500 Thousand MS Web Servers Hacked
andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
Does it run on Linux?
Unless [...] data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. As for the fact that Firefox + NoScript prevents the problems, that really isn't a surprise seeing as these specific exploits rely on executing a JScript. Any browser with scripting disabled would be immune.
The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.
Amnesty International
Anyone surprised?
If you haven't made a developer cry, you've wasted a day.
Lolicious.
I once spent an hour trying to explain to an IIS/MS SQL Server admin what PHP/MySQL addslashes()/mysql_escape_string() do, all to no avail. He was absolutely sure that it is sufficient, like in VB, to surround any string with single quotes and it will all be fine.
Now seeing that it's real fun for guys, I can only laugh.
All hope abandon ye who enter here.
This is a SQL injection attack. IIS just happens to be the front-end of a poorly written web app.
Thus, if I'm running a web app that doesn't rely on IIS for anything more than presentation, and am not using SQL in my authentication (say something like Terminal Services or GraphOn), I should be fine.
Correct?
Chas - The one, the only.
THANK GOD!!!
Extra! Extra! Third-party software with a vulnerability is somehow M$'s fault!
SQL injection attacks can affect any platform and any database. It is the result of trusting unsanitized user input implicitly and either using it to construct a query statement or using it as data. In the first case the query can be modified to perform malicious activities, such as bypassing database-driven security in a website or modifying the database objects. In the latter case the unsanitized input could contain fragments of HTML or script that are sent back to the browser and rendered.
All of the platforms have mechanisms to prevent these issues, but the developers have to actually be intelligent enough to use them.
Solution: Upgrade to Windows Vista!
I kid! I kid!
Honestly though, this is a little humiliating. I understand that things get out of control in large projects, but I thought most people nowadays should know that database input sanitizing now fell among those universal truths, including but not limited to: brushing your teeth, wearing a condom, et al.
It's unforgiving, but you really do have to sacrifice speed for security sometimes. That being said, I feel pretty bad for all those sysadmins/developers who are probably going to have late nights tonight... and maybe for the next week or two.
I'm 1 hundred % shocked.
If I do not have NoScript for FFX, then I am vulnerable, and I am also unsure of what happens when you are infected with one of these trojans or w/e. Is it really that bad if my computer is a POS that I use for nothing important? Is there a threat of keyloggers? I have ZoneAlarm running and AVG antivirus...
Orbis terrarum est non altus satis
The article states a google search found over 500,000 modified pages. The post states over 500,000 servers. This is seriously misleading. If a site is hacked you could have several hundred modified pages on the site. This brings the number of servers down considerably.
PHP has pretty much fixed SQL injection hacks, at least for MySQL, something TFA you quote mentions on page 74. Given that this is the majority combination on web-facing machines, shouldn't that blunt the "LAMP installations are also susceptible to SQL injection" if only by quantity? I mean, I agree with your counter-FUD reasoning, but it seems to me that this blunts your whole sentence, MySQL+PHP being two pillars (and the last half) of LAMP.
Dog is my co-pilot.
Just 500,000? I know one exploit that's worth a cool few million. ROFL, isn't the WWW fun? Bet you're all glad I don't go round giving knowledge like that out, let alone leave it ANYWHERE near a PC attached to the net.
Canadian National Security's site is on the list. Sigh.
E.
Never rub another man's rhubarb - The Joker
www.safecanada.ca [Canadian National Security]
www.n-somerset.gov.uk [UK Local Government]
events.un.org [United Nations]
www.unicef.org.uk [UNICEF]
This is a list of infected sites; don't click unless you know what you're doing. But I am worried when they're affecting reasonably high traffic sites, whose visitors are not too likely to be running NoScript.
Orbis terrarum est non altus satis
This site makes me sick sometimes. If this were a problem with PHP (which, mind you, it IS), we wouldn't be calling it a "vulnerability".
ASP.net has lots of built-in features to prevent SQL injection attacks (like bind parameters) and the ASP.net DB documentation specifically warns about this type of attack.
Anyone still getting hit with this in 2008 needs to be whacked on the head.
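An added example, not code from the thread or from any of the sites involved, making concrete the point of the post above (bind parameters) and of the earlier post that distinguishes the two cases of unsanitized input: input used to build the query text, and input stored and later echoed as data. It uses Python's sqlite3 with a constructed in-memory users table; the table, its rows and the alert() payload are assumptions for the demonstration. The parameterized form is the same idea as the bind parameters ASP.NET's commands offer.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for a site's user table (demo data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, bio TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret', 'hello')")
    db.commit()
    return db


def login_vulnerable(db, name, password):
    """Case 1, done wrong: the input is pasted into the statement text, so a
    quote in the input changes the shape of the query the database parses."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_parameterized(db, name, password):
    """Case 1, done right: the statement text is a constant; the values are
    bound separately and can never become SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()


def update_bio(db, name, bio):
    """Store user-supplied data (safely bound); what it contains is still
    untrusted when it is later rendered."""
    db.execute("UPDATE users SET bio = ? WHERE name = ?", (bio, name))
    db.commit()


def render_bio_unsafe(db, name):
    """Case 2, done wrong: stored data is echoed straight into HTML."""
    row = db.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return "<p>" + row[0] + "</p>"


def render_bio_escaped(db, name):
    """Case 2, done right: the data is escaped for the context it lands in."""
    row = db.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return "<p>" + html.escape(row[0]) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic tautology; no real password needed
    print(login_vulnerable(db, "alice", payload))     # ('alice',)  -> bypassed
    print(login_parameterized(db, "alice", payload))  # None        -> rejected

    update_bio(db, "alice", "<script>alert(1)</script>")  # constructed payload
    print(render_bio_unsafe(db, "alice"))    # script tag reaches the browser
    print(render_bio_escaped(db, "alice"))   # rendered as harmless text
```

The vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the first user comes back without a password. With a bound parameter the same bytes are compared as a literal password string and match nothing. Note that the storage step in the second case is already parameterized; the remaining problem is output encoding, which a database-side filter cannot fix.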
I would like to remind people to donate to our saviours such as the NoScript people (if you use it)
After reading this article, I'm sending in $5 right now...
...Right
I've read a similar article on theregister.com: Web infection attacks more than 100,000 pages. There are also some interesting discussions over there.
This is a SQL injection, which is not specific to IIS. Any server-side program that fails to validate the input is subjected to this kind of exploit.
Colorless green Cthulhu waits dreaming furiously.
Okay, this is sad on two levels: First, the SQL injection vulnerability is due to sloppiness by the web developers. I've seen this potential problem in code reviewed on many web servers, both Apache as well as IIS. It's well known that if you don't use proper functions to remove escape characters before processing submitted data, getting hacked like this is inevitable.
This has nothing to do with Apache being more secure than IIS (which is true), but truth be told neither web server is responsible for the root of this problem: lazy web development combined with no security review. The other sad part of this is that everyone wants to make websites that are "web 2.0" enabled, requiring lots of JavaScript to make cool but often unnecessary functions. Many top websites (Slashdot.org is an exception, thank god) are UNUSABLE without JavaScript enabled, and this is just poor design. Combined with IE 6/7's inability to use plugins like NoScript, this makes infections like this inevitable for people using IE. I'll grant that disabling ActiveX by default in IE 7 was an improvement, but on many sites which foolishly depended on ActiveX, it caused other issues. Again, web developers need to be more diligent in developing LONG term according to universal usability (W3C compliant) and security.
I constantly tell people to use Firefox, NOT IE, in part because I know JavaScript is currently the big gaping hole in Internet security these days (which this article illustrates). No one, myself included, has time to read every piece of JavaScript code going through their browser, and regular users don't have the book learning to do this themselves, so NoScript is truly a godsend (and I donate to them). But still, it's up to users to be aware, demand that websites be functional without JavaScript, and only use browsers that can check JavaScript for trojan/spyware code. It's also up to developers to take web security a LOT more seriously than they have. For any web developer, SQL injection vulnerabilities like this are EMBARRASSING. It shows rushed work that wasn't properly reviewed or audited.
"Imagination is more important than knowledge" - Einstein
Why do you think he's a developer? He sounds more like a sysadmin to me.
Sure, he should know about SQL injection stuff - but even if he did, would he be able to fix it?
Get your own free personal location tracker
Parent -1 Flamebait. (Actually...it's more Article -1 Flamebait.)
Anyway, as it has already been noted, this problem has nothing specifically to do with the IIS servers.
Two other notes:
FOSS is good, I agree. But FOSS, by default, is not always better than closed source solutions. Making a blanket statement like that is being just as close minded as the opposite camp.
Using M$ to represent Microsoft is soooooooo 1990s.
That one made me laugh. Wasn't that Einstein's definition of insanity? Doing the same thing over and over and expecting different results?
Anyone can make a mistake; forget to taint a variable or something, but when you've obviously got an exploitable bug, you need to fix it, not just constantly rebuild the hacked database, probably losing data every time.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Sure, kid. Hey, I think your mom just called you up for lunch.
Well, Computer Science programs rarely if ever cover SQL, or place it in the same class as web development. So you have kids just out of college with zero SQL experience who get into businesses which are heavily SQL based. As well, many of them are not security minded. They think about what it takes to get it to work and not as much about what it takes to break it. Then there is the issue of funding; pressure to get it done fast can leave such issues wide open.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
OK, story 1 is a SQL injection.
There seems to be a story 2 here: what the trojan will do in a few weeks to all of the IE users who visit these half a million sites.
And, reading some of the links and finding that these trojan-hosting domains are registered in China, there also seems to be a story 3: Chinese hackers are pissed off.
I got hacked shortly after the Hainan Island incident in 2001. That is when the US spy satellite was bumped by a Chinese fighter, and was forced to land on Hainan Island (China). There was much Chinese nationalist anger then, and it was taken out by hacking western sites with "f**k usa!" and the Chinese flag replacing the main page.
Obviously, this hack is contemporaneous with the whole Tibet riots/Olympic torch protests. That's the meat of this story, and that avenue seems unexplored as of yet. Similar to the Russian DDoS of Estonia due to the deprecation of a war statue in 2007: the lesson is that, much like al Qaeda and terrorism, cyber warfare is not so much a tool of any state government, but chest-thumping activity for ultranationalists and religious bigots and other organizations of cultural or national or religious chauvinism. The theme of the 21st century seems to be shaping up as partisan tribalism and extreme ideology reaching beyond the notions of sovereignty and statehood to go to war with each other in novel ways.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
How can you blame them, however? Look at what THIS site (as in Slashdot) is doing. The headline implies that it's an IIS hack. If you read the posts attached to this -very- article, a significant number of people are replying acting like it IS a server issue, related to MS or some such.
When such misconceptions are so pervasive (even in -articles- on a geek web site like here!), obviously newbies are going to be confused all over the place.
It's a bit similar to how there are still so many SQL Server DBAs who think stored procedures are faster by design than dynamic SQL.
Again, this has nothing to do with IIS. I'm being redundant, and MS has done some crappy things in the past, but this is due to poor web site development (specifically SQL injections) and nothing to do with IIS.
English is not my native language, but obviously I can read it better than some people...
THE F-SECURE WEBSITE IS TALKING ABOUT 510,000 MODIFIED PAGES.
THAT DOESN'T MEAN 510,000 WEBSERVERS!!!
OS Security != Application Security
Before you post such a headline, perhaps it would be a good idea to check your facts. I RTFA'ed and checked those links, and there is no mention of how many servers were attacked. There were 510,000 pages mentioned, but pages do not equal servers. This is a sensationalistic headline based on a sensationalistic interpretation of a Google web search.
First, as someone already stated, the vulnerability is in poor software development practice, and is pervasive in all environments, be it MS, Linux, Apache, IIS, PHP, ASP.NET, Java, whatever.
Second, IIS, since version 6, is amazingly secure, comparable with the likes of Apache. It's also the more straightforward platform to use as an ASP.NET server (obviously, unless you're into Mono), or to use along with a lot of fairly interesting technologies, such as TFS, Reporting Services, SharePoint, etc.
On top of that, well, just by having a Windows-based network, IIS is already "pre-configured". That is, aside from web server specific stuff, it's already on your server, can be admin-ed the same way, etc. Adding a box with a different OS, a non-integrated web server, etc., is just overhead.
Same way as, regardless of anything, if you were all Java based, NOT using a Java app server for your web apps would just be overhead, unless you have a damn good reason.
This has nothing to do with IIS, nor does it have anything to do with Windows security flaws, nor does it have anything to do with ASP or ASP.net. It has to do with retarded programmers who don't know how to prevent SQL injection even after it's been heavily publicized.
But this comment isn't going to stop people from posting more of these "lol MS" comments, is it?
I googled this ("script srcscript" | "scriscript" | "scriptscript" )
and found 1,990,000 pages with this same script attack...as for how many servers this represents,
I don't know.
Gee, its 2008 already. Yet you can still search: inurl:.php form and attempt a pathetic SQL injection successfully on about 5% of your results. How pathetic. People should need a licence to write PHP/SQL.
This just goes to show you how much cheap (and clueless) web developers actually cost. This is a problem of laziness.
Actually, LAMP solutions are just as vulnerable to SQL injection attacks in the hands of the wrong web developer. I love LAMP (and Ruby on Rails) and I will take it over ASP.NET any day. But in all fairness (and for the record, in the majority of cases I think Linux/Apache is better than IIS), neither Microsoft nor the Apache team is responsible for this. It's careless developers who take submitted HTML data and send it to the database without proper checking and removal of external SQL code. You can hack either web solution without this basic security check. Just so people are clear, and to be fair to MS (even though they are not the brightest bulbs in security).
"Imagination is more important than knowledge" - Einstein
FTFA: Currently, there is no such protection for IE users, and disallowing Javascript entirely isn't really an option on today's World Wide Web.
Why isn't it really an option? It sure as hell should be. Anyone interested in creating a good, accessible, usable web site would do well to make sure their site works fine without javascript or flash or java or any other embedded tech that could be used to exploit users.
As these sorts of attacks increase in popularity the awareness and education of end-users will increase as well. Eventually browsers will come stock with features similar to noscript and web pages will be loaded, by default, without javascript or any other embedded tech enabled.
More like flipping a coin and expecting it to land on its edge.
i thought once I was found, but it was only a dream.
FUD proliferation. One must spread FUD before Microsoft spreads FUD. Just the other day, Bill Gates himself stated that you cannot make money with GPL'd products (while Redhat and SUSE and IBM and MYSQL and others continually make millions). So while we do ourselves a disservice, the only way to fight FUD is with FUD.
This is my sig. There are many like it but this one is mine.
Yes, but interestingly enough, the targets seem to be IIS servers. The vulnerability is not IIS specific, as SQL injection can happen anywhere, on any platform, if the developer isn't paying attention.
So this prompts the following question: why were only IIS servers targeted, if this wasn't simply an IIS vulnerability? Was this a political statement, an intentional "mudball hack" (tarnishing IIS's reputation), or simply a coincidence: that a lot of poorly trained developers maintain and develop IIS systems, even if there are many talented IIS/ASP.NET developers out there?
Thoughts?
Hmmm.... nihaorr1.com? "Ni Hao" is a greeting, like "Hello" in Chinese. Anyone figure out any meaning behind the other names?
(Other meanings are possible as well, due to the large number of homophones in the language, but this is by far the most obvious meaning.)
From a cursory reading of the forum thread, it seems like IIS was attacked because, once the SQL Injection was made, the attackers relied on ActiveX vulnerabilities (which, I will absolutely agree - ActiveX is crap) and specific Windows applications (Real Player, Yahoo Messenger) to continue the attack.
That, IMO, is why IIS was the focus. Not specifically because of IIS, but an IIS machine is guaranteed to be running on a Windows box.
OK, so SQL Server prior to 2005 wasn't secured well by default, and xp_cmdshell() is like inviting a system-level compromise. But, as others have pointed out, ASP.NET/IIS isn't the only platform affected. In fact, this platform makes it easy to secure your scripts against most attacks, and SQL Server 2k5 and IIS 6 and ASP.NET have added protections as well. On top of that, this platform has never been vulnerable to attacks due to superglobals, or file open functions which allow you to import remote files even if disabled in the config (thanks PHP!), or a host of other things. And if you look at milw0rm.com and other such sites, you will see a majority of SQL injection vulnerabilities come out for open source products with a MySQL back-end these days. So somehow pointing out that this is an IIS problem, and that Firefox will protect you from evil IIS sites, just shows ignorance and bias. I love UNIX, I prefer it over Windows, but I am also grounded in reality. Yes, you will have a lot of compromised IIS servers, because you have a lot of clueless admins who write ASP scripts on their Windows boxes without paying any attention to security. But in those hands, LAMP is just as dangerous, if not even more so.
Side note: (Why was the above poster modded up?)
Admitted newbie question here, but why do people even RUN MS IIS?
Typically, people install MS IIS for a host of mostly good reasons.
1) They are a MS shop. That means they already have a big investment in MS IT training and their developers understand Windows.
2) They're using Microsoft development tools to create other parts of the application and they want the seamless integration that VS.NET and IIS give you. Good luck trying to debug PHP or other applications on Apache. It can be done, but it's not nearly as easy as on Windows.
Windows XP makes a great desktop environment for the office, but where does Microsoft have any business making server software other than Domain Controllers for telling their desktop machines what to do?
By that logic, companies should never be allowed to work on anything other than their cash cow. Good job; you just destroyed capitalism with single sentence!
The real problem is not whether machines think but whether men do. - B.F. Skinner
http://xkcd.com/327/
I got hacked shortly after the Hainan Island incident in 2001. That is when the US spy satellite was bumped by a Chinese fighter, and was forced to land on Hainan Island (China).
:)
Is that the fighter plane with warp drive and photon torpedos?
Sorry to pick on ya dude... it was a US spy plane, not a spy satellite
"All great wisdom is contained in .signature files"
Umm, right then. I sure am glad. Rofful.
That's not "doing the same thing over and over and expecting different results".
Add a healthy dose of misrepresentation, twisting of facts and oh-so-funny exaggeration (the IIS admins are running around in circles, LOLZORZ) and people like you can feel better about yourselves, at least for a few hours.
In the meantime, it's been 5+ years and no one has found an exploitable vulnerability in IIS.
I'm sure FOSS is better off this morning, thanks to kdawson, Slashdot and this type of misguided "advocacy". Might as well have twitter control the content of the front page.
The twitter monologues. Click on my homepage and be amazed.
So much "superstition" in such a small thread... (is there a better word for doing something that you're sure will make things better but doesn't actually do anything at all?)
Blocking URLs containing ;--? (what about ;%20-- or ;+-- or ;%20%20%20%20%20%20--?)
Redirecting the user to Google if they use the word "cast" or "set"? (but not "CaSt"?)
Why not wave dead chickens or throw salt at the server, it'll do just as good.
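An added example (mine, not from the thread) that makes the post's point concrete: a substring blocklist of the kind it describes, applied to the raw request URL, misses trivially re-encoded variants of the same payload and at the same time hits ordinary words. The URLs are constructed for the demonstration, and the decode step stands in for what the ASP page would actually receive after the web server undoes %XX and '+' encoding.

```python
from urllib.parse import unquote_plus

# Rules of the kind listed in the post: fixed substrings matched against the
# request URL (a constructed stand-in, not any real product's filter).
BLOCKLIST = (";--", "cast", "set")


def naive_filter(url):
    """The rule as usually deployed: look for the substrings in the raw URL.
    True means the request would be blocked (or bounced to Google)."""
    return any(bad in url for bad in BLOCKLIST)


def server_sees(url):
    """What the application receives once %XX escapes and '+' are decoded."""
    return unquote_plus(url)


def decoding_filter(url):
    """A 'smarter' rule: decode first and ignore case. Still a blocklist, so
    it still only knows the spellings someone thought of in advance."""
    text = server_sees(url).lower()
    return any(bad in text for bad in BLOCKLIST)


def verdicts(url):
    """Both rules side by side, plus what the app would actually parse."""
    return {
        "naive_blocks": naive_filter(url),
        "decoding_blocks": decoding_filter(url),
        "app_receives": server_sees(url),
    }


if __name__ == "__main__":
    for u in ("/show.asp?id=1;--",          # the one spelling the rule knows
              "/show.asp?id=1;%20--",       # space before the comment
              "/show.asp?id=1;+--",         # '+' is also a space in a query
              "/show.asp?id=1%3B--",        # the semicolon itself encoded
              "/show.asp?id=1;DeClArE+@s",  # mixed case defeats "set"/"cast"
              "/news.asp?q=broadcast",      # legitimate word containing "cast"
              "/user.asp?page=settings"):   # legitimate word containing "set"
        print(u, verdicts(u))
```

Every injected variant reaches the database looking the same to the SQL parser, which tolerates whitespace and case freely, while the filter sees a different byte string each time; meanwhile the same rule blocks a search for "broadcast". That asymmetry is why the only reliable fix sits where the query is built, not in front of the web server.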
If I have been able to see further than others, it is because I bought a pair of binoculars.
Not that it's really excusable, but developers, like everyone else, only have 24 hours in a day.
You can only know so much, and when you consider how vast web development is, from security through to marketing, are you really surprised that not every end is covered properly?
Add skimpy budgets to the mix and what do you expect?
A Google search for "nihaorr1.com" brings up events.un.org as an affected site.
actually, you should be impressed with us spy satellite technology: it can swoop down into the atmosphere for closer looks ;-)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Could someone please tell me what "as per usual" means? Does it mean, "as usual," or "per Usual"? Who is this "Usual" guy?
Gamingmuseum.com: Give your 3D accelerator a rest.
The iis.net forum is full of very interesting posts by windows admins. One guy was hacked no less than 3 times! Each time he just restored his database and thought all was well, and wondered how those dang hackers kept getting in. He even changed his passwords!
This is definitely not how most unix admins would react. If a machine is compromised (via whatever source) then a simple data restore is never good enough, unix admins know. The original vector must be identified and stopped. It's quite the contrast.
I've always maintained that a good unix guy can do anything on windows with a bit of training, but a windows guy will generally be completely out of his element in unix. Not sure why, exactly, as best practices are best practices.
20 years ago it might have been said "It truly sickens me how many developers STILL don't know how to use free()." And now we have garbage collection. Web developers are like anyone else - security awareness falls along a bell curve. You can rail against the bottom half of the curve; or a few people can endeavor to improve the system, and thereby move the whole curve up. Why not just take away text SQL queries from web development environments? But I'm sure someone brighter than I could come up with a better one.
The vulnerability being exploited is documented here and shows it was "last updated" April 23. (two days ago)
My favorite amusement is:
Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Thanks for that. Now that 500k servers got owned maybe you want to move on this sort of thing a little more seriously.
At the bottom they ask, How would you rate the usefulness of this content ? But there's no option for "a little late, eh?"
Though it DOES make me wonder if the publishing of this notice gave the idea to the makers of the malware. Makes a good case for not publishing a known vulnerability until either (1) it's in the wild already, or (2) you have a fix for it. Clearly neither of these was the case on Wednesday.
I work for the Department of Redundancy Department.
Just a few months ago we had to build a small custom CMS for a client, that had to be PHP/MySQL. The specs were very specific, so it had to be custom-built. Since it was relatively small work and we were involved in some bigger projects, we hired a contractor. Good references, a few years of experience, knew JavaScript, so we handed the project to him.
To his credit, the site actually worked and seemed fine, until you had a peek at the PHP code, which was truly horrific. I could overlook the nonsensical use of POST for things where GET was better suited, or the crap variable naming, or the generally inefficient way of doing things, but what really got me was the complete absence of ANY input checking.
Simply put, the whole thing was completely vulnerable to SQL injection of the worst kind. I even checked his other works - all sites he'd ever done were vulnerable.
In the end, I had to spend a few more days myself just to clean the mess.
So, dear reader, if you don't know what SQL injections are - stop coding in whatever language you're using, right now. It doesn't matter if it's Ruby on Rails or ASP.NET. Please, please learn to do things properly. Security is not something you can learn later.
"Just goes to show you how much better Linux, Apache, MySQL, and PHP are than the thousand dollar Windows Server, thousand dollar Microsoft SQL Server, thousand dollar Microsoft ASP.Net development tools!"
You're an idiot. This kind of attack happens on Linux/Apache/PHP all the time.
Several times a year I have had to update my PHP-based apps because of this kind of poor programming in an open source application. I have even had my Linux server hijacked to serve pirate media for a day before I spotted it in my logs.
Those of us that understand this just laugh at fools like you who see software as a religion and not a tool. In the last few years I have run, on the open internet, a Windows server and a Linux server. The Windows server has never been hacked. The Linux one, all the time. But the Linux server has many web applications on it, and that is what happens. The Windows server has only Microsoft applications running on it: web and email servers.
It's not the OS, it's the applications and poor programming.
If you need a religion, go to church or temple. I am tired of religious technology zealots distorting the discussion.
Like expecting the coin to stay up in the air.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Clever troll... or do you just not think before you post?
IIS has its merits, just as Apache does. ASP.NET and other related technologies are a mainstay in the corporate environment whether you agree with it or not. They lend themselves well to rapid application development, and are well supported. Thus, it is cheap and easy to find talent within the field.
Regardless, your hosting platform will do nothing to fix bad code. The platform, in this case, is irrelevant. Don't try to turn this into a soapbox to promote your own biased opinions.
FYI, I run several linux/apache servers as well as IIS/ASP servers. I am not impartial to either, as they each have their place in our environment.
500000 servers! That means all MS servers around the world are compromised! Well... hu... it's sensible, 100% of MS servers are expected to be compromised.
Interestingly (and I've been looking at this attack all day) it seems to overwrite itself in the middle.
Andy
From the Washington Post story referenced in TFA: On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw in IIS was the cause of all the break-ins. When I asked Microsoft whether they'd heard from Panda, or if the hundreds of thousands of sites were hacked via a patched or unpatched flaw in IIS, a spokesman for the company didn't offer much more information.
"Microsoft is currently aware of and is receiving reports regarding public claims of attacks on IIS Web servers," said Bill Sisk, a security response manager at Microsoft, in a statement e-mailed to Security Fix. "While we have not be [sic] contacted directly regarding these reports, we will continue to monitor all reports either publically [sic] shared or responsibly disclosed and investigate once sufficient details are provided. We have not yet determined whether or not these reports are related to Microsoft Security Advisory (951306) released last week."
Maybe there really IS some application that introduces the vulnerability and IIS nothing more than the required server platform. SQL injection has always been thought of as something enabled by poor programming. If this is the case, what might that application be? Whatever it is, it sure is popular because it runs on hundreds of thousands of sites.
Underneath it all, we are talking about either an MS product, or someone else's product that requires IIS. If the infected page count reaches into the millions, I think the finger points back to MS.
Aside from the obvious bias and ignorance on the subject, the real clue that the OP has no idea what he's talking about is that he writes "...an SQL..."
They are because they have an execution plan and do not need to be parsed, syntax checked, etc...
I feel the same way. We can rant all we want, but in the end, programming is going to get done by the cheapest, least-skilled people available. So we need to make the path of least resistance the correct path.
One quick and dirty idea I had for PHP was the following: Imagine a new string-like datatype, the query string. Syntactically, it works like a double-quoted string, but it's delimited by, let's say, [ and ]. Database query functions would only accept this new query-string type.
Concatenating a query string type with a regular string produces a query string type, but with the regular string quoted. String substitutions into a query string (using PHP's $ operator) would quote the strings first.
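An added sketch of the post's proposal (and of the earlier wish to take text SQL queries away from web development environments), written in Python rather than PHP and not code from the thread: a Query type that is the only thing the database function will accept. Query text can only come from literals wrapped in q(), standing in for the post's [ ... ] delimiters; concatenating a plain string onto a Query never extends the SQL but is turned into a bound parameter. The users table is constructed for the demonstration.

```python
import sqlite3


class Query:
    """A SQL fragment: fixed statement text plus the values bound to its
    placeholders. Only instances of this type reach the database."""

    __slots__ = ("sql", "params")

    def __init__(self, sql, params=()):
        self.sql = sql
        self.params = tuple(params)

    def __add__(self, other):
        if isinstance(other, Query):
            # trusted text + trusted text: plain concatenation
            return Query(self.sql + other.sql, self.params + other.params)
        # anything else is data: it becomes a placeholder and a bound value,
        # so it can never change the shape of the statement
        return Query(self.sql + "?", self.params + (other,))

    def __radd__(self, other):
        # "data" + Query: same rule, placeholder goes in front
        return Query("?" + self.sql, (other,) + self.params)


def q(sql):
    """Marks a string literal as trusted query text (the [ ... ] delimiter
    in the post's idea). Only call this on literals, never on user input."""
    return Query(sql)


def run(db, query):
    """The only door to the database: refuses raw strings outright."""
    if not isinstance(query, Query):
        raise TypeError("database functions accept only Query objects, not str")
    return db.execute(query.sql, query.params).fetchall()


def make_db():
    """Constructed demo table; not a real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    db.commit()
    return db


def find_user(db, name, password):
    """Written the 'natural' way, by concatenation, yet injection-proof:
    name and password can only ever be bound values."""
    stmt = (q("SELECT name FROM users WHERE name = ") + name
            + q(" AND password = ") + password)
    return run(db, stmt)


if __name__ == "__main__":
    db = make_db()
    print(find_user(db, "alice", "s3cret"))        # [('alice',)]
    print(find_user(db, "alice", "' OR '1'='1"))   # []  (bound, not parsed)
    try:
        run(db, "SELECT name FROM users")          # raw text is refused
    except TypeError as e:
        print("refused:", e)
```

The developer still "concatenates" the way the careless contractor did, but the type system makes the safe thing the only thing that compiles to a statement. The remaining escape hatch is q() itself: wrapping user input in it reintroduces the original problem, so it should be used only on literals, and that is the one spot a code review has to look at.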
When people laugh at Linux for being an OS with a webserver which hosts compromised web pages.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
The SQL injection attacks come from 219.153.46.28
which geolocates to China.
There is nothing unsubstantiated or rumor about it. Western sites are being attacked from China while Han anti-Western ultranationalism rages.
There is a difference between being impartial and being blind. These attacks are most definitely related to the torch protest and the Tibet riots.
It's about reality, not probability. If you throw a coin up, it will come down. Throwing it over and over, and expecting to suddenly not come down, is a good example. Yet, for some reason, I read comments every day, and still expect that everyone will "get it". Insanity indeed.
Just another ignorant American.
This is exactly what happens when you have a bunch of idiots running webservers. Come on people, it is not that hard to keep up with your updates...morons. For example, my site has been reviewed for security flaws by many, and has never had any problems, even with the php and MySql. Simply because I keep up with the patches. See for yourself: www.onesullivan.com
However, it is now abundantly clear that the attack is NOT ASP-specific, and just because one of the vectors it tries is based on ActiveX does NOT mean it doesn't try other methods. It only means that the people who spotted it early spotted it trying that method. Although it's unlikely to have an attack library for multiple OS', it would be surprising if it didn't have some alternative action for when ActiveX isn't available.
I'm concerned about the number of Government sites that have been shown to be vulnerable, especially (as has been commented by others on Slashdot) a Canadian site dealing with national security. This attack is unlikely to cause any particular lasting harm, but stop and think. These are the sorts of sites that actually need to be secure. Even if not directly connected to internal secure networks (and I'd be willing to bet that far more are than are supposed to be), they are high-profile and for that reason alone are likely to be much more at-risk than other sites.
Most smaller websites are just point-of-presence and information sites. It's an irritant if they vanish for a while, but it's unlikely to hurt anything. Nobody is going to die if a blog site isn't available for an hour or so, unless they're a serious addict. No small vendor is going to lose business if their PDF datasheets aren't reachable for a little while. Adult sites risk making a one or two percent loss of webcam income out of their steady stream of millions. I seriously doubt anyone from the United Methodist church will suddenly become Mormon or Catholic because their primary website was hit.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The real puzzle for me is *why* they haven't fixed the overwrite (unless it's a deliberate way of slowing growth).
Andy
Though it was a cross-site scripting and caused his web page to be redirected to Hillary Clinton's... http://www.usatoday.com/tech/news/computersecurity/hacking/2008-04-24-obama-website-hack_N.htm
Even DBAs seem to miss that, but it is well documented, and easy to benchmark. There is no difference between how compilation/execution plan/caching/parsing/checking/blahblahblah is done between an SP and a prepared statement. It is done the first time the query or the SP is -executed-, and it's cached for all later executions as long as the only difference between queries is the filters (where clause, etc) and some other minor differences.
the summary didn't say if this was a MS SQL or My SQL attack. Picking on the MS server is the sub story. The attack was a SQL exploit. The data in the headline was pretty thin. It almost looks like a MS IIS server bash attempt instead of a story about an SQL exploit. How about better reporting?
Reading to the bottom of the article is the important stuff that should have been at the top.
"UPDATE: We've been receiving some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS webserver and Microsoft SQL Server being hit. "
It is MS SQL on IIS server that is the attack.
so to answer your question "does it run on Linux?"; the answer is it runs on Microsoft IIS server and Microsoft SQL Server.
The truth shall set you free!
Oh, here. Nevermind.
Invenio via vel creo
>> Plus, Google is hardly a live metric for the state of the internet.
You lost me there, can we go back a bit?
"better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07
In other words, it's a story perfectly suited for Slashdot and Slashdot's primary audience.
IIS has no part in resisting SQL injection attacks - it passes data to the application underneath and that app is responsible for properly escaping it before talking to the database *if* you're going to graft user data into SQL commands. And you shouldn't be - you should really be coding against stored procedures on any platform, particularly MS platforms which have supported them forever and because you get better performance that way, and you can invoke the stored procedures passing parameters directly without having to escape them at all - there's good APIs for all of that. And you should probably revoke the application user's permission to the reflection tables anyway if you can.
So now you are blaming SQL Injection on Microsoft? Get a life.
Fucking idiot.
Well, the real question is what top layer language and application server were they using? Since this is Lemming-land where people like to "get everything from only one vendor" there is a significant chance that some bit of Microsoft technology is to blame.
A Pirate and a Puritan look the same on a balance sheet.
Ha, take that PHP haters .... this one is not caused by a n00b using PHP, it is caused by n00b using ASP.
Wait a minute.... could that possibly mean that PHP/ASP is not at fault when this stuff happens but the programmer(s)... where is this world coming to when the language can not be blamed anymore?
Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
I am a member of that forum (Microsoft's official IIS portal, not merely "one of the many IIS forums on the 'net.") and have posted in that thread a few times. Initially it was very confusing as to what was happening - hence why I suggested it may be an asp vulnerability as it only seems to affect asp pages. It has not happened to any of my servers. Now it has become clearer that it is an SQL injection attack but I think in conjunction with asp pages probably via forms. Many of the posters in that thread are first timers that have little idea what is happening and not experienced hosting admins. True it is funny to see them suffer from you slashdotters. Speaking as an IIS admin there is little we can do directly. SQL injection is something that I blame slack devs for and will continue to. That and companies having little to no budget for decent IIS admin/devs.
I came across this on an orphaned web server at one of our customers a little over two weeks ago.
Interestingly, the js downloader didn't actually work, due to some malformed URLs.
funny part is its not mine but it just started working again about 6 months ago nice to have such a wonderful selection to try and see if they do or don't work haha CHRoNoSS
It is not always the individual developers fault. Clients and managers rarely want to pay for overhaul of their legacy code that a developer inherits even if it is explained to them how insecure it is. Often they would rather add another pointless widget than make the small investment to fix vulnerabilities. Best make sure your back is covered when the s hits the f.
"500 Thousand"
What an obnoxious headline. Either go with the numeric representation of the number (500,000) or spell it out properly (five hundred thousand). Didn't your English teacher tell you not to mix and match?
For it to have hit 500K sites I'd assume they're all using the same toolkit/framework for their apps.
In conclusion much as I enjoy abusing MS this hasn't been proven to be their fault yet, and I'd assume it's a poorly coded toolkit from some company that's about to lose a lot of custom.
"Linux is for noobs"-The new MS fud strategy
What do you do then?
With the Magic Quotes feature (on by default), PHP is unconditionally safe against SQL injection. All input data (GET,POST,COOKIES) are automatically parsed to backslash-escape single-quote, double-quote, and backslash. So, you can just use the input data, and never worry about compromise. (In my view, this is a very good idea, and the fail-safe nature is well worth the slight inconvenience of having to occasionally remember to call stripslashes() if your data is not going to end up in a database.)
What I cannot understand is why magic-quotes has been deprecated for PHP-6. Can anyone explain?
BTW, I'm not convinced by the advantages of stored procedures. Yes, they save you from SQL-injection risk (similar to magic-quotes), but the complexity of the resulting code is higher, and the readability is lower. Debugging complex queries is hard enough already!
Isn't Bill Gates one of the richest people in the world and isn't Microsoft a global Fortune 100 company?
I mean, where's the argumentum ad crumenam logical phallacy for all the MS fanbois when they need it?
Wow. Just wow.
The ActiveX vulnerabilities exploited are on the CLIENT. An IIS machine is not guaranteed to only be visited by Windows users. The server software has nothing to do with it (other than the prevalence of moronic ASP developers who don't validate anything).
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
In the meantime, it's been 5+ years and no one has found an exploitable vulnerability in IIS.
What fantasy world do you live on? The rest of us see something different.
You can answer when you're done trolling with a user name that looks suspiciously like mine. And isn't that amusing.
The twitter monologues. Click on my homepage and be amazed.
Ah, but it assumes you can comprehend the intended meaning. Of course, we do realize you're not Einstein.
Just another ignorant American.
I can "comprehend the intended meaning" just fine. I am just pointing out it's a really bad saying, because a good saying will say what it means, without any need to second-guess it.
It could have been more entertaining if it had done a fetch from any tables where it finds a field named user, pass, ssn etc, combined the results and wrote it to all text fields in all tables.
Got Code?
You can have SQL injection problems just as easy in stored procedures as you can in plain old code. Look at this example (pardon the probably incorrect syntax):
CREATE PROCEDURE GetUserTelePhone @UserName varchar(50)
AS
BEGIN
    DECLARE @sql varchar(300)
    -- The parameter is concatenated into the statement text, so the procedure
    -- is just as injectable as inline SQL would be.
    SET @sql = 'SELECT TelePhone FROM Users WHERE UserName=''' + @UserName + ''''
    EXEC(@sql)
END
See, there you go, completely open to sql injection, and it's a stored procedure. The problem isn't that people aren't using stored procedures, it's that people are creating queries which result from the concatenation of strings and variables, which invariably leaves them open to attack. A much better way to do things, is to use prepared queries, either in you stored procedures, or just using prepared queries directly in the code.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
You can't depend on developers any more, they are just doing the shit the easy way, no code checking, no code assessment, the business needs are more important than spending hours and hours trying to figure out where are the bugs!??? 80% of web developers are just careless. My advice is keep your windows servers up-to-date. And deploy a web app firewall from vendors like F5 or Citrix. Blocking these kinds of attacks at the gateway is faster and will cover all of the vulnerable applications. check out my blog here: http://extremesecurity.blogspot.com/2008/04/un-site-took-injection.html
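The gateway-side blocking the comment above recommends, as an added example that is not from the commenter or any WAF vendor: a small Python scanner that URL-decodes the query string of each request and flags the structural markers of an injection attempt (a semicolon followed by a new statement, an always-true comparison, a comment terminator). The log lines are constructed in IIS W3C style with documentation-range IP addresses and are not real traffic; the signature list is an illustrative minimum, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Not real traffic; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2008-04-25 10:01:02 198.51.100.7 GET /news.asp id=42 200
2008-04-25 10:01:05 198.51.100.7 GET /news.asp id=42;DECLARE+@s+varchar(4000) 200
2008-04-25 10:02:10 203.0.113.9 GET /search.asp q=%27+OR+1%3D1-- 200
2008-04-25 10:03:00 203.0.113.9 GET /page.asp id=7%3Bexec(%27update+t+set+x%3D%27)+-- 500
2008-04-25 10:04:00 192.0.2.5 GET /about.asp - 200
"""

# Each signature targets statement structure rather than a specific payload string,
# so it keeps matching when the attacker changes table names or encoding.
SIGNATURES = [
    ("stacked statement",
     re.compile(r";\s*(declare|exec(ute)?|insert|update|delete|drop|cast)\b", re.I)),
    ("tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I)),
    ("comment terminator", re.compile(r"--|/\*")),
]


def classify_query(raw_query):
    """Return the names of all signatures matched by one (still URL-encoded) query string."""
    decoded = unquote_plus(raw_query)  # decode first, or %3B hides the semicolon
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text):
    """Yield (client ip, path, matched signatures) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] == "-":  # no query string to inspect
            continue
        ip, path, query = fields[2], fields[4], fields[5]
        names = classify_query(query)
        if names:
            hits.append((ip, path, names))
    return hits


if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(names)}")
```

A gateway filter of this kind is a safety net rather than a fix: it catches requests the application should never have trusted in the first place, and the same classification run over historical logs shows which applications were being probed before the filter went in.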
In PHP for example, is mysql_real_escape_string() b0rken, or does it still do the job it's supposed to do? You can't be telling me there are actually people literally doing this:
mysql_query("SELECT * FROM tbl WHERE user = {$_GET['username']}");
Unless there is a problem with the escaping functions, I do not understand how "sql injection" can possibly be an issue in any application... anyone coding scripts that are vulnerable to sql injection should not be programming, period. Unless there are internal issues with escaping functions, the idea of sql injection is absurd.
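An added example, not from the commenters, bearing on both the magic-quotes comment earlier and the question just above about whether the escaping functions do their job: escaping functions work only for the context they were written for, a value between single quotes. The snippet above puts the value in an unquoted position, exactly where quote-escaping has nothing to escape. The Python below uses sqlite3 as the database and a hypothetical escape_string() that follows SQLite's quoting convention (doubling single quotes) in the role mysql_real_escape_string() plays for MySQL; the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample rows (hypothetical data).
USERS = [(1, "alice", "555-0100"), (2, "bob", "555-0199"), (3, "carol", "555-0123")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def escape_string(value):
    """Quote-context escaping (SQLite convention: double every single quote).

    Correct ONLY when the result is placed between single quotes in the statement.
    """
    return value.replace("'", "''")


def phones_by_name_escaped(conn, name):
    # Escaping in its proper context: the value sits inside quotes.
    sql = "SELECT phone FROM users WHERE name = '" + escape_string(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def phones_by_id_escaped(conn, user_id):
    # Same escaping, but the value lands in an unquoted numeric position,
    # so a payload that contains no quote at all passes through unchanged.
    sql = "SELECT phone FROM users WHERE id = " + escape_string(user_id)
    return [row[0] for row in conn.execute(sql)]


def phones_by_id_bound(conn, user_id):
    # Parameter binding: the value is sent as data, never parsed as SQL,
    # regardless of whether the column is text or numeric.
    return [row[0] for row in conn.execute(
        "SELECT phone FROM users WHERE id = ?", (user_id,))]


if __name__ == "__main__":
    db = make_db()
    print(phones_by_name_escaped(db, "' OR '1'='1"))   # [] : escaping held
    print(phones_by_id_escaped(db, "2 OR 1=1"))        # every phone : escaping did nothing
    print(phones_by_id_bound(db, "2 OR 1=1"))          # [] : bound value does not match any id
```

The practical rule this illustrates: escaping is a property of one textual context, while binding is a property of the interface, which is why the answer to "is the escaping function broken?" can be "no" and the application can still be injectable.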
Here is the truth on this folks. :)
http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx
http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection
it also says this important thing:
"Note that MySQL does not allow stacking of queries so the ;DELETE FROM table attack would not work anyway"
Hackers have long memories. It works both ways.
> IIS has no part in resisting SQL injection attacks - it passes data to the application
> underneath and that app is responsible for properly escaping it before talking to the database
Almost. The app is responsible, but the actual app code itself shouldn't have to manually do the escaping, because the database interface library it's using should be doing that automatically whenever parameters are bound. (The app does have to be responsible to pass user-supplied data as bound arguments, though, rather than interpolating it directly into the SQL.)
> *if* you're going to graft user data into SQL commands. And you shouldn't be
No, you shouldn't be. User data should be passed to the database interface as bound variables.
> And you shouldn't be - you should really be coding against stored procedures
No, you should be using an abstraction layer library. You shouldn't need to have any SQL, *including* stored procedure calls, embedded directly in the main code of the application itself. All of that should be in the abstraction layer library. (The abstraction layer may be prefab, like an ORM, or it may be a specifically crafted custom abstraction layer designed to meet the particular needs of the application. But it should be isolated from the rest of the application code so that the database guys can review it and maintain it without having to troll through all the application code, and also so that non-database programmers maintaining the bulk of the application codebase don't have to mess with it in detail.)
As for stored procedures, they are overused. The most common thing I've seen them used for is to embed application logic in the database, which is an inherently bad idea and harms maintainability severely. I'm not saying they can't ever have a valid use, but they *certainly* should not be used as a panacea for all database access. That's just wrong in so many ways I don't know where to start.
Cut that out, or I will ship you to Norilsk in a box.
the answer is it runs on Microsoft IIS server and Microsoft SQL Server.
Microsoft's technical team was taken by surprise, giving them fresh hope that they, too, can develop software which runs on Microsoft IIS server and Microsoft SQL Server.
SQL Server is far more vulnerable to this kind of attack because of the way it allows multiple statements to be parsed and executed together. In Oracle for example, this attack could never have occurred because multiple statement execution requires creating a PL/SQL block that starts with a "begin" and terminates with an "end". Whereas in SQL Server any unvalidated semicolon is sufficient to start a new statement.
That doesn't mean that Oracle and most other databases are invulnerable to SQL injection, but rather that insecure web applications that use them are much less likely to be exploited than those that use SQL Server are. With most databases and a typical insecure web application, a thoughtful attacker can usually only compromise the database piecemeal. With SQL Server and an insecure web app it's game over without a second thought.
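The "piecemeal versus game over" distinction above, as an added example that is not from the commenter: the same injectable concatenation is sent once through an interface that accepts exactly one statement per call and once through one that runs every statement in the string. Python's sqlite3 module offers both (execute() refuses a batch, executescript() runs it), so it serves here as a stand-in for the difference the comment draws between databases; the table and payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "555-0100"), ("bob", "555-0199")])
    conn.commit()
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def build_vulnerable_sql(name):
    """The injectable pattern the thread is about: user data pasted into the statement text."""
    return "SELECT phone FROM users WHERE name = '" + name + "'"


def lookup_single_statement(conn, name):
    """Vulnerable text through an interface that takes ONE statement per call.

    A stacked '; DELETE ...' payload is rejected as a whole, so the attacker is
    limited to what a single SELECT can be bent into returning (the piecemeal
    case). Returns None when the interface refuses the batch.
    """
    try:
        return sorted(row[0] for row in conn.execute(build_vulnerable_sql(name)))
    except (sqlite3.Warning, sqlite3.Error):  # "You can only execute one statement at a time."
        return None


def lookup_batch(conn, name):
    """Same vulnerable text through an interface that runs every statement in the string.

    Stands in for a server that executes whatever follows an unvalidated semicolon.
    Returns the number of users left afterwards so the damage is visible.
    """
    conn.executescript(build_vulnerable_sql(name))
    return count_users(conn)


if __name__ == "__main__":
    db = make_db()
    print(lookup_single_statement(db, "' OR '1'='1"))          # leaks every phone, nothing else
    print(lookup_single_statement(db, "x'; DELETE FROM users; --"))  # None: batch refused
    print(lookup_batch(db, "x'; DELETE FROM users; --"))       # 0: table emptied
```

Neither interface makes the concatenation acceptable; the single-statement one merely caps the blast radius at what one query can disclose, which is the comment's point about why the same application bug ends differently on different servers.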
Why not just take away text SQL queries from web development environments?
it's all they have.