Slashdot Mirror


Mass Hack Infects Tens of Thousands of Sites

An anonymous reader writes "Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA's Web site had been infected. Roger Thompson, the chief research officer at Grisoft, pointed out that the hacked sites could be found via a simple Google search for the domain that hosts the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. 'This was a pretty good mass hack,' said Thompson, in a post to his blog." By Sunday a second round of the same attack had infected over 90,000 servers.

2 of 259 comments

  1. Re:Not surprised by Corporate+Troll · Score: 5, Interesting

    Do you want to know what is even scarier?

    In many corporate internal applications, SQL Injections are treated as if they do not exist. I have pointed out many times in several projects I have worked on that any malevolent person could do some very very nasty things. They don't care... "It's not open on the Internet". I just hope we'll never have a disgruntled employee that is a bit more geeky than the others.

    *sigh*

    Little Bobby Tables

  2. Re:Okay Hands Up... by Tablizer · Score: 3, Interesting

    1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database.

    But things such as Query-By-Example with wild-card (LIKE) potential, a very powerful technique, cannot easily be done using stored procedures. We would have to cripple the power of computers and have programmers wasting time writing trivial queries/reports for users and/or a combinatorial explosion of query forms (I've seen that happen).

    By the way, has anybody seen any SQL injection attacks that don't involve quotes?
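Added example, not from the story or the commenter: a query-by-example search over a LIKE pattern where the user's text is passed as a bound parameter with its LIKE metacharacters escaped, shown beside the string-concatenation pattern the comment warns against. The `users` table, its rows and the function names are constructed for this demo.

```python
import sqlite3

# Constructed sample data for this example.
SAMPLE_USERS = [
    (1, "O'Brien"),
    (2, "Smith"),
    (3, "Smithers"),
    (4, "100%_off"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def vulnerable_search(con, fragment):
    """The 'concat input into SQL' pattern: user text becomes part of the statement."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + fragment + "%' ORDER BY id"
    return [r[0] for r in con.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def qbe_search(con, fragment, allow_wildcards=False):
    """Query-by-example with LIKE: the pattern is built in code and handed to the
    driver as a bound parameter, so the user's text can never alter the statement."""
    if allow_wildcards:
        pattern = fragment                                # user may type % and _
    else:
        pattern = "%" + escape_like(fragment) + "%"       # literal substring match
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [r[0] for r in con.execute(sql, (pattern,))]
```

With `allow_wildcards=True` the user keeps the full power of `%` and `_` while the statement itself stays fixed, which is the query-by-example case the comment says parameter binding cannot cover.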