Slashdot Mirror


SQL Injection Attack Claims 132,000+

An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."

16 of 186 comments

  1. Re:hey by jo42 · · Score: 4, Funny

    dd if=/dev/zero of=/dev/sda bs=8192 will fix it.

  2. why don't these go away? by v1 · · Score: 3, Interesting

    If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?

    --
    I work for the Department of Redundancy Department.

    1. Re:why don't these go away? by jimicus · · Score: 3, Insightful

      You are assuming that all the systems are hosted at reputable hosting companies that pro-actively monitor all their systems.

      There are millions of systems worldwide that are exposed to the public internet (even though they probably shouldn't be) that are sitting in the corner somewhere waiting for someone to "get around to decommissioning them" - and in the meantime they're pumping out spam and taking part in DDoS attacks.

  3. Reminds me of xkcd by BountyX · · Score: 3, Funny

    Seriously people stop naming your kids with ');DROP TABLE at the end...

    --
    Trying to install linux on my microwave, but keep getting a kernel panic...

  4. Details? by HangingChad · · Score: 3, Insightful

    I love the way they fail to mention what server systems might be affected. Is it SQL Server? MySQL? .NET? PHP? Windows servers? Linux? Both? What web sites are vulnerable?

    It's always fun to snicker when you get to the registry entries which point to Windows. Although there was a trojan for Ubuntu in a desktop theme a few days ago, so enjoy the time to mock Windows users while it lasts.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Details? by Yvan256 · · Score: 4, Insightful

      But a Trojan needs user access and approval to get installed. No OS on the planet can protect itself from a user with the admin password.

    2. Re:Details? by Bert64 · · Score: 4, Funny

      Windows 9x used to do a pretty good job, can't own a system once it's bluescreened.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    3. Re:Details? by LordKaT · · Score: 5, Insightful

      Even still, this blog post is fucking useless. What CMS? What input is not being validated? Is it an underlying problem with Drupal? Wordpress? Joomla? What version?

      On top of that, it doesn't give any recommendations for what end users could do to protect themselves. Does anti-virus software already detect it? Can you simply alter your hosts file? Disable Javascript?

      The blog post is completely fucking useless.

  5. Re:hey by Yvan256 · · Score: 4, Funny

    Call a comedy club and get your computer on stage?

  6. How is SQL involved? by Bromskloss · · Score: 3, Interesting

    The article said "SQL" in the headline, but never mentioned it again after that.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities

  7. Re:Windoze by TheNinjaroach · · Score: 5, Informative

    All I can tell (from TFA), is it affects Windows servers.

    SQL injection attacks affect any number of platforms. It's not a Windows problem, it's not a database problem, it's a "we hired cheap, unskilled developers" problem.

    Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..

  8. Obvious, but needs to be said by GreenTom · · Score: 4, Informative

    Add to windows\system32\drivers\etc\hosts:

    127.0.0.1 318x.com

    And you should be safe, for the moment.

  9. No... by Oxford_Comma_Lover · · Score: 3, Interesting

    The assumption is that once there are a hundred thousand servers hit, and maybe fewer, if the hosting company doesn't shut down the site within an hour or two a responsible upstream router blocks traffic from the site. Every delivered payload costs society more time and money.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!

  10. Re:Let's say it all together now... by Vellmont · · Score: 3, Informative
    validate your SQL inputs before posting them against an Internet-facing database.

    Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current potential and future potential for breaking out of a SQL statement. It won't protect you from people putting in their own parameters into your SQL statement (like say someone else's userID), but that's a different class of vulnerability.

    --
    AccountKiller

  11. Re:Lame coders who don't care about security! by DNX+Blandy · · Score: 3, Insightful

    Very true, at which point this function simply doubled up the string delimiters, breaking the SQL injection. The major problem with Classic ASP was the casting of variables; if not done properly, you were asking for it. If it's numeric, check it. .NET does not suffer from this problem unless the coder specifically passes a numeric value through to an SQL statement as a string, which would be stupid. If everyone used stored procedures to deal with the SQL data, none of this would happen. My above checks alert you to the fact that someone is having a go; you can't do that when checking for string delimiters as they are valid characters, but yes, if your code uses a shitty "execute" command, check it. If you use proper stored procedures, this will not affect you.
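    An added example, not code from the thread, from ScanSafe or from any of the posters, putting the points of comments 10 and 11 side by side with Python's sqlite3 module and constructed sample rows: the concatenated "execute" query both comments warn against, the delimiter-doubling fix for string columns, a prepared statement, the cast for numeric input, and the separate ownership check that a prepared statement does not give you. The table, rows and function names (lookup_prepared, email_for_user, etc.) are assumptions made for the demo.

```python
import sqlite3

# Constructed in-memory sample data (not taken from the thread or the attack).
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
    INSERT INTO users VALUES (1, 'alice', 'alice@example.invalid');
    INSERT INTO users VALUES (2, 'bob', 'bob@example.invalid');
""")

def lookup_vulnerable(name):
    """The plain 'execute' pattern: the value is spliced into the SQL text,
    so delimiter characters in it become part of the SQL grammar."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_quote_doubled(name):
    """The Classic ASP style fix from comment 11: double the string delimiters.
    Only meaningful for string columns; a numeric column has no delimiters."""
    sql = "SELECT id, name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()

def lookup_prepared(name):
    """Prepared (parameterised) statement: the driver sends the value separately
    from the SQL text, so it can never change the statement's structure."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def email_for_user(session_user_id, requested_id):
    """Comment 10's caveat: a prepared statement does not stop a caller asking
    for someone else's record. That is an authorisation check, done before the
    query. Numeric input is cast first (comment 11: 'if it's numeric, check it')."""
    requested_id = int(requested_id)          # raises ValueError on anything non-numeric
    if requested_id != session_user_id:
        raise PermissionError("not your record")
    row = conn.execute("SELECT email FROM users WHERE id = ?", (requested_id,)).fetchone()
    return row[0] if row else None
```

    Run the three lookups with a value containing a single quote to see that only the concatenated version lets the input alter the WHERE clause.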

  12. Re:hey by Arancaytar · · Score: 3, Funny

    I actually post all my comments via a dead-man's-switch proxy that logs my keystrokes in real time and submits the post once it detects inactivity. This way I can type things like Candlejack and still publish my po