Slashdot Mirror

← Back to Stories (view on slashdot.org)

Relentless Web Attack Hard To Kill

Posted by kdawson on from the stay-dead-willya dept.

ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."

15 of 218 comments (clear)

  1. noscript by Manfre · · Score: 5, Informative

    NoScript is one of the best ways to avoid viruses that are distributed from the web.

    1. Re:noscript by RpiMatty · · Score: 1, Informative

      SO WHY CAN'T YOU WHITELIST THE SITE THAT YOU HAVE TO SUPPORT? Along with any other sites you support?

      Its not that hard to build up a whitelist. The first time you visit a "trusted" or regular site, add it to the white list. Does it have any subdomains, or "partner" domains that you also need to add? Go ahead and add them.

      So many people complain about how NoScript breaks pages, but its really not that hard at all to setup a whitelist.

      Now when your redirected/accidentally click on a link to dgdrklgdr.com/e3rer it can't run any javascript on your pc.

    2. Re:noscript by Manfre · · Score: 3, Informative

      I've been developing with ASP.NET (c#) since its initial beta and am very familiar with how it functions. This discussion would go a bit smoother if you would read a comment before replying to it. Noscript prevents javascript from loading on any site, until the site is explicitly given permission by the user. Approve your CRM domain(s), which will allow it to work properly. Then if it is compromised, noscript will block the javascript on the destination domain. If your server is compromised to the point where it is hosting exploits, then the IT staff needs to spend a bit more effort patching and locking things down. Noscript is not the only protection that should be used, but it greatly helps. It's like driving a car a little bit slower. You've still got a seatbelt to help keep you alive, but you should be less likely to hit something.

    3. Re:noscript by Anonymous Coward · · Score: 1, Informative

      It's really irritating because it always brings up their website every time it gets updated

      Easily fixable: about:config -> noscript.firstRunRedirection = false

  2. Re:Kaspersky by mfh · · Score: 4, Informative

    Kaspersky is so brilliant, it locks up every time I try to do anything with it.

    Then again, my AVG hasn't updated properly all week...

    You're not supposed to run them at the same time. They fight for control and eventually stalemate. Uninstall AVG and reinstall Kaspersky, but by now you may have damaged your system configuration. Kaspersky is pretty brutal if it gets unhinged, but it's unstoppable if you get it configured correctly.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  3. Re:Whatever happened by compro01 · · Score: 2, Informative

    AFAICT, they are patching the hole, they're just finding even more holes of the same type.

    --
    upon the advice of my lawyer, i have no sig at this time
  4. Re:first post by martinw89 · · Score: 2, Informative

    Don't worry, your "-1 fail"® moderation is being applied at this moment. Thank you for using Slashdot©, please come again.

  5. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  6. Re:This disgusts me by NNKK · · Score: 4, Informative

    You're right, you're no programmer. Go read up:

    http://en.wikipedia.org/wiki/SQL_injection

    Prepared (or parametrized) statements are an easy and absolute defense against SQL injection attacks. The OP is right, the fact that such attacks still succeed is disgusting and inexcusable.

  7. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  8. No, it's not. by Bearhouse · · Score: 3, Informative

    Your're right to publicise a good product that I also use and reccommend. However:

    Most people that get caught by malware don't understand all these arcane details.

    Most people use IE, (no noscript here..) and blindly click 'OK' when they cannot see the porn.

    Bad web sites / pages don't just install viruses.*

  9. Re:Install a proxy by merreborn · · Score: 3, Informative

    mod_security is a reactive security measure. It's blacklist based, which makes the classic error of attempting to "enumerate badness".

    While it's great if you've identified an existing threat to an application you cannot properly secure, it does nothing to protect you against future attacks using less obvious techniques.

    mod_security alone is not an adequate solution. It's still necessary to proactively write secure applications in the first place, which means making sure you're never allowing raw, unfiltered/unescaped user data into places where it shouldn't go.

  10. Re:This disgusts me by Rycross · · Score: 2, Informative

    Languages can make bad code harder or easier to write however. Its perfectly acceptable to blame a language if it makes it hard to do things the "right way." I'm not much of a PHP hater, but a lot of stuff that they've done with the language makes me roll my eyes.

  11. Re:Big Picture by Arancaytar · · Score: 2, Informative

    Sorry, I see we're talking about different user groups.

    From the user perspective a virus scanner (and NoScript) will indeed protect you from installing malware on your computer, which may be downloaded from a hijacked website (XSS is a more common attack vector for that, but I've had an Invision forum hijacked via SQL injection too).

    I was speaking more from the perspective of the web admin whose site gets defaced, who won't get around some lessons on secure input handling. ;)

  12. Re:Kaspersky by Fulcrum+of+Evil · · Score: 3, Informative

    Are you insane? Write parameterized SQL for all your queries and this just won't happen - setting your name to ';-- drop table users;' will just result in funky display logic.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"