Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mass SQL Injection Attack Hits Sites Running IIS

Posted by Soulskill on from the oft-repeated-headlines dept.

Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

15 of 288 comments (clear)

  1. Sounds like by by+(1706743) · · Score: 5, Funny

    Bobby Tables strikes again.

    1. Re:Sounds like by by+(1706743) · · Score: 5, Funny

      Take it you didn't read TFA?

      Nope.

      Or just trying to be the first to jump on the Bobby Tables meme...

      Yup.

      ...without actually understanding what it means?

      It means you shouldn't name your kid with SQL in his name?

    2. Re:Sounds like by Nohea · · Score: 4, Informative

      actually, if you read the actual description of the attack is IS a SQL Injection attack on a web script. More advanced than "bobby tables", but basically the same problem.

  2. Re:Wrong tag by endikos · · Score: 4, Informative

    While the faulty script on a specific platform may be allowing the attack, it's absolutely a SQL injection attack, which is iterating through tables and appending strings to data it finds.

  3. Poor programing practices, NOT IIS or SQL at fault by CharlieHedlin · · Score: 4, Informative

    Anyone writing scripts that don't use parametrized stored procedures for the database or Linq needs to find a new line of work.

  4. Re:Wrong tag by Michael+Kristopeit · · Score: 4, Insightful

    it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.

  5. graceful by MagicMerlin · · Score: 5, Funny

    It was nice of them to deallocate the cursor when done. Thanks!

  6. We Got Hit By This by Anonymous Coward · · Score: 5, Informative

    I run a site that got hit by this. It's hosted by Rackspace Cloud, so one presumes that IIS and MSSQL were patched up. We aren't using any kind of ad network, so I think the attackers were just looking for ASP sites that used queries. We got hit because we failed to sanitize inputs in one spot.

    We were lucky, though. Since the attack blasts the script code into every column of every table it can get its hands on, it actually broke the SQL queries that pull up the page content, so users just saw an error message instead of page content + malware.

    1. Re:We Got Hit By This by MisterZimbu · · Score: 4, Informative

      Just as a followup to this, it's not actually a fault or exploit in MSSQL or IIS; just that the SQL being injected is specific to MSSQL and completely valid. This can and will happen in any future version of IIS or MSSQL unless specific action is taken by Microsoft to prevent the underlying technique used to do it, which is unlikely as it will break a large percentage of perfectly legitimate applications.

      The same attack could probably be modified to hit Oracle, MySQL, or other DBMSes with minimal effort. I don't even really know why IIS is even mentioned as the actual server software is irrelevant. This attack would just as easily hit MSSQL databases with website front ends hosted on Apache or pretty much anything else, no code changes needed. This isn't even the first time this has happened. A couple years pretty much the exact same script was used to deface sites on about the same scale as this one did.

      The blame should be placed on the developers of the poorly written 3rd party software that doesn't sanitize its inputs or (preferably) use parameterized queries and stored procedures.

    2. Re:We Got Hit By This by gbrayut · · Score: 5, Informative

      Here is a great overview of the technique that was used:

      http://www.virusbtn.com/pdf/conference_slides/2009/Maciejak-Lovet-VB2009.pdf

      While they are targeting IIS and MSSQL the real issue is developers that don't sanitize the parameters that get sent to the database. The SQL is encoded in at least 2 different layers, so the only keywords that appear in the URL are ;dEcLaRe%20@s%20vArChAr(8000) and ;EXEC%20(@S); and It would be pretty difficult for Microsoft to block those without affecting legitimate usage. If you are using LINQ, Stored Procedures, or Parameterized Queries based on SqlCommand then this wouldn't work against your site or library. Mainly queries created as raw text strings have this vulnerability, and in this case it appears that some library or module used by a number of sites used raw SQL strings instead of the best practices recommended by Microsoft and every other SQL and web server vendor.

    3. Re:We Got Hit By This by butlerm · · Score: 4, Informative

      it's not actually a fault or exploit in MSSQL

      Actually, it is. Or rather MS SQL Server is much more susceptible to these kind of attacks (in combination with poorly written code) than virtually any other database.

      The reason why is because in SQL Server is perfectly legal to include more than one SQL statement at a time separated by semicolons. So if you have an incompetent programmer who doesn't bind variables or sanitize input properly, an attacker can trivially inject any SQL he wants.

      Other databases are vulnerable to SQL injection attacks to a degree. but in a much more limited fashion because an attacker *cannot* start an entirely new SQL statement in the middle of another one.

      Other databases (notably Oracle) that support multiple statement execution require you to wrap the whole thing in "begin"/"end" blocks so they are not vulnerable to the particularly severe form of this attack that SQL Server is vulnerable to. That is why if an SQL injection attack is in the news, it is inevitably an attack on a poorly written MS SQL application.

  7. Re:Poor programing practices, NOT IIS or SQL at fa by Galestar · · Score: 4, Insightful

    Here's a more accurate version: Anyone writing code that doesn't sanitize input needs to find a new line of work.

    Fixed that for you

    --
    AccountKiller
  8. Re:If it is platform independent by Dragonslicer · · Score: 4, Insightful

    SQL injection is completely independent of web server, programming language, and database system. An idiot can write vulnerable code in any language, using any database system, and run it on any web server. My guess about why this is only targeting IIS is that the attack is against some specific ASP.NET code, so the vulnerability isn't in IIS, but the vulnerable code only runs on IIS.

  9. Re:So... it is really due to CPU's? Re:Wrong tag by squiggleslash · · Score: 5, Informative

    Geez guys. There's more finger pointing in here than a meeting between BP, Transocean, and Haliburton.

    It's not a flaw in any of the technologies used, it's a flaw in how they were used together. The programmers who wrote the scripts didn't properly validate incoming data. That's all there is too it.

    Yes, aspects of SQL probably didn't help, but quite honestly, it was a programming decision to use SQL in the first place.

    Either way, fix it!

    --
    You are not alone. This is not normal. None of this is normal.
  10. Re:Wrong tag by LurkerXXX · · Score: 4, Interesting

    It certainly is SQL injection. A query was allowed to run which did bad things. I run everything through well parametrized stored procedures. The webserver client isn't allowed to look directly at any tables, insert, delete, or do ANYTHING other than run those set stored procedures. No 'bad' queries are allowed to run on my server because of that. These folks used an easy-to-use but insecure framework, and got the results that very often happen in that circumstance.