Slashdot Mirror

← Back to Stories (view on slashdot.org)

Relentless Web Attack Hard To Kill

Posted by kdawson on from the stay-dead-willya dept.

ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."

4 of 218 comments (clear)

  1. Whatever happened by RaceProUK · · Score: 5, Insightful

    to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.

    --
    No colour or religion ever stopped the bullet from a gun
  2. Re:Kaspersky by Arancaytar · · Score: 4, Insightful

    It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

    What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.

  3. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

    The idea of a SQL Injection attack is to pass a parameter in such a way that it changes the structure of the query itself. Typical beginner's SQL query:

    sql = "SELECT * FROM Users WHERE Username = '" & Request.Form("Username") & "' AND Password = '" & Request.Form("Password") & "';"

    This uses 'String Concatenation' to build a line of text from several smaller parts. The completed string is then, in this example executed by a database. A new query is dynamically created and executed based on the text passed to it. Thus, we are able to at this point change what query will be run. Form data:

    Username = "Admin"
    Password = "x' OR 'e' = 'e"

    So when the string is being put together, we get:

    SELECT * FROM Users WHERE Username = 'Admin' AND Password = 'x' OR 'e' = 'e';

    Certainly, even with no programming experience, one can see that the letter E will always be equivalent to the letter E. Thus, any validation of the password will return a false positive.

    Prepared statements avoid this whole deal by only allowing you to pass parameters. The query is already set in stone. You cannot change how it basically works, only its criteria / filtering / etc. A prepared statement would execute basically:

    SELECT * FROM Users WHERE Username = "Admin" AND Password = "x' OR 'e' = 'e";

    Since the query does not change dynamically when it's executed as a prepared statement, you can't add your logical 'OR' operator after having broken out of your parameter. You just get no rows returned, as should be the case.

  4. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

    You're working off of the false assumption that security is about knowledge.

    We know abundantly well exactly how SQL injection attacks occur, and we also have many tools at our disposal to -absolutely- prevent them. What we don't have is the cooperation or effort from programmers on a widespread basis. Many are simply too lazy to research and implement reasonable security measures. It's easier to pretend that there are no ways whatsoever that anything can go wrong with your code because when you tested it it worked right. This willfull turning a blind eye to well-established security caveats is what has given us this terrible and prevalent security problem. It's easier to write code that checks nothing, it's quicker to do so, and it requires less think-juice on the part of the lazy programmer.