500 Thousand MS Web Servers Hacked

andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."

Bias?

[jmpeax]

SQL injection is a result of poor data validation on the part of the web application - not, as the blurb implies, an indicator of an insecure web server. LAMP installations are also susceptible to SQL injection (PDF). From TFA:

Unless [...] data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. As for the fact that Firefox + NoScript prevents the problems, that really isn't a surprise seeing as these specific exploits rely on executing a JScript. Any browser with scripting disabled would be immune.

The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.

Re:Bias?

[Mia'cova]

The blurb completely misquotes the article. The article clearly states pages as reported by google. Plus, Google is hardly a live metric for the state of the internet. It really gives us a very poor estimate of how much impact this is having.

Also, which browsers are affected? It sounds like most of the exploits being used against the browsers have already been patched. Is there a new one there?

Re:Bias?

[Col.+Klink+(retired)]

> "Wtf does IIS have to do with SQL injection". RTFA:

the attackers looked for ASP or ASPX pages containing any type of querystring

This specific attack, of which google has found over half a million affected pages, is targeted at IIS.

Re:Bias?

[Facetious]

The admins on the ground seem to disagree with you. From that page, "Our initial investigations are pointing at an attack through IIS using ASP in an overload."

Re:epic lol

[James+Kilton]

Wow. The responses on the forum http://forums.iis.net/t/1148917.aspx?PageIndex=1 are sad indeed. Windows Security patches DON'T protect against shittily built websites. My favorite:

I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwritten that script into all of your products. Luckily a database restore fixed the problem. Two days later the same thing happened, I have changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing but this time as the pages are loaded ActivX is activated and wants to run but of course I did not allow it. Anybody has successfully solved this situation? It truely sickens me how many web developers STILL don't know about SQL Injection.

500,000? Where'd that number come from?

[Robotron2084]

Before you post such a headline, perhaps it would be a good idea to check your facts. I RTFA'ed and checked those links and there is no mention of how many servers were attacked. There were 510,000 pages mentioned, but pages do not equal servers. This a sensationalistic headline based on a sensationalistic interpretation of a Google web search.

Re:So this isn't an IIS attack at all.

[SatanicPuppy]

There are several smart things that need to be done to protect yourself.

Restrict the account that is used to access the database to the absolute minimum permissions it needs to run; using one set of credentials for insert/update/delete and another for selects is enough to foil a lot of exploits (I actually never allow deletes, just out of paranoia...I just update the record with an "inactive" flag, and purge them later with a local account).

For gods sake, don't allow a single account to access multiple databases, and even within the database make sure it only has access to the tables you're going to be using. I've seen more than a few MySQL injections that just dump the user table to the screen because some joker didn't think he needed to restrict access for "SELECT" statements.

Escape ALL data that comes from userland. This is your first line of defense, and it's where most people screw up. If you let an escape character past without it being escaped, your only protection is the privileges associated with the user account.

Abstract your data methods. If you just throw out random SQL queries all through your code, you're going to make a mistake somewhere. Make a single method that does your selects. Make a single method that does your inserts, etc. If it's only in ONE PLACE you can go over the code in extreme detail. If the queries are scattered through the code, you can't.

This is all just best practice stuff. The most important thing is to PAY ATTENTION and remember that one unsecured account can screw your entire server.

Re:ob...

[mhall119]

Obligatory link:
http://xkcd.com/327/