Slashdot Mirror
SQL Injection Attack Claims 132,000+
An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."
After doing a whois, I see that just about all information is described as "Unknown"
Why is this domain still in existence? Can ICANN take it down?
It looks like the sole reason for this domain is for malware.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?
I work for the Department of Redundancy Department.
The article said "SQL" in the headline, but never mentioned it again after that.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
The assumption is that once there are a hundred thousand servers hit, and maybe fewer, if the hosting company doesn't shut down the site within an hour or two a responsible upstream router blocks traffic from the site. Every delivered payload costs society more time and money.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
validate your SQL inputs before posting them against an Internet-facing database. This isn't an SQL problem. This isn't a Windows-based problem. This is a poor coders problem. If there are high-profile websites that were compromised I'd be one pissed off PHB fo sho...
The source of the attacks are servers who have been compromised through SQL injection. I get that. It's an important detail. They fail to identify what sites and/or what those sites are running that is exploitable in this way. Is it MySQL? Is it MS SQL? Oracle? Is it a particular software package running on a particular web host platform? The questions are too many and should have been answered in the article.
What is done after a server is compromised is pretty common. Microsoft components, especially those linked through ActiveX, have been not just a hole in Microsoft security, but a tunnel into the Windows kernel big enough to drive a truck through. A vulnerability in Adobe flash is only a a problem when it uses ActiveX to get there. Flash running in other ways does not seem to pose such an extreme threat otherwise. But while these are important security concerns to be aware of, it has nothing to do with the topic of the story as indicated by the headline or the first line of the story which is about compromised SERVERS, not about compromised clients.
As many have pointed out, the blog post does not offer sufficient detail, but does offer the rather sensational headline "SQL injection attack claims 132,000+". The Google Safe Browsing diagnostic page for 318x.com has it closer to 1200 or so:
http://google.com/safebrowsing/diagnostic?site=318x.com/
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 318x.com appeared to function as an intermediary for the infection of 1202 site(s) including 37y.org/, jxagri.gov.cn/, glojj.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1269 domain(s), including 37y.org/, cec.org.cn/, jxagri.gov.cn/.