Slashdot Mirror


Mass SQL Injection Attack Hits Sites Running IIS

Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

4 of 288 comments

  1. Wrong tag by unity100 · · Score: 1, Interesting

    It's not 'SQL'. It's IIS. SQL accepts any query given to it by the program. It's the script's job not to let in any malicious queries. It's a script fault.

    1. Re:Wrong tag by LurkerXXX · · Score: 4, Interesting

      It certainly is SQL injection. A query was allowed to run which did bad things. I run everything through well parametrized stored procedures. The webserver client isn't allowed to look directly at any tables, insert, delete, or do ANYTHING other than run those set stored procedures. No 'bad' queries are allowed to run on my server because of that. These folks used an easy-to-use but insecure framework, and got the results that very often happen in that circumstance.

  2. Re:Poor programming practices, NOT IIS or SQL at fa by ComaVN · · Score: 3, Interesting

    What is wrong with using regular parameterized queries instead of SPs?

    --
    Be wary of any facts that confirm your opinion.

  3. Re:I suspect.... by Lou57 · · Score: 2, Interesting

    Technically, you are correct. But in this incident, the web server being used IS relevant.

    1. The payload is IIS/MSSQL specific. The author WANTS that platform.
    2. The method of injection normally doesn't work on MySQL. jameswilkes over at http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html stated it quite well:

    "Also, the SQL contains multiple SQL statements. I use PHP and MySQL databases which by default will only execute one command. That makes it much harder to hack. So switching to PHP and MySQL might be a good security choice."

    --
    Lou
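
An added example, not part of the thread or any poster's code, contrasting the two defenses the comments raise: a driver that runs only one statement per call versus a parameterized query. It assumes Python's sqlite3 as a stand-in for the IIS/MSSQL stack; the `ads` table, its rows and both input strings are constructed.

```python
import sqlite3

# Constructed inputs: one appends a second statement, one stays inside a single statement.
STACKED = "x'; UPDATE ads SET title = title || ' [tampered]'; --"
TAUTOLOGY = "x' OR '1'='1"

def make_db():
    """In-memory SQLite database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE ads(id INTEGER PRIMARY KEY, title TEXT);"
        "INSERT INTO ads(title) VALUES ('spring sale'), ('summer sale');"
    )
    return db

def titles(db):
    """Current contents of the table, used to see whether anything was modified."""
    return [row[0] for row in db.execute("SELECT title FROM ads ORDER BY id")]

def concat_batch(db, value):
    """Vulnerable: string-built SQL sent through an API that runs statement batches."""
    db.executescript("SELECT id FROM ads WHERE title = '" + value + "';")
    return titles(db)

def concat_single(db, value):
    """String-built SQL through execute(), which accepts one statement only."""
    try:
        return db.execute("SELECT id FROM ads WHERE title = '" + value + "'").fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "rejected"  # the appended statement never runs

def parameterized(db, value):
    """The value is bound as data and never parsed as SQL."""
    return db.execute("SELECT id FROM ads WHERE title = ?", (value,)).fetchall()

if __name__ == "__main__":
    print(concat_batch(make_db(), STACKED))     # rows changed by the appended UPDATE
    print(concat_single(make_db(), STACKED))    # batch refused by the single-statement API
    print(concat_single(make_db(), TAUTOLOGY))  # every row matches: still injectable
    db = make_db()
    print(parameterized(db, STACKED), parameterized(db, TAUTOLOGY), titles(db))
```

Single-statement execution blocks the appended `UPDATE` but not injection inside the one statement; only the bound parameter treats both inputs as plain data.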