Mass SQL Injection Attack Hits Sites Running IIS

← Back to Stories (view on slashdot.org)

Mass SQL Injection Attack Hits Sites Running IIS

Posted by Soulskill on Friday June 11, 2010 @05:41AM from the oft-repeated-headlines dept.

Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

20 of 288 comments (clear)

Min score:

Reason:

Sort:

Sounds like by by+(1706743) · 2010-06-11 05:43 · Score: 5, Funny

Bobby Tables strikes again.
1. Re:Sounds like by by+(1706743) · 2010-06-11 05:56 · Score: 5, Funny
  
  Take it you didn't read TFA?
  Nope.
  
  Or just trying to be the first to jump on the Bobby Tables meme...
  Yup.
  
  ...without actually understanding what it means?
  It means you shouldn't name your kid with SQL in his name?
2. Re:Sounds like by Nohea · 2010-06-11 06:07 · Score: 4, Informative
  
  actually, if you read the actual description of the attack is IS a SQL Injection attack on a web script. More advanced than "bobby tables", but basically the same problem.
Re:Wrong tag by endikos · 2010-06-11 05:49 · Score: 4, Informative

While the faulty script on a specific platform may be allowing the attack, it's absolutely a SQL injection attack, which is iterating through tables and appending strings to data it finds.
Re:Wrong tag by unity100 · 2010-06-11 05:51 · Score: 3, Informative

it is wrong to picture this as a lack or shortcoming of sql. sql is doing what query it is given to it. nothing else. its NOT related to sql. it is named a sql injection attack, but its not due to sql.

--
Read radical news here
Poor programing practices, NOT IIS or SQL at fault by CharlieHedlin · 2010-06-11 05:54 · Score: 4, Informative

Anyone writing scripts that don't use parametrized stored procedures for the database or Linq needs to find a new line of work.
Re:Wrong tag by Michael+Kristopeit · 2010-06-11 05:55 · Score: 4, Insightful

it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.
Re:Poor programing practices, NOT IIS or SQL at fa by ComaVN · 2010-06-11 06:01 · Score: 3, Interesting

What is wrong with using regular parameterized queries instead of SPs?

--
Be wary of any facts that confirm your opinion.
graceful by MagicMerlin · 2010-06-11 06:04 · Score: 5, Funny

It was nice of them to deallocate the cursor when done. Thanks!
Re:Wrong tag by BitterOak · 2010-06-11 06:10 · Score: 3, Insightful

it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.
Mod parent up. According to the GP "it is wrong to picture this as a lack or shortcoming of sql. sql is doing what query it is given to it. nothing else." That's precisely the problem! Most security vulnerabilities are the result of software doing exactly what it is told to do!

--
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
So... it is really due to CPU's? Re:Wrong tag by Fubari · 2010-06-11 06:10 · Score: 3, Insightful

it is due to sql...

Huh? It happened because they use sql?
Following that line of thought,
isn't it really due to the use
of CPU's in those servers?
1. Re:So... it is really due to CPU's? Re:Wrong tag by squiggleslash · 2010-06-11 06:49 · Score: 5, Informative
  
  Geez guys. There's more finger pointing in here than a meeting between BP, Transocean, and Haliburton.
  It's not a flaw in any of the technologies used, it's a flaw in how they were used together. The programmers who wrote the scripts didn't properly validate incoming data. That's all there is too it.
  Yes, aspects of SQL probably didn't help, but quite honestly, it was a programming decision to use SQL in the first place.
  Either way, fix it!
  
  --
  You are not alone. This is not normal. None of this is normal.
We Got Hit By This by Anonymous Coward · 2010-06-11 06:14 · Score: 5, Informative

I run a site that got hit by this. It's hosted by Rackspace Cloud, so one presumes that IIS and MSSQL were patched up. We aren't using any kind of ad network, so I think the attackers were just looking for ASP sites that used queries. We got hit because we failed to sanitize inputs in one spot.
We were lucky, though. Since the attack blasts the script code into every column of every table it can get its hands on, it actually broke the SQL queries that pull up the page content, so users just saw an error message instead of page content + malware.
1. Re:We Got Hit By This by MisterZimbu · 2010-06-11 06:41 · Score: 4, Informative
  
