Slashdot Mirror
500 Thousand MS Web Servers Hacked
andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
Does it run on linux.
Unless [...] data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. As for the fact that Firefox + NoScript prevents the problems, that really isn't a surprise seeing as these specific exploits rely on executing a JScript. Any browser with scripting disabled would be immune.
The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.
Amnesty International
Lolicious.
I once spend an hour trying to explain IIS/MS SQL Server admin what PHP/MySQL addslashes()/mysql_escape_string() do - all to no avail. He was absolutely sure it is sufficient to like in VB surround any string with single quotes and it all will be fine.
Now seeing that it's real fun for guys, I can only laugh.
All hope abandon ye who enter here.
PHP has pretty much fixed SQL injection hacks, at least for MySQL, something TFA you quote mentions on page 74. Given that this is the majority combination on web-facing machines, shouldn't that blunt the "LAMP installations are also susceptible to SQL injection" if only by quantity? I mean, I agree with your counter-FUD reasoning, but it seems to me that this blunts your whole sentence, MySQL+PHP being two pillars (and the last half) of LAMP.
Dog is my co-pilot.
This site makes me sick sometimes. If this were a problem with PHP (which, mind you, it IS), we wouldn't be calling it a "vulnerability".
ASP.net has lots of built-in features to prevent SQL injection attacks (like bind parameters) and the ASP.net DB documentation specifically warns about this type of attack.
Anyone still getting hit with this in 2008 needs to be whacked on the head.
You don't even need to sanitize database input. Just use freagin prepared statements. There's no cleanup or validation necessary (for this particular vulnerability I mean, that is, sql injection).
http://xkcd.com/327/
I've read a similar article on theregister.com: Web infection attacks more than 100,000 pages. There are also some interesting discussions over there.
This is a SQL injection, which is not specific to IIS. Any server-side program that fails to validate the input is subjected to this kind of exploit.
Colorless green Cthulhu waits dreaming furiously.
Why do you think he's a developer? He sounds more like a sysadmin to me.
Sure, he should know about SQL injection stuff - but even if he did, would he be able to fix it?
Get your own free personal location tracker
Parent -1 Flamebait. (Actually...it's more Article -1 Flamebait.)
Anyway, as it has already been noted, this problem has nothing specifically to do with the IIS servers.
Two other notes:
FOSS is good, I agree. But FOSS, by default, is not always better than closed source solutions. Making a blanket statement like that is being just as close minded as the opposite camp.
Using M$ to represent Microsoft is soooooooo 1990s.
And I'm sure you meant Turkey.(http://en.wikipedia.org/wiki/Troy).
... whenever a text is transmitted, variation occurs. This is because human beings are careless, fallible, and occasiona
ok, story 1 is a sql injection
there seems to be a story 2 here: what the trojan will do in a few weeks to all of the IE users who visit these half a million sites
and, reading some of the links and finding that these trojan hosting domains are registered in china, there also seems to be a story 3: chinese hackers are pissed off
i got hacked shortly after the hainan island incident in 2001. that is when the us spy satellite was bumped a chinese fighter, and was forced to land on hainan island (china). there was much chinese nationalist anger then, and it was taken out by hacking western sites with "f**k usa!" and the chinese flag replacing the main page
obviously, this hack is contemporaneous with the whole tibet riots/ olympic torch protests. that's the meat of this story, and that avenue seems unexplored as of yet. similar to the russian ddos of estonia due to the deprecation of a war statue in 2007: the lesson is that, much like al qaeda and terrorism, cyber warfare is not so much a tool of any state government, but chest-thumping activity for ultranationalists and religious bigots and other organizations of cultural or national or religious chauvinism. the theme of the 21st century seems to be shaping up as partisan tribalism and extreme ideology reaching beyond the notions of sovereignty, statehood to go to war with each other in a novel ways
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
How can you blame them however? Look at what THIS site (as in Slashdot) is doing. The headline implies that its an IIS hack. If you read the posts attached to this -very- article, a significant amount of people are replying acting like it IS a server issue, related to MS or some such.
When such misconceptions are so pervasive (even in -articles- on a geek web site like here!), obviously newbies are going to be confused all over the place.
Its a bit similar on how there's still so many SQL Server DBAs who think stored procedures are faster by design than dynamic SQL.
Before you post such a headline, perhaps it would be a good idea to check your facts. I RTFA'ed and checked those links and there is no mention of how many servers were attacked. There were 510,000 pages mentioned, but pages do not equal servers. This a sensationalistic headline based on a sensationalistic interpretation of a Google web search.
I agree there's no excuse for it, but in your second paragraph I don't agree with your logic 'til the final parenthetical remark.
In development, it often IS simpler to start with a single hardcoded SQL query (probably cut and paste from your DB tool, and then if your language supports + or . for string concat, it's easier to just do a "+variablename+" where the hardcoded value was -- plus, it keeps the flow of the SQL 'sentence' in correct order, rather than that kind of weird "sprintf()"ness you get when you have placeholder ?s in your string and a list of variables at the end.
Mind you, I'm not defending this; it's still a D,U,M thing to do, but also it is a lazier route, it doesn't really "take more time to develop, harder to read and maintain" like you said.
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
There are several smart things that need to be done to protect yourself.
Restrict the account that is used to access the database to the absolute minimum permissions it needs to run; using one set of credentials for insert/update/delete and another for selects is enough to foil a lot of exploits (I actually never allow deletes, just out of paranoia...I just update the record with an "inactive" flag, and purge them later with a local account).
