashdot Mirror


Mass Hack Infects Tens of Thousands of Sites

An anonymous reader writes "Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA's Web site had been infected. Roger Thompson, the chief research officer at Grisoft, pointed out that the hacked sites could be found via a simple Google search for the domain that hosts the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. 'This was a pretty good mass hack,' said Thompson, in a post to his blog." By Sunday a second round of the same attack had infected over 90,000 servers.

9 of 259 comments

  1. this kind of crap ain't gonna stop until: by Grampaw+Willie · · Score: 2, Interesting

    this kind of crap ain't gonna stop until we have a fundamental change in our approach to security: and that is we use a WHITELIST to authorize execution of the programs we trust and exclude EVERYTHING else.

    trying to identify and exclude malware has fallen short of meeting our needs

    and that demonstration continues week after week after week after week as the hacking gets worse and worse

    if we are going to use the internet for business purposes this is UNACCEPTABLE. Change has to happen.

    NO SIGNATURE? NO EXECUTE.

  2. NoScript by j.sanchez1 · · Score: 2, Interesting

    Wouldn't NoScript protect the Firefox users out there?

    --
    Speedy thing goes in; speedy thing comes out.

  3. Re:Okay Hands Up... by AndGodSed · · Score: 2, Interesting

    Ah there you have it then.

    Cue the chorus; "Windows machines are only attacked because there are so many users..."

    Sheesh, forgetting that 70% of servers run Linux...

  4. Re:Okay Hands Up... by Bert64 · · Score: 2, Interesting

    Or they could have used the xp_cmdshell function of mssql to actually execute commands, often as the SYSTEM user and thus infected the servers themselves with the malware payload.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  5. I noticed some similarity... by CRX588 · · Score: 2, Interesting

    That's funny, I recently complained to a US-based host, MidPhase, about some Chinese scam site, uer168(dot)com. I noticed some similarity in the domain with the uc8010(dot)com domain from the article. The whois data is also much alike; at least the registrar is Xin Net Technology Corp. for both.

    So far MidPhase has refused to take the scam site offline, even though it seems these Chinese crackers are affiliated.

  6. Re:Not surprised by Corporate+Troll · · Score: 5, Interesting

    Do you want to know what is even scarier?

    In many corporate internal applications, SQL Injections are treated as if they do not exist. I have pointed out many times in several projects I have worked on that any malevolent person could do some very very nasty things. They don't care... "It's not open on the Internet". I just hope we'll never have a disgruntled employee that is a bit more geeky than the others.

    *sigh*

    Little Bobby Tables

  7. Re:SQL injection by stranger_to_himself · · Score: 2, Interesting

    I would like to see computer users with more knowledge and more security awareness. However, it is easy to throw some HTML/ASP/whatever on to a website. How can we let novice users create "secure" sites without banning them from the web?

    You've hit exactly on the real problem. I'm a sort of hobbyist web developer with no real training. I can hack together websites using ASP.Net and SQL Server that work (that is, do what they're supposed to do), but I have no idea how to write secure websites. I don't even understand the sorts of attacks I should be expecting. Furthermore, the 'my first website' books I learnt from don't really cover this sort of stuff except in passing, and learning about security is frankly boring.

    Sadly I don't have a solution, and I don't think there is one. Thinking along a public health analogy, advocating 'safe web programming' is difficult because it's far less fun, and advocating abstinence for those who aren't qualified isn't going to work because, well, you know what kids are like. Enforcing a ban is culturally unacceptable and impossible in any case.

  8. Re:Okay Hands Up... by Tablizer · · Score: 3, Interesting

    1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database.

    But things such as Query-By-Example with wild-card (LIKE) potential, a very powerful technique, cannot easily be done using stored procedures. We would have to cripple the power of computers and have programmers wasting time writing trivial queries/reports for users and/or a combinatorial explosion of query forms (I've seen that happen).

    By the way, has anybody seen any sql injection attacks that don't involve quotes?
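
As an added example (not code from the thread or any poster), the following Python/sqlite3 snippet shows how a Query-By-Example search with LIKE wildcards can be assembled dynamically while every user value is still bound as a parameter: the SQL text comes only from a fixed column whitelist, LIKE metacharacters in user text are escaped so only the form's own `*` acts as a wildcard, and numeric filters (the one place a value needs no quotes at all) are coerced to integers before binding. The `parts` table and its rows are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (id INTEGER, name TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO parts VALUES (?, ?, ?)", [
        (1, "bolt_m6", 40), (2, "bolt 10%", 5), (3, "washer", 12), (4, "nut_m6", 80)])
    return conn

def escape_like(term, esc="\\"):
    """Make user text match literally under LIKE: escape the escape char, '%' and '_',
    then turn the form's own '*' into the SQL '%' wildcard."""
    literal = (term.replace(esc, esc + esc)
                   .replace("%", esc + "%")
                   .replace("_", esc + "_"))
    return literal.replace("*", "%")

# Column whitelist: the only strings that are ever spliced into the SQL text.
ALLOWED = {"name": "LIKE", "qty": "=", "id": "="}

def qbe_search(conn, filters):
    """filters maps column -> raw user string. Returns matching ids in id order.
    Unknown columns and non-integer values for numeric columns are rejected
    rather than concatenated, so a value like '1 OR 1=1' never reaches the parser."""
    clauses, params = [], []
    for col, val in filters.items():
        if col not in ALLOWED:
            raise ValueError(f"unknown column {col!r}")
        if ALLOWED[col] == "LIKE":
            clauses.append(f"{col} LIKE ? ESCAPE '\\'")   # text goes in as a bound parameter
            params.append(escape_like(val))
        else:
            clauses.append(f"{col} = ?")
            params.append(int(val))   # raises ValueError on anything that is not an integer
    sql = "SELECT id FROM parts"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]
```

The escaping matters for the wildcard case the thread raises: without it a user typing `_` or `%` gets unintended matches, while with it `*_*` returns only names containing a literal underscore.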

  9. Re:Not surprised by orgelspieler · · Score: 2, Interesting

    I've used un-scrubbed corporate app inputs to my advantage. At GE, we had two databases that didn't talk to each other. At all. We had to manually enter the data from one into the other line by line (why they paid engineers to do such mindless work is beyond me; maybe it's because we were on salary). Eventually, I figured out that the second database didn't get rid of things like HTML tags from the company front end app. So instead of entering the data line by line in the second database (which nobody ever used, except to print one form), I just wrote a script that output the appropriate HTML table from the first database, and just pasted that into the "Comments" section of the second database. The result was a form that looked exactly like one that was entered line by line, but it took about two hours less to do it. It printed out fine, so none of the PHBs cared / knew the difference. Also, my method allowed people to do useful stuff like link to equipment data sheets and embed Goatse pictures before they resigned.