Mass Hack Infects Tens of Thousands of Sites

← Back to Stories (view on slashdot.org)

Mass Hack Infects Tens of Thousands of Sites

Posted by kdawson on Tuesday January 8, 2008 @01:09AM from the stay-safe-out-there dept.

An anonymous reader writes "Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA's Web site had been infected. Roger Thompson, the chief research officer at Grisoft, pointed out that the hacked sites could be found via a simple Google search for the domain that hosts the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. 'This was a pretty good mass hack,' said Thompson, in a post to his blog." By Sunday a second round of the same attack had infected over 90,000 servers.

47 of 259 comments (clear)

Okay Hands Up... by AndGodSed · 2008-01-08 01:21 · Score: 2, Funny

...those of you who thought "Awesome!"

I am no fan of malicious hacking, but my inner geek always stirs when I read something like this, much like watching someone in the real world accomplishing an amazing but insane feat, like those guys with the squirrel suits base-jumping, or something *cough*

Question, where any *nix or L*X machines compromised? Might be a dumb question, so bash me all you want if it was...

--
Seven Days with Ubuntu Unity
1. Re:Okay Hands Up... by ricebowl · 2008-01-08 01:25 · Score: 4, Insightful
  
  I don't know about "awesome," my first thoughts were along the lines of "oh...for fuck's sake..." and "how do I check?"
  
  While I share your appreciation of feats, I'd prefer the feat achieved to be a positive application of the knowledge rather than a mass-hack.
  
  But hey; that's just me being a grumpy old folk I guess.
2. Re:Okay Hands Up... by slashbob22 · 2008-01-08 01:26 · Score: 3, Insightful
  
  Question, where any *nix or L*X machines compromised? Might be a dumb question, so bash me all you want if it was... Considering it is a SQL injection attack I would assume that any system (of whatever OS) which is running a SQL database and is not scrubbing their input is vulnerable.
  
  --
  Proof by very large bribes. QED.
3. Re:Okay Hands Up... by fmobus · 2008-01-08 01:28 · Score: 2, Informative
  
  TFA guesses the exploit is a simple SQL injection where the injected code consists of calls to MS SQL Server's sysobject calls. I imagine this would give the attacker some file system access, allowing for injection of script tags pointing to the attacking javascript, and so on. This is a clever attack, once again allowed only by MS insistence in allowing things like an SQL Server to execute stuff not related to its task. Note that, while this is convenient and useful, it should never be allowed by default.
4. Re:Okay Hands Up... by AndGodSed · 2008-01-08 01:34 · Score: 2, Interesting
  
  Ah there you have it then.
  
  Cue the chorus; "Windows machines are only attacked because there are so many users..."
  
  Sheesh, forgetting that 70% of servers run Linux...
  
  --
  Seven Days with Ubuntu Unity
5. Re:Okay Hands Up... by pwilli · 2008-01-08 01:37 · Score: 5, Informative
  
  It was even simpler than that (according to TFA):
  
  1. SQL-Query for all tables in the database
  2. Search for text-columns in table
  3. add script-tag to every entry in those columns
  4. hope at least some of those entries get included into the webpage without filtering (or escaping) the injected HTML
  
  No need for FS access or root rights (as another ./er suggested), but also not really spectacular creative.
6. Re:Okay Hands Up... by Bert64 · 2008-01-08 01:48 · Score: 2, Interesting
  
  Or they could have used the xp_cmdshell function of mssql to actually execute commands, often as the SYSTEM user and thus infected the servers themselves with the malware payload.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
7. Re:Okay Hands Up... by morgan_greywolf · 2008-01-08 01:57 · Score: 5, Informative
  
  I don't know about "awesome," my first thoughts were along the lines of "oh...for fuck's sake..." and "how do I check?" TFA seems to be saying that LinkScanner will check for it. Of course, it's worth noting that TFA's author is the 'Chief Research Officer' for the company that makes LinkScanner. IOW, this is a bit of a slashvertisement.
  
  --
  My blog
8. Re:Okay Hands Up... by Anonymous Coward · 2008-01-08 02:14 · Score: 5, Informative
  
  Helps to understand the database, doesn't it? The "sysobject calls" are just reads to the underlying tables that store the database schema. The injection attack uses sysobjects to determine what tables exist. They did use sysobjects which is specific to MS SQL Server and Sybase, but they could have just as easily used INFORMATION_SCHEMA which are a series of ANSI compliant views that contain the same information and work on virtually all databases.
  