  Just as a followup to this, it's not actually a fault or exploit in MSSQL or IIS; just that the SQL being injected is specific to MSSQL and completely valid. This can and will happen in any future version of IIS or MSSQL unless specific action is taken by Microsoft to prevent the underlying technique used to do it, which is unlikely as it will break a large percentage of perfectly legitimate applications.
  The same attack could probably be modified to hit Oracle, MySQL, or other DBMSes with minimal effort. I don't even really know why IIS is even mentioned as the actual server software is irrelevant. This attack would just as easily hit MSSQL databases with website front ends hosted on Apache or pretty much anything else, no code changes needed. This isn't even the first time this has happened. A couple years pretty much the exact same script was used to deface sites on about the same scale as this one did.
  The blame should be placed on the developers of the poorly written 3rd party software that doesn't sanitize its inputs or (preferably) use parameterized queries and stored procedures.
2. Re:We Got Hit By This by gbrayut · 2010-06-11 08:48 · Score: 5, Informative
  
  Here is a great overview of the technique that was used:
  http://www.virusbtn.com/pdf/conference_slides/2009/Maciejak-Lovet-VB2009.pdf
  While they are targeting IIS and MSSQL the real issue is developers that don't sanitize the parameters that get sent to the database. The SQL is encoded in at least 2 different layers, so the only keywords that appear in the URL are ;dEcLaRe%20@s%20vArChAr(8000) and ;EXEC%20(@S); and It would be pretty difficult for Microsoft to block those without affecting legitimate usage. If you are using LINQ, Stored Procedures, or Parameterized Queries based on SqlCommand then this wouldn't work against your site or library. Mainly queries created as raw text strings have this vulnerability, and in this case it appears that some library or module used by a number of sites used raw SQL strings instead of the best practices recommended by Microsoft and every other SQL and web server vendor.
3. Re:We Got Hit By This by butlerm · 2010-06-11 10:44 · Score: 4, Informative
  
  it's not actually a fault or exploit in MSSQL
  Actually, it is. Or rather MS SQL Server is much more susceptible to these kind of attacks (in combination with poorly written code) than virtually any other database.
  The reason why is because in SQL Server is perfectly legal to include more than one SQL statement at a time separated by semicolons. So if you have an incompetent programmer who doesn't bind variables or sanitize input properly, an attacker can trivially inject any SQL he wants.
  Other databases are vulnerable to SQL injection attacks to a degree. but in a much more limited fashion because an attacker *cannot* start an entirely new SQL statement in the middle of another one.
  Other databases (notably Oracle) that support multiple statement execution require you to wrap the whole thing in "begin"/"end" blocks so they are not vulnerable to the particularly severe form of this attack that SQL Server is vulnerable to. That is why if an SQL injection attack is in the news, it is inevitably an attack on a poorly written MS SQL application.
Back to Basics by achbed · 2010-06-11 06:20 · Score: 3, Informative

http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
How many times do we need to say the same thing before people start listening? Oh, that's why we still have STDs. Because people don't take basic steps to reduce risk by orders of magnitude.
Re:Poor programing practices, NOT IIS or SQL at fa by Galestar · 2010-06-11 06:26 · Score: 4, Insightful

Here's a more accurate version: Anyone writing code that doesn't sanitize input needs to find a new line of work.
Fixed that for you

--
AccountKiller
Re:If it is platform independent by Dragonslicer · 2010-06-11 06:39 · Score: 4, Insightful

SQL injection is completely independent of web server, programming language, and database system. An idiot can write vulnerable code in any language, using any database system, and run it on any web server. My guess about why this is only targeting IIS is that the attack is against some specific ASP.NET code, so the vulnerability isn't in IIS, but the vulnerable code only runs on IIS.
Re:Wrong tag by LurkerXXX · 2010-06-11 07:10 · Score: 4, Interesting

It certainly is SQL injection. A query was allowed to run which did bad things. I run everything through well parametrized stored procedures. The webserver client isn't allowed to look directly at any tables, insert, delete, or do ANYTHING other than run those set stored procedures. No 'bad' queries are allowed to run on my server because of that. These folks used an easy-to-use but insecure framework, and got the results that very often happen in that circumstance.