Slashdot Mirror


Mass SQL Injection Attack Hits Sites Running IIS

Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

6 of 288 comments

  1. Sounds like by by+(1706743) · · Score: 5, Funny

    Bobby Tables strikes again.

    1. Re:Sounds like by by+(1706743) · · Score: 5, Funny

      Take it you didn't read TFA?

      Nope.

      Or just trying to be the first to jump on the Bobby Tables meme...

      Yup.

      ...without actually understanding what it means?

      It means you shouldn't name your kid with SQL in his name?

  2. graceful by MagicMerlin · · Score: 5, Funny

    It was nice of them to deallocate the cursor when done. Thanks!

  3. We Got Hit By This by Anonymous Coward · · Score: 5, Informative

    I run a site that got hit by this. It's hosted by Rackspace Cloud, so one presumes that IIS and MSSQL were patched up. We aren't using any kind of ad network, so I think the attackers were just looking for ASP sites that used queries. We got hit because we failed to sanitize inputs in one spot.

    We were lucky, though. Since the attack blasts the script code into every column of every table it can get its hands on, it actually broke the SQL queries that pull up the page content, so users just saw an error message instead of page content + malware.

    1. Re:We Got Hit By This by gbrayut · · Score: 5, Informative

      Here is a great overview of the technique that was used:

      http://www.virusbtn.com/pdf/conference_slides/2009/Maciejak-Lovet-VB2009.pdf

      While they are targeting IIS and MSSQL the real issue is developers that don't sanitize the parameters that get sent to the database. The SQL is encoded in at least 2 different layers, so the only keywords that appear in the URL are ;dEcLaRe%20@s%20vArChAr(8000) and ;EXEC%20(@S); and it would be pretty difficult for Microsoft to block those without affecting legitimate usage. If you are using LINQ, Stored Procedures, or Parameterized Queries based on SqlCommand then this wouldn't work against your site or library. Mainly queries created as raw text strings have this vulnerability, and in this case it appears that some library or module used by a number of sites used raw SQL strings instead of the best practices recommended by Microsoft and every other SQL and web server vendor.
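As an added illustration (not part of gbrayut's comment or the linked slides), here is how a defender could flag the pattern described above in IIS W3C logs: percent-decode the query string until it stops changing, then match the DECLARE-a-varchar and EXEC-it halves case-insensitively, so the mixed-case spelling and the encoding layers do not hide them. The log lines are constructed, and the field order assumed is a common IIS layout (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status).

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not real traffic). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-06-09 10:01:02 10.0.0.5 GET /news/article.asp id=1234 80 - 192.0.2.10 Mozilla/4.0 200
2010-06-09 10:01:03 10.0.0.5 GET /news/article.asp id=1234;dEcLaRe%20@s%20vArChAr(8000) 80 - 198.51.100.7 Mozilla/4.0 500
2010-06-09 10:01:04 10.0.0.5 GET /news/article.asp id=99;EXEC%20(@S); 80 - 198.51.100.7 Mozilla/4.0 500
2010-06-09 10:01:05 10.0.0.5 GET /search.asp q=declare%20war 80 - 192.0.2.11 Mozilla/4.0 200
"""

# The two halves of the technique the comment names: declaring a varchar
# variable and executing it. Both are matched case-insensitively because the
# observed requests mix upper and lower case to dodge naive keyword filters.
DECLARE_RE = re.compile(r"\bdeclare\s+@\w+\s+varchar\s*\(\s*\d+\s*\)", re.IGNORECASE)
EXEC_RE = re.compile(r"\bexec\s*\(\s*@\w+\s*\)", re.IGNORECASE)


def decode_query(raw):
    """Percent-decode repeatedly so a double-encoded query does not slip past."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    return cur


def classify_query(raw):
    """Return 'declare', 'exec' or None for one cs-uri-query field."""
    q = decode_query(raw)
    if DECLARE_RE.search(q):
        return "declare"
    if EXEC_RE.search(q):
        return "exec"
    return None


def scan_log(text):
    """Return (client ip, uri-stem, kind) for every log line whose query matches."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 9:
            continue
        kind = classify_query(fields[5])
        if kind:
            hits.append((fields[8], fields[4], kind))
    return hits
```

Matches should be treated as a cue to find the unparameterized query on that page, since the request itself is only a symptom of the raw-string SQL the comment blames.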

  4. Re:So... it is really due to CPU's? Re:Wrong tag by squiggleslash · · Score: 5, Informative

    Geez guys. There's more finger pointing in here than a meeting between BP, Transocean, and Halliburton.

    It's not a flaw in any of the technologies used, it's a flaw in how they were used together. The programmers who wrote the scripts didn't properly validate incoming data. That's all there is to it.

    Yes, aspects of SQL probably didn't help, but quite honestly, it was a programming decision to use SQL in the first place.

    Either way, fix it!

    --
    You are not alone. This is not normal. None of this is normal.