Slashdot Mirror


Relentless Web Attack Hard To Kill

ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."

14 of 218 comments

  1. Whatever happened by RaceProUK · · Score: 5, Insightful

    to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.

    --
    No colour or religion ever stopped the bullet from a gun
  2. noscript by Manfre · · Score: 5, Informative

    NoScript is one of the best ways to avoid viruses that are distributed from the web.

  3. Re:Kaspersky by mfh · · Score: 4, Informative

    Kaspersky is so brilliant, it locks up every time I try to do anything with it.

    Then again, my AVG hasn't updated properly all week...

    You're not supposed to run them at the same time. They fight for control and eventually stalemate. Uninstall AVG and reinstall Kaspersky, but by now you may have damaged your system configuration. Kaspersky is pretty brutal if it gets unhinged, but it's unstoppable if you get it configured correctly.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  4. Re:Kaspersky by Anonymous Coward · · Score: 4, Funny

    "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford

  5. Install a proxy by gfilion · · Score: 4, Interesting

    We had this problem a few months back at work. Old but necessary asp web sites kept getting infected. It only took a few hours to install a reverse proxy with mod_security on EC2 and we were in the clear.

    Full story on my blog:
    http://guillaume.filion.org/blog/archives/2008/05/i_love_ec2_and_rightscale.php

  6. Chinese underground by AragornSonOfArathorn · · Score: 4, Funny

    Is it like Big Trouble in Little China, with the lightning ninjas and floating eye thing? Did they get Kurt Russell to help?

    If so, that would be AWESOME.

    --
    sudo eat my shorts
  7. Re:This disgusts me by Pope · · Score: 4, Funny

    I'd say fully half of all the programmers are going to be below average...

    --
    It doesn't mean much now, it's built for the future.
  8. Re:Kaspersky by Arancaytar · · Score: 4, Insightful

    It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

    What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.

  9. Re:This disgusts me by 77Punker · · Score: 4, Funny

    I'd say fully half of them will be below median.

  10. No DRM trolls? by genner · · Score: 4, Funny

    Did everyone miss the fact that the toolkit responsible includes some hefty DRM?

    Where's the outrage?
    Why aren't we demanding an open source solution?

  11. Big Picture by mfh · · Score: 4, Interesting

    It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

    This is going to sound like a little bit of double speak but I'll remind you that Kaspersky found these attacks were happening. Also, they are studying the behavior. Furthermore, Kaspersky protects systems from nefarious things that attackers will do, regardless of how they get on the system. Nothing is perfect with Windows, but if you look at the options, Kaspersky is the best out there.

    Now of course, if you want to insist that the attacks happen whether Kaspersky is running or not, you will be correct. But what you're not saying is how LIMITED the attackers are when trying to get past Kaspersky after they get on a system.

    Noscript also helps, but isn't perfect either.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  12. Re:This disgusts me by NNKK · · Score: 4, Informative

    You're right, you're no programmer. Go read up:

    http://en.wikipedia.org/wiki/SQL_injection

    Prepared (or parametrized) statements are an easy and absolute defense against SQL injection attacks. The OP is right, the fact that such attacks still succeed is disgusting and inexcusable.

  13. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

    The idea of a SQL Injection attack is to pass a parameter in such a way that it changes the structure of the query itself. Typical beginner's SQL query:

    sql = "SELECT * FROM Users WHERE Username = '" & Request.Form("Username") & "' AND Password = '" & Request.Form("Password") & "';"

    This uses 'String Concatenation' to build a line of text from several smaller parts. The completed string is then, in this example, executed by a database. A new query is dynamically created and executed based on the text passed to it. Thus, we are able at this point to change what query will be run. Form data:

    Username = "Admin"
    Password = "x' OR 'e' = 'e"

    So when the string is being put together, we get:

    SELECT * FROM Users WHERE Username = 'Admin' AND Password = 'x' OR 'e' = 'e';

    Certainly, even with no programming experience, one can see that the letter E will always be equivalent to the letter E. Thus, any validation of the password will return a false positive.

    Prepared statements avoid this whole deal by only allowing you to pass parameters. The query is already set in stone. You cannot change how it basically works, only its criteria / filtering / etc. A prepared statement would execute basically:

    SELECT * FROM Users WHERE Username = "Admin" AND Password = "x' OR 'e' = 'e";

    Since the query does not change dynamically when it's executed as a prepared statement, you can't add your logical 'OR' operator after having broken out of your parameter. You just get no rows returned, as should be the case.
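    The concatenation-versus-prepared-statement contrast described in the comment above, as an added example that is not part of the original thread or of any poster's code. It uses Python's standard sqlite3 module instead of classic ASP, builds a constructed in-memory Users table (the column names and the single row are assumptions), and feeds the comment's own password value to both a concatenated query and a parameterised one so the difference in returned rows can be checked directly.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one user row.

    Assumption: a Users table with Username and Password columns, matching
    the query in the comment. The plaintext password is only sample data.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def concat_sql(username, password):
    """Build the query text by string concatenation, as the ASP snippet does.

    Returned so the reader can see how the structure of the statement changes
    when the parameter contains a quote.
    """
    return ("SELECT * FROM Users WHERE Username = '" + username +
            "' AND Password = '" + password + "';")


def login_concat(conn, username, password):
    """Vulnerable pattern: the form values become part of the SQL text.

    AND binds tighter than OR, so a password of  x' OR 'e' = 'e  turns the
    WHERE clause into (Username = 'Admin' AND Password = 'x') OR ('e' = 'e'),
    which is true for every row.
    """
    return conn.execute(concat_sql(username, password)).fetchall()


def login_prepared(conn, username, password):
    """Hardened pattern: the query text is fixed, values are bound separately.

    The driver passes the password as a single string value, quote included,
    so it is compared against the stored column rather than parsed as SQL.
    """
    sql = "SELECT * FROM Users WHERE Username = ? AND Password = ?;"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR 'e' = 'e"   # the value from the comment's form data
    print(concat_sql("Admin", injected))
    print("concatenated :", len(login_concat(db, "Admin", injected)), "row(s)")
    print("prepared     :", len(login_prepared(db, "Admin", injected)), "row(s)")
```

Running the block prints the rewritten query from the comment, then one row for the concatenated version and zero rows for the prepared statement; swapping in the stored password returns one row from both, which shows the parameterised form still does its job for legitimate input.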

  14. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

    You're working off of the false assumption that security is about knowledge.

    We know abundantly well exactly how SQL injection attacks occur, and we also have many tools at our disposal to -absolutely- prevent them. What we don't have is the cooperation or effort from programmers on a widespread basis. Many are simply too lazy to research and implement reasonable security measures. It's easier to pretend that there are no ways whatsoever that anything can go wrong with your code because when you tested it, it worked right. This willful turning of a blind eye to well-established security caveats is what has given us this terrible and prevalent security problem. It's easier to write code that checks nothing, it's quicker to do so, and it requires less think-juice on the part of the lazy programmer.