For gods sake, don't allow a single account to access multiple databases, and even within the database make sure it only has access to the tables you're going to be using. I've seen more than a few MySQL injections that just dump the user table to the screen because some joker didn't think he needed to restrict access for "SELECT" statements.
Escape ALL data that comes from userland. This is your first line of defense, and it's where most people screw up. If you let an escape character past without it being escaped, your only protection is the privileges associated with the user account.
Abstract your data methods. If you just throw out random SQL queries all through your code, you're going to make a mistake somewhere. Make a single method that does your selects. Make a single method that does your inserts, etc. If it's only in ONE PLACE you can go over the code in extreme detail. If the queries are scattered through the code, you can't.
This is all just best practice stuff. The most important thing is to PAY ATTENTION and remember that one unsecured account can screw your entire server.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Hmmm.... nihaorr1.com? "Ni Hao" is a greating, like "Hello" in Chinese. Anyone figure out any meaning behind the other names?
(Other meanings are possible as well, due to the large number of homophones in the language, but this is by far the most obvious meaning.)
OK, so SQL Server prior to 2005 wasn't secured well by default, and xp_cmdshell() is like inviting a system-level compromise. But, as others have pointed out, ASP.NET/IIS isn't the only platform affected. In fact, this platform makes it easy to secure your scripts against most attacks, ans SQL Server 2k5 and IIS 6 and ASP.Net have added protections as well. On top of that, this platform has never been vulnerable to attacks due to superglobals, of file open functions which allow you to import remote files, even if disabled in the config (thanks PHP!) or a host of other things. And if you look at milw0rm.com and other such sites, you will see a majority of SQL injection vulnerabilities come out for open source products with a mySQL back-end these days. So somehow pointing out that this is an IIS problem, and that Firefox will protect you from evil IIS sites, just shows ignorance and bias. I love UNIX, I preffer it over Windows, but I am also grounded in reality. Yes, you will have a lot of compromised IIS servers, because you have a lot of clueless admins who write ASP scripts on their Windows boxes without paying any attention to security. But in those hands, LAMP is just as dangerous, if not even more so.
I got hacked shortly after the hainan island incident in 2001. that is when the us spy satellite was bumped a chinese fighter, and was forced to land on hainan island (china).
:)
Is that the fighter plane with warp drive and photon torpedos?
Sorry to pick on ya dude... it was a US spy plane, not a spy satellite
"All great wisdom is contained in .signature files"
Add a healthy dose of misrepresentation, twisting of facts and oh-so-funny exaggeration (the IIS admins are running around in circles, LOLZORZ) and people like you can feel better about yourselves, at least for a few hours.
In the meantime, it's been 5+ years and no one has found an exploitable vulnerability in IIS.
I'm sure FOSS is better off this morning, thanks to kdawson, Slashdot and this type of misguided "advocacy". Might as well have twitter control the content of the front page.
The twitter monologues. Click on my homepage and be amazed.
A Google search for "nihaorr1.com" brings up events.un.org as an affected site.
It's about reality, not probability. If you throw a coin up, it will come down. Throwing it over and over, and expecting to suddenly not come down, is a good example. Yet, for some reason, I read comments every day, and still expect that everyone will "get it". Insanity indeed.
Just another ignorant American.
However, it is now abundantly clear that the attack is NOT ASP-specific, and just because one of the vectors it tries is based on ActiveX does NOT mean it doesn't try other methods. It only means that the people who spotted it early spotted it trying that method. Although it's unlikely to have an attack library for multiple OS', it would be surprising if it didn't have some alternative action for when ActiveX isn't available.
I'm concerned about the number of Government sites that have been shown to be vulnerable, especially (as has been commented by others on Slashdot) a Canadian site dealing with national security. This attack is unlikely to cause any particular lasting harm, but stop and think. These are the sorts of sites that actually need to be secure. Even if not directly connected to internal secure networks (and I'd be willing to bet that far more are than are supposed to be), they are high-profile and for that reason alone are likely to be much more at-risk than other sites.
Most smaller websites are just point-of-presence and information sites. It's an irritant if they vanish for a while, but it's unlikely to hurt anything. Nobody is going to die if a blog site isn't available for an hour or so, unless they're a serious addict. No small vendor is going to lose business if their PDF datasheets aren't reachable for a little while. Adult sites risk making a one or two percent loss of webcam income out of their steady stream of millions. I seriously doubt anyone from the United Methodist church will suddenly become Mormon or Catholic because their primary website was hit.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
From an ex-user of Panda Antivirus, take what they say with a pinch of salt.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
You can have SQL injection problems just as easy in stored procedures as you can in plain old code. Look at this example (pardon the probably incorrect syntax):
Create Procedure GetUserTelePhone(@UserName varchar(50))
Begin
Declare @sql varchar(300)
Set @sql = 'SELECT TelePhone From Users where UserName=''' + @UserName + ''''
return exec(@sql)
END
See, there you go, completely open to sql injection, and it's a stored procedure. The problem isn't that people aren't using stored procedures, it's that people are creating queries which result from the concatenation of strings and variables, which invariably leaves them open to attack. A much better way to do things, is to use prepared queries, either in you stored procedures, or just using prepared queries directly in the code.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
the answer is it runs on Microsoft IIS server and Microsoft SQL Server.
Microsoft's technical team was taken by surprise, giving them fresh hope that they, too, can develop software which runs on Microsoft IIS server and Microsoft SQL Server.