  This attack has nothing to do with system access of the database server. Other than the fact that the specific exploit looks to sysobjects, there is nothing specific about this attack to MS SQL Server at all. This same kind of attack would work just as well on any other web server with an application using any other database. The problem isn't that the web server or the database has a vulnerability, rather that the specific web application itself does. SQL injection attacks are stupidly common because the people who write web applications, on any platform, simply ignore written secure programming conventions.
  
  For those who don't know what SQL injection is, it is caused when the web application does something stupid like concatenate unvalidated user input directly into a SQL string that is then sent to the database. This enables the attacker to pass user input which contains portions of SQL that will be also be sent to the database and executed under the security context of the web application. More often than not the developer who made this stupid mistake also made the stupid mistake of connecting to the database using significantly higher privileges than necessary, possibly even root/admin level privileges. Thus, the attacker can do virtually anything they want, from inserting new data to dropping objects and breaking the web application entirely, if they felt like it.
  
  Basic rules when developing a database-driven web site:
  
  1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database.
  2. Always validate/encode user input. Even if you stave off SQL injection it's still possible for an attacker to attempt to hide HTML or JavaScript in their input. If the web application stores and displays the information as it has been entered it would be possible for the attacker to embed malicious script into the content sent to the browser. Most frameworks have the ability to find this material in user input, or you could encode it so that it's not executed by the browser and shown as plain text.
  3. Always use a database connection with the lowest necessary priveleges. This reduces the possible attack surface by preventing a successful attack from having the leverage to compromise the data or the database server itself. Couple this with item 1 and you have a security context in which the web application can only execute a handful of stored procedures and cannot directly read/write to any of the user tables.
9. Re:Okay Hands Up... by berashith · 2008-01-08 02:32 · Score: 3, Funny
  
  Even if it is an ad, they are apparently very good at what they do. I mean, infecting this many machines this quickly just so their product is needed... they are hella smart.
10. Re:Okay Hands Up... by mhall119 · 2008-01-08 02:35 · Score: 2, Insightful
  
  Nobody seems to know how the malicious code actually got into the server in the first place. Simple SQL injection is definitely a prime suspect, but it's also possible that there is some flaw in SQL Server's processing of properly parameterized code that still allows the tainted user-input to be executed.
  
  --
  http://www.mhall119.com
11. Re:Okay Hands Up... by 0100010001010011 · 2008-01-08 02:43 · Score: 4, Funny
  
  Yes, sounds like someone didn't Sanitize their input.
  
  If only they had little Bobby Tables doing the testing.
12. Re:Okay Hands Up... by kestasjk · 2008-01-08 03:46 · Score: 2, Insightful
  
  If you're on Firefox grab NoScript. You'd have to explicitly allow u8080.com to run scripts for this to have any effect.
  
  --
  // MD_Update(&m,buf,j);
13. Re:Okay Hands Up... by anotherone · 2008-01-08 03:59 · Score: 4, Insightful
  
  ah ok let me just look this up on the vulnerability chart here ok, your server is Linux... very good, very good your databases are all only accessible to localhost, ok looks like you are EXACTLY as vulnerable to SQL injection as everyone else. Running Linux and preventing remote users on your database does NOT protect you. If you have a script on your server that doesn't sanitize even one input, you are just asking for trouble. you WILL get hacked sooner or later.
  
  --
  Username taken, please choose another one.
14. Re:Okay Hands Up... by Tablizer · 2008-01-08 04:37 · Score: 3, Interesting
  
  1. Never concat input into SQL. In fact, avoid dynamic SQL entirely. Use stored procedures with parameter binding so that user input can never be used to inject SQL statements to the database.
  
  But things such as Query-By-Example with wild-card (LIKE) potential, a very powerful technique, cannot easily be done using stored procedures. We would have to cripple the power of computers and have programmers wasting time writing trivial queries/reports for users and/or a combinatorial explosion of query forms (I've seen that happen).
  
  By the way, has anybody seen any sql injection attacks that don't involve quotes?
  
  --
  Table-ized A.I.
Phew! Nothing to see here! by thechanklybore · 2008-01-08 01:21 · Score: 3, Funny

Woah, I was almost worried for a second before I read it was Microsoft specific!

My darling Apache and PostgreSQL may you never let evildoers overflow your fair buffers.

*wipes brow*
1. Re:Phew! Nothing to see here! by cHiphead · 2008-01-08 02:38 · Score: 2, Informative
  
  Almost every shared hosting and VPS out there does that... just not with MS SQL quite so often
  
  --
  
  This is my sig. There are many like it, but this one is mine.
2. Re:Phew! Nothing to see here! by mhall119 · 2008-01-08 02:53 · Score: 2, Informative
  
  70,000 server admins could just as easily leave a LAMP system unprotected from SQL injection, but you wouldn't be trolling then, would you. Yes we would, only we'd be mocking PHP coders not Microsoft.
  
