Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mass SQL Injection Attack Hits Sites Running IIS

Posted by Soulskill on from the oft-repeated-headlines dept.

Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

27 of 288 comments (clear)

  1. Sounds like by by+(1706743) · · Score: 5, Funny

    Bobby Tables strikes again.

    1. Re:Sounds like by by+(1706743) · · Score: 5, Funny

      Take it you didn't read TFA?

      Nope.

      Or just trying to be the first to jump on the Bobby Tables meme...

      Yup.

      ...without actually understanding what it means?

      It means you shouldn't name your kid with SQL in his name?

    2. Re:Sounds like by Nohea · · Score: 4, Informative

      actually, if you read the actual description of the attack is IS a SQL Injection attack on a web script. More advanced than "bobby tables", but basically the same problem.

  2. Re:Wrong tag by endikos · · Score: 4, Informative

    While the faulty script on a specific platform may be allowing the attack, it's absolutely a SQL injection attack, which is iterating through tables and appending strings to data it finds.

  3. Re:Wrong tag by unity100 · · Score: 3, Informative

    it is wrong to picture this as a lack or shortcoming of sql. sql is doing what query it is given to it. nothing else. its NOT related to sql. it is named a sql injection attack, but its not due to sql.

    --
    Read radical news here
  4. Poor programing practices, NOT IIS or SQL at fault by CharlieHedlin · · Score: 4, Informative

    Anyone writing scripts that don't use parametrized stored procedures for the database or Linq needs to find a new line of work.

  5. Re:Wrong tag by Michael+Kristopeit · · Score: 4, Insightful

    it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.

  6. Re:Wrong tag by endikos · · Score: 2, Insightful

    Not saying it is a problem with SQL. Some SQL statements are being injected into a script, which is then happily executing them. The problem is with the script, but SQL is being injected into it... which is why its known as SQL injection. The term does not imply that the root of the problem is with SQL itself. It's a variant of Code Injection, but with SQL instead...

  7. Re:Poor programing practices, NOT IIS or SQL at fa by ComaVN · · Score: 3, Interesting

    What is wrong with using regular parameterized queries instead of SPs?

    --
    Be wary of any facts that confirm your opinion.
  8. graceful by MagicMerlin · · Score: 5, Funny

    It was nice of them to deallocate the cursor when done. Thanks!

  9. Re:Wrong tag by BitterOak · · Score: 3, Insightful

    it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.

    Mod parent up. According to the GP "it is wrong to picture this as a lack or shortcoming of sql. sql is doing what query it is given to it. nothing else." That's precisely the problem! Most security vulnerabilities are the result of software doing exactly what it is told to do!

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  10. So... it is really due to CPU's? Re:Wrong tag by Fubari · · Score: 3, Insightful

    it is due to sql...

    Huh? It happened because they use sql?
    Following that line of thought,
    isn't it really due to the use
    of CPU's in those servers?

    1. Re:So... it is really due to CPU's? Re:Wrong tag by squiggleslash · · Score: 5, Informative

      Geez guys. There's more finger pointing in here than a meeting between BP, Transocean, and Haliburton.

      It's not a flaw in any of the technologies used, it's a flaw in how they were used together. The programmers who wrote the scripts didn't properly validate incoming data. That's all there is too it.

      Yes, aspects of SQL probably didn't help, but quite honestly, it was a programming decision to use SQL in the first place.

      Either way, fix it!

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:So... it is really due to CPU's? Re:Wrong tag by DaTroof · · Score: 2, Insightful

      How about we try an analogy that's a little closer to the original topic? Let's say the exploit injected system commands instead of SQL commands. The fault wouldn't lie with the operating system, even though that's what was ultimately compromised. It would lie with the script that failed to sanitize input properly.

      Same thing with SQL. The problem isn't the query language itself. The problem is how the script executes queries.

  11. We Got Hit By This by Anonymous Coward · · Score: 5, Informative

    I run a site that got hit by this. It's hosted by Rackspace Cloud, so one presumes that IIS and MSSQL were patched up. We aren't using any kind of ad network, so I think the attackers were just looking for ASP sites that used queries. We got hit because we failed to sanitize inputs in one spot.

    We were lucky, though. Since the attack blasts the script code into every column of every table it can get its hands on, it actually broke the SQL queries that pull up the page content, so users just saw an error message instead of page content + malware.

    1. Re:We Got Hit By This by MisterZimbu · · Score: 4, Informative

      Just as a followup to this, it's not actually a fault or exploit in MSSQL or IIS; just that the SQL being injected is specific to MSSQL and completely valid. This can and will happen in any future version of IIS or MSSQL unless specific action is taken by Microsoft to prevent the underlying technique used to do it, which is unlikely as it will break a large percentage of perfectly legitimate applications.

      The same attack could probably be modified to hit Oracle, MySQL, or other DBMSes with minimal effort. I don't even really know why IIS is even mentioned as the actual server software is irrelevant. This attack would just as easily hit MSSQL databases with website front ends hosted on Apache or pretty much anything else, no code changes needed. This isn't even the first time this has happened. A couple years pretty much the exact same script was used to deface sites on about the same scale as this one did.

      The blame should be placed on the developers of the poorly written 3rd party software that doesn't sanitize its inputs or (preferably) use parameterized queries and stored procedures.