  --
  http://www.mhall119.com
3. Re:Phew! Nothing to see here! by bberens · 2008-01-08 03:46 · Score: 2, Funny
  
  Microsoft has saved us all once again. If Microsoft had not trained developers all across the world to use it's proprietary extensions rather than ANSI compatible SQL then something important might have been hit by this attack rather than poorly coded webapps running MSSQL. Thank you Microsoft for taking this bullet for us.
  
  /too thick?
  
  --
  Check out my lame java blog at www.javachopshop.com
this kinda of crap anin't gonna stop until: by Grampaw+Willie · 2008-01-08 01:24 · Score: 2, Interesting

this kind of crap ain't gonna stop until we have a fundamental change in our approach to security: and that is we use a WHITELIST to authorize execution of the programs we trust and exclude EVERYTHING else.

trying to identify and exclude malware has fallen short of meeting our needs

and that demonstration continues week after week after week after week as the hacking gets worse and worse

if we are going to use the internet for business purposes this is UNACCEPTABLE. Change has to happen.

NO SIGNATURE? NO EXECUTE.
1. Re:this kinda of crap anin't gonna stop until: by Antique+Geekmeister · 2008-01-08 01:30 · Score: 3, Funny
  
  That's right. Just make sure it has a GPL or possibly an Apache license, and your security status will improve quite a bit.
2. Re:this kinda of crap anin't gonna stop until: by Anonymous Coward · 2008-01-08 01:36 · Score: 2, Insightful
  
  Hypothetical signed program checklist:
  
  * SQL server: SIGNED
  * Web server: SIGNED
  
  Well, in this case you are still vulnerable to an SQL injection attack...
3. Re:this kinda of crap anin't gonna stop until: by lhorn · 2008-01-08 01:42 · Score: 2, Insightful
  
  A whitelist wouldn't stop this, MsSQL would run, being on it...
  If the whitelist specified that MsSQL was not allowed to load and execute code from links in data, perhaps that will do it.
  Separation of code and data would fix the situation. I for one would be able to live with the reduced functionality.
  
  --
  accept no limits but time
Protect yourself with AdBlock by Yaztromo · 2008-01-08 01:24 · Score: 4, Informative

Add this simple rule:
http://*.uc8010.com/*

Yaz.
NoScript by j.sanchez1 · 2008-01-08 01:31 · Score: 2, Interesting

Wouldn't NoScript protect the Firefox users out there?

--
Speedy thing goes in; speedy thing comes out.
Good acts of violence by MosesJones · 2008-01-08 01:31 · Score: 3, Insightful

Reading the referenced article it seems to almost applaud the success of the attack. This isn't a "good" attack its a very bad attack in that it has been successful and could potentially inflict damage on thousands or even millions of users. Its like claiming that something was a very "good" fraud because it robbed thousands of old folks of their life savings.

Its a bad attack, its bad that its been successful and the people who did it are scum. These aren't some rebels fighting against the system they are criminal scum who are aiming to inflict damage on large numbers of people. Remember all those times when you have to clean up your parents/in-law/friends computers because they get compromised by this crap? Well the scum behind this have just given you a whole lot more time doing crappy boring work.

--
An Eye for an Eye will make the whole world blind - Gandhi
1. Re:Good acts of violence by AdrocK · 2008-01-08 01:51 · Score: 2, Insightful
  
  I think everyone agrees that this sort of thing is "bad". I wouldn't call it violence, but criminal nonetheless.
  
  But I also think slashdotters are amused at the continued running-amok of MS products. When the school bully gets beat up, you tend to not feel as sorry for him as you do for your friend.
  
  Besides, cleaning up the spyware keeps the fly-by-night pc repair geeks in business
  
  --
  Those who can, do. Those who can't, teach.
Re:The aim of the hack by LiquidCoooled · 2008-01-08 01:36 · Score: 2, Funny

AV firms came back to work yesterday ;)
They had a 2 week holiday.

--
liqbase :: faster than paper
Protect yourself with HOSTS by martyb · 2008-01-08 01:47 · Score: 4, Informative

Another approach is to just block it in your HOSTS file:
127.0.0.1 uc8010.com
Or, even better, use an updated HOSTS file which has entries to block malicious sites: (on last check, this blocked over 16,000 addresses!): http://www.mvps.org/winhelp2002/hosts.zip
Description and explanation is here.
1. Re:Protect yourself with HOSTS by Yaztromo · 2008-01-08 02:08 · Score: 2, Informative
  
  Another approach is to just block it in your HOSTS file:
  127.0.0.1 uc8010.com
  
  Just FYI, doing my own quick Google search, it appears that the hosts used by the bulk of these attacks is actually c.uc8010.com and n.uc8010.com. Indeed, it looks like all one-letter hostnames are used for this domain. So modification of your HOSTS should be made accordingly to ensure all hosts from this domain are indeed re-routed.
  Yaz.
Re:SQL injection by Fizzl · 2008-01-08 02:06 · Score: 4, Funny

sql injection to gain root

I will gnaw my leg of if this dribble gets modded up.

--
Bot Assisted Blogging
Re:dumb or troll ? by Rich0 · 2008-01-08 02:09 · Score: 4, Informative

Uh - this attack didn't involve the execution of any "code" - at least nothing that selinux/etc would recognize as such. SQL Server was hit exclusively not because of any particular vulnerability - but because the attack used syntax specific to that server only.

This is an SQL injection attack. That is when a poorly-written application does not sanitize its input, and passes it onto a database server as part of a SQL script. The malicious input terminates the command the application was running and starts some other command running. It has no access to anything in the system other than the data in the database - which is all this attack compromised. However, that data in tht database was then used by the application to render html output, which then passed the exploit scripts onto web clients.

This is analogous to a trojan that wipes out all of a user's files in ~ in unix. Simply running as non-root will do nothing to prevent it from working - the user has access to delete their own files already.

The attack merely used the applications write-access to its own database to modify the database contents - something that is nearly impossible to automatically protect against at the database server level. However, almost all database servers (including SQL Server I'm sure) does offer a semi-manual form of protection - a parametized query. If you prepare a query and put parameters in it, and then pass on user-input data in the parameters, the server will refuse to use the user-input data as anything other than data. Application authors just need to use this feature...
Re:Not surprised by Anonymous Coward · 2008-01-08 02:09 · Score: 5, Informative

SQL injection attacks are universal across database platforms. No matter what front-end and back-end you use for a database store, if you're building SQL command strings in memory with unscrubbed external inputs, you're liable for an attack. This attack relied on SQL Server's sysobjects table, but that wasn't the vulnerability, that was just the target.
This is NOT a mass attack by blast3r · 2008-01-08 02:14 · Score: 2, Informative

If you search for "uc8010.com" in Google then click on the omit link at the bottom it shows about 94,000 "PAGES". Not Servers! One server had most of the pages infected. BTW, this is NOT a compromised 'SERVER'. The SQL database got injected with content but the actual server isn't compromised. This isn't news.
I noticed some similarity... by CRX588 · 2008-01-08 02:25 · Score: 2, Interesting

Thats funny, I recently complained to a US based, MidPhase about some Chinese scam site, uer168(dot)com. I noticed some similarity in the domain with the uc8010(dot)com domain from the article. The whois data is also much alike, at least the registrar is Xin Net Technology Corp. for both.

So far Midphase has refused to take the scam site off line, even though it's seems these Chinese crackers are affiliated.
Re:You should still be careful. by Anonymous Coward · 2008-01-08 02:27 · Score: 5, Informative

The server-side exploit is not binary code. It is a SQL injection attack. The only thing that ties it to MS SQL Server is the fact that they decided to use the sysobjects table to locate other tables. They could have just as easily used the ANSI-compliant INFORMATION_SCHEMA.TABLES view, which is available in most databases including MS SQL, MySQL, Postgres, Oracle, DB2, etc.. From there they could have used ANSI standard SQL to push their updates into the database containing their malicious javascript.

This exploit did not require compromising the web server, or the database server. It required compromising the programming of the web application. Such an attack would work similarly on any combination of web server and database server, if it had been so designed.

As for the client exploit, yes that would have been tougher. They did rely on a specific ActiveX exploit to compromise the clients. But they could have just as easily use poorly written Apache/PGSQL sites to push that malicious script.
Re:Not surprised by Bigmilt8 · 2008-01-08 02:31 · Score: 3, Informative

Thank you for printing this statement. It is amazing how most "technical" people don't understand what a SQL injection attack is and that it is platform independent. These attacks have to be stopped in your front-end development and not in the database engine. If you are writing code that is this unsecure (especially in 2007) then you shouldn't be coding at all. Also the MDAC was patched more than a year ago. Why weren't the patches applied?
Re:dumb or troll ? by lrohrer · 2008-01-08 02:36 · Score: 4, Informative

Not at all impossible to prevent!