    2. Re:We Got Hit By This by gbrayut · · Score: 5, Informative

      Here is a great overview of the technique that was used:

      http://www.virusbtn.com/pdf/conference_slides/2009/Maciejak-Lovet-VB2009.pdf

      While they are targeting IIS and MSSQL the real issue is developers that don't sanitize the parameters that get sent to the database. The SQL is encoded in at least 2 different layers, so the only keywords that appear in the URL are ;dEcLaRe%20@s%20vArChAr(8000) and ;EXEC%20(@S); and It would be pretty difficult for Microsoft to block those without affecting legitimate usage. If you are using LINQ, Stored Procedures, or Parameterized Queries based on SqlCommand then this wouldn't work against your site or library. Mainly queries created as raw text strings have this vulnerability, and in this case it appears that some library or module used by a number of sites used raw SQL strings instead of the best practices recommended by Microsoft and every other SQL and web server vendor.

    3. Re:We Got Hit By This by butlerm · · Score: 4, Informative

      it's not actually a fault or exploit in MSSQL

      Actually, it is. Or rather MS SQL Server is much more susceptible to these kind of attacks (in combination with poorly written code) than virtually any other database.

      The reason why is because in SQL Server is perfectly legal to include more than one SQL statement at a time separated by semicolons. So if you have an incompetent programmer who doesn't bind variables or sanitize input properly, an attacker can trivially inject any SQL he wants.

      Other databases are vulnerable to SQL injection attacks to a degree. but in a much more limited fashion because an attacker *cannot* start an entirely new SQL statement in the middle of another one.

      Other databases (notably Oracle) that support multiple statement execution require you to wrap the whole thing in "begin"/"end" blocks so they are not vulnerable to the particularly severe form of this attack that SQL Server is vulnerable to. That is why if an SQL injection attack is in the news, it is inevitably an attack on a poorly written MS SQL application.

  12. Back to Basics by achbed · · Score: 3, Informative

    http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

    How many times do we need to say the same thing before people start listening? Oh, that's why we still have STDs. Because people don't take basic steps to reduce risk by orders of magnitude.

  13. Re:Poor programing practices, NOT IIS or SQL at fa by Galestar · · Score: 4, Insightful

    Here's a more accurate version: Anyone writing code that doesn't sanitize input needs to find a new line of work.

    Fixed that for you

    --
    AccountKiller
  14. Re:Poor programing practices, NOT IIS or SQL at fa by PolyDwarf · · Score: 2, Informative

    I think he was more asking about a parameterized-SP vs parameterized-TSQL, not a SP vs LINQ debate (which is what you linked)

  15. Re:If it is platform independent by Dragonslicer · · Score: 4, Insightful

    SQL injection is completely independent of web server, programming language, and database system. An idiot can write vulnerable code in any language, using any database system, and run it on any web server. My guess about why this is only targeting IIS is that the attack is against some specific ASP.NET code, so the vulnerability isn't in IIS, but the vulnerable code only runs on IIS.

  16. Re:I suspect.... by Lou57 · · Score: 2, Interesting
    Technically, you are correct. But in this incident, the web server being used IS relevant.

    1. The payload is IIS/MSSQL specific. The author WANTS that platform.
    2. The method of injection normally doesn't work on mySQL. jameswilkes over at http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html stated it quite well:

    "Also, the SQL contains multiple SQL statements. I use PHP and MySQL databases which by default will only execute one command. That makes it much harder to hack. So switching to PHP and MySQL might be a good security choice."

    --
    Lou
  17. Re:Wrong tag by LurkerXXX · · Score: 4, Interesting

    It certainly is SQL injection. A query was allowed to run which did bad things. I run everything through well parametrized stored procedures. The webserver client isn't allowed to look directly at any tables, insert, delete, or do ANYTHING other than run those set stored procedures. No 'bad' queries are allowed to run on my server because of that. These folks used an easy-to-use but insecure framework, and got the results that very often happen in that circumstance.

  18. AGAIN! AGAIN! by Ashcrow · · Score: 2, Informative

    It happened again since the 8th: http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-2677-inyahoo-js.html

  19. Re:Wrong tag by t33jster · · Score: 2, Informative

    SELECT * FROM Foods WHERE type = "hamburger" It'd have to be SELECT * FROM Foods WHERE type = "$1" PARAM1 = "hamburger"

    This functionality you propose is available today, although not required (at least in Oracle where I'm familiar). Look into bind variables. in fact, let me google it for anybody reading this who wants to know how to prevent sql injection. http://www.lmgtfy.com/?q=bind+variables The positive side effect (again in Oracle) is that use of bind variables reduces the CPU cost of parsing SQL statements, so not only should you use bind variables, you should REALLY use bind variables.

    --
    Take off every 'sig' for great justice.
  20. Re:holy shit. by omni123 · · Score: 2, Insightful

    Perhaps someone should describe variable parametrization to you? A language that implemented it would take a variable in place of the 'userid' statement from the DELETE FROM users WHERE userid = userid; this variable would not allow any escape characters to be a part of it and therefore destroy injection possibilities.

    When was the last time C had injection (buffer overflows are another story!)? It doesn't. Because if you have void func(int arg) you can't call func(1; exit(1)). This is a fundamental flaw in SQL and technologies that use ORM (i.e. a variable parametrization layer on top) do not regularly deal with issues like this.