Webserver user should only have read access to only the tables required. Writes should always go through stored procedures. The SP has write access but not the user. The SP must also do a second (or third) scrubbing of the data.

It can also make sense to have to databases. One that serves the web pages and another that handles updates.
Re:SQL injection by pedestrian+crossing · 2008-01-08 02:41 · Score: 3, Insightful

sql injection to gain root
I will gnaw my leg of if this dribble gets modded up.

So far, so good, it's still at 1.

I am astounded at the (much more than usual) level of misunderstanding of how the attack works. I've seen one correct comment, and much blathering idiocy!

Running LAMP might protect you from this particular attack only because it is looking for table/column information the MS-SQL way. If you aren't taking effective steps to prevent SQL injection (which has nothing to do with "gaining root"), only luck is keeping it from happening to your LAMP system.

--
A house divided against itself cannot stand.
Re:Not surprised by Corporate+Troll · 2008-01-08 02:41 · Score: 5, Interesting

Do you want to know what is even scarier?

In many corporate internal applications, SQL Injections are treated as if they do not exist. I have pointed out many times in several projects I have worked on that any malevolent person could do some very very nasty things. They don't care... "It's not open on the Internet". I just hope we'll never have a disgruntled employee that is a bit more geeky than the others.

*sigh*

Little Bobby Tables
Just One Example by soloport · 2008-01-08 02:43 · Score: 4, Funny

Here are more details on how such an attack can take place, and the devastation it can cause.
Re:Not surprised by Wornstrom · 2008-01-08 02:46 · Score: 2, Insightful

Also the MDAC was patched more than a year ago. Why weren't the patches applied?

I'll wager that it is the same camp of people who wait until they are absolutely forced to install service packs, because they don't want them to break their applications. Nothing worse than someone putting that bug in a small business "IT person's" ear... next thing you know none of their desktops have XP service pack 2 installed because they "heard it would break stuff"...
Re:You should still be careful. by mhall119 · 2008-01-08 02:57 · Score: 2, Insightful

Only this isn't a Windows virus, it's an SQL injection attack. Most likely the vulnerability isn't even in Microsoft code, but in some popular business web application that uses MS SQL for the backend. Tweaking that to exploit a PHP application that uses MySQL for the backend wouldn't be any more difficult.

--
http://www.mhall119.com
Re:SQL injection by stranger_to_himself · 2008-01-08 03:00 · Score: 2, Interesting

I would like to see computer users with more knowledge and more security awareness. However, it is easy to throw some HTML/ASP/whatever on to a website. How can we let novice users create "secure" sites without banning them the web?
You've hit exactly on the real problem. I'm a sort of hobbyist web developer with no real training. I can hack together websites using ASP.Net and SQL server that work (that is do what they're supposed to do), but I have no idea how write secure websites. I don't even understand the sorts of attacks I should be expecting. Furthermore, the 'my first website' books I learnt from don't really cover this sort of stuff except in passing, and learning about security is frankly boring.

Sadly I don't have a solution, and I don't think there is one. Thinking along a public health analogy, advocating 'safe web programming' is difficult because its far less fun, and advocating abstainance for those who aren't qualified isn't going to work because, well you know what kids are like. Enforcing a ban is culturally unacceptable and impossible in any case.
Re:Any recommendations? by Wodin · 2008-01-08 03:55 · Score: 2, Informative

Maybe this?

sqlmap

I haven't tried it.

--
-- Wodin
Re:Not surprised by orgelspieler · 2008-01-08 07:01 · Score: 2, Interesting

I've used un-scrubbed corporate app inputs to my advantage. At GE, we had two databases that didn't talk to each other. At all. We had to manually enter the data from one into the other line by line (why they paid engineers to do such mindless work is beyond me, maybe it's because we were on salary). Eventually, I figured out that the second database didn't get rid of things like HTML tags from the company front end app. So instead of entering the data line by line in the second database (which nobody ever used, except to print one form), I just wrote a script that output the appropriate HMTL table from the first database, and just pasted that into the "Comments" section of the second database. The result was a form that looked exactly like one that was entered line by line, but it took about two hours less to do it. It printed out fine, so none of the PHBs cared / knew the difference. Also, my method allowed people to do useful stuff like link to equipment data sheets and embed Goatse pictures before they resigned.
Re:So what does it do? by mrdarreng · 2008-01-08 07:34 · Score: 2, Funny

Any idea? No fucking clue, but it managed to break out of slashdot's layout in FF. That's some powerful code!