Slashdot Mirror


Massive SQL Injection Attack Compromises 380K URLs

Orome1 writes "A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked. The injected script redirects users that have landed on the various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution."

117 comments

  1. 380 aint so bad by digitalsushi · · Score: 1

    If each of those kurls is able to be refinished, I think that they could withstand another couple of injections, easily. Why is sensationalist media destroying our national merits!? Only on slashdot, and yes, I did read the article.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  2. Redirected by Jurramonga · · Score: 5, Funny

    I was trying to access www.AntiVirusPro2011.com when I got redirected here.

    1. Re:Redirected by WrongSizeGlass · · Score: 1

      I was trying to access www.AntiVirusPro2011.com when I got redirected here.

      You should have been trying to get to lizamoon.com instead ... but it's not responding anymore. I guess it got overloaded (or shut down).

    2. Re:Redirected by Anonymous Coward · · Score: 0

      lizamoon -- hah, you also had a customer affected by it?

    3. Re:Redirected by WrongSizeGlass · · Score: 1

      lizamoon -- hah, you also had a customer affected by it?

      No, it was in the article so I tried to go to the site to see what it was actually doing. Knowing what it looks like will help me spot it in case one of my client's computers (or websites) gets affected.

  3. Some future this is... by ackthpt · · Score: 1

    I want my money back. This isn't the future I was promised.

    I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back. I don't understand why this sort of behavior isn't being shut down promptly by the powers that be of the internet. They'll watch your music, the CIA will record every character transmitted or received (Hi, Bob!), but they can't seem to recognise the same stupid bogus anti-malware scan scam going from IP address A to IP address B.

    Don't worry about 1984 and Big Brother, we aren't even close.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Some future this is... by Massacrifice · · Score: 1

      the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

      What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

      --
      -- Home is where you eat your heart out.
    2. Re:Some future this is... by recoiledsnake · · Score: 1

      >I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

      What are you talking about?

      --
      This space for rent.
    3. Re:Some future this is... by ackthpt · · Score: 1

      >I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

      What are you talking about?

      If you have all the right holes open, that Malware scan does more than just launch a page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding. Thanks to the mindbogglingly stupid way Windows installs software packages I can't just format my system partition and reinstall the OS - my registry, my documents, my program files, et al. are in the same basket. Sometimes you can install software to a different drive, but the vendor puts stuff in your Registry which goes with the rebuild and you can spend lots of fun time installing software all over again. Geez. Why didn't they adopt the *nix approach to filesystems?

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:Some future this is... by ackthpt · · Score: 1

      the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

      What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

      Ironically we'll hear that 1,000 government PCs are infected. But have some stalker on Craigslist posting from a Starbucks and the cars are already on the way. Russia may be a riddle wrapped in an enigma, but how FBI/CIA/DHS/law enforcement have access to stuff so quick, but nobody can seem to prevent the same old sh*t, which has been on the internet for years, from moving around is beyond me.

      --

      A feeling of having made the same mistake before: Deja Foobar
    5. Re:Some future this is... by mspohr · · Score: 0

      Stupidity is doing the same thing over and over and expecting a different result.

      Why do people keep using Windows?

      --
      I don't read your sig. Why are you reading mine?
    6. Re:Some future this is... by recoiledsnake · · Score: 1

      >If you have all the right holes open, that Malware scan does more than just launch an page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding.

      What right holes? Are you talking about Windows 7 or XP? That malware scan can't do shit unless you click to download and install the exe from that suspect site and then click okay on the UAC prompt. Even if it compromised IE, IE runs in a low permission sandbox that is extremely difficult to get out of, forget about modifying system files.

      If you do the equivalent on Unix, you still have to wipe the system, e.g. see this http://www.linuxforums.org/forum/security/29611-rootkit-infected.html

      I don't see what you're cribbing about or anything about the "(thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) ".

      --
      This space for rent.
    7. Re:Some future this is... by Anonymous Coward · · Score: 0

      >Why do people keep using Windows?

      Because I like being employed and middle managers are easily swayed into using What Everyone Else Is Using. They use Windows, therefore I use Windows.

    8. Re:Some future this is... by PNutts · · Score: 1

      Sometimes you can install software to a different drive, but the vendor puts stuff in your Registry which goes with the rebuild and you can spend lots of fun time installing software all over again.

      Or you could backup the parts that are important to you.

  4. Sweet story bro by 19thNervousBreakdown · · Score: 2

    So, what's the attack? What SQL servers/CMS/languages are vulnerable?

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    1. Re:Sweet story bro by an00bis · · Score: 1

      Looking through the first several pages from Google, searching for the same string that was in the article, it's predominantly ASP/ASPX/CFM that is coming up. Probably nothing new, just taking raw user input and querying directly with that.

    2. Re:Sweet story bro by WrongSizeGlass · · Score: 1

      So, what's the attack? What SQL servers/CMS/languages are vulnerable?

      Neither article says ... so I guess the only way to find out is to hit the internet and find out for ourselves!

    3. Re:Sweet story bro by shadowrat · · Score: 1

      The article didn't really say. I went looking for the same information. All I found was a lot of talk about what you will find on an infected site. The takeaway seems to be: If your site is serving up weird links that you didn't put there, sanitize everything.

      That hardly seems like news.

    4. Re:Sweet story bro by el_gordo101 · · Score: 1

      After a cursory glance at the search results of infected pages, I saw the following file types:
      Microsoft Active Server Pages (.asp)
      Microsoft ASP.NET (.aspx)
      Java Server Pages (.jsp)
      Cold Fusion (.cfm)

      Seems mostly aimed towards .asp and .aspx pages, but I would venture to guess that any web app that doesn't scrub the form input data would be vulnerable.

      --
      TODO: Insert witty sig
    5. Re:Sweet story bro by Anonymous Coward · · Score: 0

      It is SQL injection. Any DB server and any server side Web toolkit permitting execution of raw SQL is vulnerable, subject to programmers' incompetence.

    6. Re:Sweet story bro by lennier1 · · Score: 1

      Not sure about the others, but in case of ColdFusion it's pure laziness, since there are tons of built-in features to prevent SQL injection. No additional and/or custom stuff necessary.

    7. Re:Sweet story bro by el_gordo101 · · Score: 1

      Same with ASP.NET, parametrized SQL queries are built into the ADO.NET model. Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB. Old school Active Server Pages have no such feature and any data-scrubbing had to be done in a separate function.

      --
      TODO: Insert witty sig
    8. Re:Sweet story bro by BitZtream · · Score: 1

      Parametrized queries in ASP is really pretty much the same as ASP.NET pages, do it all the time myself.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    9. Re:Sweet story bro by Rary · · Score: 1

      Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB.

      This happens all the time. Developers need to be aware of SQL Injection and how to prevent it. You cannot just implement something like parameterized queries and assume that you're defended against the ignorance of other developers on your team. You have to train them.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    10. Re:Sweet story bro by CodeBuster · · Score: 1

      It isn't always easy to get budget for training or even time for proper coding practices. Companies, especially those that use technology but are not in the technology business, want fast results and they want them on the cheap. Many business people don't understand the value of prevention until they are forced to shell out for a pound of cure.

    11. Re:Sweet story bro by josiebgoode · · Score: 1

      I use ASP.NET and for years I have used parameters to fetch data from databases. Thus, specified values are searched in specific fields. I thought SQL injections were only possible through user input from form fields and could only access databases. I don't understand how sites could be corrupted this way in order to redirect a URL.

  5. Is one of those sites /. by Tigger's+Pet · · Score: 3, Funny

    Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

    1. Re:Is one of those sites /. by Massacrifice · · Score: 1

      Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

      We also have plenty of rogue AC on /. lately.

      --
      -- Home is where you eat your heart out.
    2. Re:Is one of those sites /. by Anonymous Coward · · Score: 0

      Just wondering, coz we seem to have been infected by plenty of rogue ACs recently.

      :'(

    3. Re:Is one of those sites /. by AmonTheMetalhead · · Score: 1

      You want rogue ACs? Talk with HBGary

  6. SQL Injection??? by gregrah · · Score: 3, Interesting

    This seems to me like more of a JavaScript injection attack. Or am I missing something?

    Very difficult to tell from the worthless article and summary.

    1. Re:SQL Injection??? by aesiamun · · Score: 2

      How do you get the js injection into the code? SQL injection into whatever their CMS is.

    2. Re:SQL Injection??? by Anonymous Coward · · Score: 1

      The malware is a script that pretends to do an AV scan, obviously finds something and offers to sell the cure. The SQL injection is the part which makes many unrelated web sites redirect to the malware site. Let's say you have a blog which runs the version of your favorite content management system that was current when you started your blog. This software that runs on a server that's connected to the internet 24/7 and offers services to the public happens to have a bug, an SQL injection vulnerability to be precise. The attacker scans for vulnerable hosts, uses SQL injection to gain control over the content management system and then makes your blog redirect visitors to the malware site.

      People install antivirus software on their PCs and keep a dozen autoupdaters running all the time, but the blog software (including add-ons) on their server is fire-and-forget. I keep recommending that people either get managed hosting or refrain from using server-side software. A blog doesn't need to be constructed dynamically on the server. Static web pages are faster and, most importantly, much more secure.

    3. Re:SQL Injection??? by Endophage · · Score: 1

      I'm rather confused by that too. I'd love somebody to explain how an SQL injection attack puts a new javascript tag on a page unless it's targeting some specific CMS that stores a list of required js files in the database.

    4. Re:SQL Injection??? by aesiamun · · Score: 1

      Actually if you look at some of the sites, it's straight from the content, not from the header.

      I took a look and they are randomly placed throughout the content of a stored page.

    5. Re:SQL Injection??? by Anonymous Coward · · Score: 0

      It does need server-side code if you want to let people publically comment on it.

    6. Re:SQL Injection??? by Anonymous Coward · · Score: 0

      If you don't want to rely on client-side scripting for including an external comment service, then get managed hosting. Far too many people who have no clue about managing a public-facing piece of software install their own CMS on virtual servers or shared hosting without professional guidance and supervision. There's nothing wrong with having server side software, but if you do go that route, you have a responsibility and need to maintain that software. If you cannot or do not want to do that, then don't use server-side software.

    7. Re:SQL Injection??? by Endophage · · Score: 1

      Hmmm. So potentially inserting the script tag into the body portion of articles... So what is the common factor across the sites? All using some particular plugin or something (I'm hoping it's not a vulnerability in the core of some widely used CMS)?

    8. Re:SQL Injection??? by tepples · · Score: 1

      A blog doesn't need to be constructed dynamically on the server.

      Its comments do. So does reformatting for mobile or otherwise limited devices if this involves taking things entirely out of the HTML stream. (Before you jump in and recommend separating meaning and presentation with CSS, remember that media-specific CSS can only hide elements; it can't easily reorder them or keep them from being downloaded. Sometimes you want to show less meaning at a time to a mobile user.)

    9. Re:SQL Injection??? by recoiledsnake · · Score: 1

      Look up XSS.

      --
      This space for rent.
    10. Re:SQL Injection??? by logjon · · Score: 0

      XSS is a symptom. The vulnerability exists for SQL injection.

      --
      The stories and info posted here are artistic works of fiction and falsehood.
      Only fools would take it as fact.
    11. Re:SQL Injection??? by Anonymous Coward · · Score: 0

      That's what I thought when I read the article. Injecting JavaScript via a form probably involves storage in an SQL database but that doesn't make it an SQL injection attack. This is an XSS attack.

    12. Re:SQL Injection??? by aesiamun · · Score: 1

      There's only so many ways to write a piss poor CMS :)

    13. Re:SQL Injection??? by Endophage · · Score: 1

      Multiplied by the myriad of ways to write piss poor plugins :)

  7. Re:In before the microsoft shills? by Anonymous Coward · · Score: 0

    Oh...and __fr15t p057__: suck it, bill gates!!!

  8. Binding Params by Toreo+asesino · · Score: 4, Insightful

    Yes, I know I won't be the only one to say it.....

    But seriously, if you don't know about binding params to SQL statements you shouldn't be writing public-facing websites. In any language. Ever.

    --
    throw new NoSignatureException();
    1. Re:Binding Params by Anonymous Coward · · Score: 1

      What's a binding para!@#$(*(!&*!&#$!! PLEASE CLICK THIS LINK for a complimentary security and malware scan. Good for today only!

    2. Re:Binding Params by grumbel · · Score: 2

      Easier said than done, there seems to be quite a few SQL implementations that don't support binding to arrays:

      SELECT * FROM foo WHERE bar IN (?);

    3. Re:Binding Params by Lord+Ender · · Score: 2

      Just as most car drivers don't know how to design safe airbag systems, most people running public-facing websites don't know how to build proper security. They just download some free CMS and go with it.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:Binding Params by Terrasque · · Score: 2

      SQL injection? This sounds like people not sanitizing OUTPUT values, also known as XSS.

      It's talk about redirect, and I would guess that's via some JS that gets displayed.

      I see a script src="url" tag in the screenshot, which further lends credit to that theory.

      However, other than the article text, I can't see any evidence of a SQL injection attack, which is a different kettle of fish than XSS.

      The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job in securing the site against this kind of attacks.

      "The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," they explained.

      Sounds like XSS

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    5. Re:Binding Params by Xenna · · Score: 1

      I agree, I drew the same conclusion when reading the article. The JS code is entered in the database, of course, but not via an SQL injection. XSS vulnerability is much more prevalent than SQL injection vulnerability. Funny how just a few Slashdotters have picked up on this.

    6. Re:Binding Params by Shados · · Score: 2

      While that is true, it is very common for vulnerable websites to have JS injected in their databases via SQL injection.

      If I have, let's say, a custom homegrown CMS...obviously there's going to be some JS and HTML in my data store (unless I store everything as physical files. Uncommon). So I can't exactly escape my output, since valid javascript IS the output... Compromise the database, and the whole thing is compromised.
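      When legitimate script is part of the stored content, as the comment above describes, blanket output escaping is off the table, but the stored rows can still be inventoried for script tags that load from hosts the site never uses. The following is an added example (not code from any commenter, from Websense, or from any CMS): a Python scanner over an in-memory SQLite table of constructed page bodies that reports every <script src=...> whose host is not on an assumed allowlist. The table name `pages`, the allowlist and the sample rows are assumptions for the demonstration; `rogue.invalid` is a placeholder, not a domain from the attack. Row 4 also shows the point made about iTunes further down: an encoded `&lt;script&gt;` is plain text to the parser, so it is neither executed nor reported.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts from which the site legitimately loads scripts (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com", "www.example.com"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_sources(html_fragment):
    """Return the raw src values of all script tags in the fragment."""
    parser = ScriptSrcCollector()
    parser.feed(html_fragment)
    parser.close()
    return parser.sources


def foreign_script_hosts(html_fragment, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return hosts of script src URLs that are not on the allowlist.

    A relative src (no host) is treated as same-origin and allowed.
    Entity-encoded tags such as &lt;script&gt; are text to the parser, so
    they are not reported: like the encoding iTunes applies, they never run.
    """
    hosts = []
    for src in script_sources(html_fragment):
        host = urlsplit(src).hostname
        if host and host.lower() not in allowed:
            hosts.append(host.lower())
    return hosts


def scan_pages(conn, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return [(page_id, [foreign hosts])] for every stored page referencing one."""
    findings = []
    for page_id, body in conn.execute("SELECT id, body FROM pages ORDER BY id"):
        hosts = foreign_script_hosts(body, allowed)
        if hosts:
            findings.append((page_id, hosts))
    return findings


def build_sample_db():
    """In-memory table with constructed page bodies (not data from any real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    rows = [
        (1, '<p>Hello</p><script src="https://cdn.example.com/site.js"></script>'),
        (2, '<p>Inline widget</p><script>initWidget();</script>'),
        (3, '<p>Some text</p><script src="http://rogue.invalid/x.js"></script><p>more text</p>'),
        (4, '<p>Encoded, inert: &lt;script src="http://rogue.invalid/x.js"&gt;&lt;/script&gt;</p>'),
        (5, '<p>Relative</p><script src="/js/app.js"></script>'),
    ]
    conn.executemany("INSERT INTO pages VALUES (?, ?)", rows)
    return conn


if __name__ == "__main__":
    for page_id, hosts in scan_pages(build_sample_db()):
        print(f"page {page_id}: script loaded from {', '.join(hosts)}")
```

      Only page 3 is reported. Inline script (page 2) and same-origin or allowlisted script (pages 1 and 5) pass, and a scan like this is cheap enough to run on a schedule against the content tables, which is what turns a mid-content injection into a finding rather than a surprise.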

    7. Re:Binding Params by Anonymous Coward · · Score: 0

      SELECT * FROM foo WHERE bar IN (?);
      SELECT * FROM foo WHERE bar IN (?,?);
      SELECT * FROM foo WHERE bar IN (?,?,?);
      SELECT * FROM foo WHERE bar IN (?,?,?,?);
      SELECT * FROM foo WHERE bar IN (?,?,?,?,?); ... ...

      is it really that hard?

    8. Re:Binding Params by fatphil · · Score: 1

      I pulled up a few infected pages, and if I were to perform the same attack, I'd want to get some kind of 'update tablename set field="payload"' being executed by the server. And that would be a SQL injection.

      How do you see XSS executing on a client machine affecting every record in a database on the server?

      --
      Also FatPhil on SoylentNews, id 863
    9. Re:Binding Params by Anonymous Coward · · Score: 0

      If that is what you are trying to do then you are doing it wrong, you are using a relational database to solve a network database problem.

      You should use a database whose semantics match the problem to be solved.

      When you have an SQL database in your hand everything looks like a relational query.

    10. Re:Binding Params by fatphil · · Score: 1

      Well, to answer my own question, it is a SQL injection using an update, as I postulated, according to a victim:
      """
      We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!
      """

      --
      Also FatPhil on SoylentNews, id 863
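      The victim quoted above points at the web server access logs as the place where the injected update statements become visible. The following is an added example, not code from the quoted victim, from Websense, or from any commenter: a small Python scanner over constructed Apache-style combined log lines that URL-decodes each GET target and flags parameters carrying statement-shaped SQL (a verb together with the keyword that follows it in a real statement, so a search for "update your profile settings" is not a hit). The log lines, IP addresses and the `%27PLACEHOLDER%27` value are constructed for the demonstration; the log format is assumed to be Apache combined.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2011:10:12:01 +0000] "GET /article.asp?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Mar/2011:10:12:05 +0000] "GET /article.asp?id=42;UPDATE+articles+SET+body=%27PLACEHOLDER%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Mar/2011:10:12:06 +0000] "GET /search.asp?q=update+your+profile+settings HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.12 - - [31/Mar/2011:10:12:09 +0000] "POST /login.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Request line inside the quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')

# Statement-shaped SQL fragments that have no business in a URL parameter.
# A bare word like "update" is not enough (see the search query above), so
# each pattern requires the verb plus the keyword that follows it.
SQL_PATTERNS = {
    "update_set": re.compile(r"\bupdate\s+\w+\s+set\b", re.I),
    "insert_into": re.compile(r"\binsert\s+into\b", re.I),
    "delete_from": re.compile(r"\bdelete\s+from\b", re.I),
    "drop_table": re.compile(r"\bdrop\s+table\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}


def suspicious_fragments(text):
    """Return the names of all SQL patterns found in one decoded string."""
    return [name for name, rx in SQL_PATTERNS.items() if rx.search(text)]


def scan_access_log(log_text):
    """Scan access-log lines and return (line_number, parameter, pattern) triples.

    The query string is decoded the way the application decodes it (percent
    escapes and '+' as space) before matching, because the injected statement
    arrives URL-encoded. Key and value are checked together so a statement
    landing in the key position (after a ';' split) is still caught.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # The path itself may carry the injection (e.g. route parameters).
        for name in suspicious_fragments(unquote_plus(parts.path)):
            findings.append((line_no, "<path>", name))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            for name in suspicious_fragments(f"{key}={value}"):
                findings.append((line_no, key, name))
    return findings


if __name__ == "__main__":
    for line_no, param, name in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} contains {name}")
```

      Only the second line is reported. POST bodies are not in the access log, so a scan like this covers the URL-parameter case the victim describes and nothing more; for form submissions the same matching would have to run on the request bodies at the application or proxy layer.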
    11. Re:Binding Params by Xenna · · Score: 1

      Only if you consider posting on Slashdot SQL injection too... ;)

    12. Re:Binding Params by fatphil · · Score: 1

      Disagree completely. SQL injection is where the payload is executed as SQL, which has happened in this defacement attack. On slashdot, if I write a line of SQL it's not executed as SQL, it's just text characters that are never executed.

      --
      Also FatPhil on SoylentNews, id 863
    13. Re:Binding Params by Terrasque · · Score: 1

      Thanks for the UPDATE; Better to know than to speculate, even if it shows that my speculations were wrong :)

      --
      It's The Golden Rule: "He who has the gold makes the rules."
  9. mysql.com included? by Anonymous Coward · · Score: 0

    should count it as one

  10. No wonder. by Anonymous Coward · · Score: 0

    I've been stumbling more and more on those phony anti-virus warnings and most of the time they leave an executable in my temp directory - I'm always logged in as a client and MS Security Essentials is pretty good at catching it - albeit long after it's on my hard drive :(

    The sucky part is that it's been hitting legitimate websites - it's no longer just a problem with the porn or the naked celebrity (naked celebrity sites are the worst!)

    I was looking at something completely innocuous (I think it was home improvement things) and I got that phony anti virus screen.

    It's spreading.....

    The fun part: it's kind of a hoot when the phony antivirus screen comes up showing a Windows XP window and file system ..... and you're on fedora 14/GNOME ...

    1. Re:No wonder. by psyclone · · Score: 1

      Maybe you should try noscript to block unwanted 3rd party scripts.

  11. More Information Please? by Haedrian · · Score: 3, Interesting

    Website use follows a Zipfian distribution. Less popular sites may be more vulnerable to attack since they'd be written by script kiddies.

    So instead of telling us how many URLs have been hijacked, how about telling us how many end users are likely to be affected by this? It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

    1. Re:More Information Please? by John+Hasler · · Score: 1

      It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

      You make it sound as if those are mutually exclusive.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:More Information Please? by poptones · · Score: 1

      I don't do porn tgps, music sites or pretty much anything like that and yet I've seen several "possible attack site" warnings today in Firefox. Weird sites, like furniture and such. I click a link and get that red screen. I was wondering what was up, it seems very strange today.

  12. Luckily by $RANDOMLUSER · · Score: 1

    McAfee.com is totally safe.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Luckily by Anonymous Coward · · Score: 0

      Except of course the Vulnerabilities that remain unpatched - as reported on seclists.org [http://seclists.org/fulldisclosure/2011/Mar/313]

  13. Re:Can't Recognize by TaoPhoenix · · Score: 1

    I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

    Wanna see how fast that gets taken care of?

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  14. Here's a suggestion by smooth+wombat · · Score: 3, Interesting

    How about posting a screenshot of the anti-malware warning so we can be aware of it. I recently had to remove a piece of cruft from a user's laptop which, as far as I can tell, came from a Flash ad.

    Since I know this user doesn't go to random bobssoftware.com sites, it had to come from an ad or a compromised site.

    Also, would it have killed the editors to go to the source rather than some blog which scraped the source site?

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Here's a suggestion by Megahard · · Score: 1

      I had the misfortune to run into it yesterday. It continuously runs a fake scan, asks you to download an executable, and doesn't let you navigate away from the page. The only way I got rid of it was by shutting down JavaScript then closing the tab.

      --
      I eat only the real part of complex carbohydrates.
    2. Re:Here's a suggestion by Lumpy · · Score: 1

      alt-F4 conquers ANY of these.

      --
      Do not look at laser with remaining good eye.
    3. Re:Here's a suggestion by Xenna · · Score: 1

      I've seen one of those when a colleague asked for my help. It looks deceptively realistic; technically unsophisticated users could easily be fooled.

    4. Re:Here's a suggestion by Anonymous Coward · · Score: 0

      I've run into a couple of these. Just type in an actress' name into Google Images using default search settings. Scroll down until you see the one image that is... {ahem} "out-of-place". Right-click and open in new tab. Watch the hilarity ensue.

      I say hilarity, as it pops up what looks like the XP file manager/explorer, pretends to scan your PC, and tells you that files are infected.

      I run Fedora, so it's highly unlikely my "svchost.exe" has a problem. Also, XP is not Gnome. Yeah, I got a good chuckle out of that, closed the tab, and kept browsing.

      Yet, I have to admit, an inexperienced user would very well be defecating rectangular solids upon seeing that. So, there are now three reasons I still have an XP box around: Virus scanning of other HDs, Malware scanning of other HDs, and Irfanview (fsck Photoshop - I can use the GIMP, but nothing compares to the speed, small size, and versatility of Irfanview. Sadly, there's no Linux version of it.).

    5. Re:Here's a suggestion by Anonymous Coward · · Score: 0

      You really think that the user tells you about every site, even the kinky donkey kong sites?

  15. LOL@Slashdot by Anonymous Coward · · Score: 0

    Let me inject my useless comment into a useless story using SQL right now...

    yawn... this site is the FOX NEWS of tech... but people know that by now...

  16. hah... by koan · · Score: 1

    I often get my security software from pop ups.

    You know...I would say people need to take a test and get a license before they can "surf the net" but look at how well that turned out for cars.

    --
    "If any question why we died, Tell them because our fathers lied."
  17. Kind of amusing by Anonymous Coward · · Score: 0

    I can't help but smile when I hear about how this kind of intrusion trouble hits those who have actually done it wrong. That's what they have done, otherwise they wouldn't be vulnerable to SQL injections (even aside from the fact that they are using SQL). I cringe when I see people do it so it feels good when they are punished. They don't know what they are doing, or at least they don't understand what they are doing well enough. What happens when I take in this parameter from there and use it over here as a part of my code? They don't seem to have thought that through, which I find intellectually evil.

    Doing it wrong can still pass your test cases, if you are unlucky.

  18. Ooh, Shiny! =Click-ety= by iiiears · · Score: 1

    Firefox and NoScript to the rescue. Again...

    If your server was one of the 380,000 hacked, I hope you will be back online soon.

    --
    15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
  19. What are the malware URLs? by Anonymous Coward · · Score: 0

    Our website was hacked recently, via sniffed FTP passwords, not SQL injection. The site that our visitors were being redirected to was voictoall.com and another domain in the .cc tld. Does anybody know what the URLs of this attack were? I would be interested in knowing if it was the same folks who attacked us.

    1. Re:What are the malware URLs? by Lumpy · · Score: 1

      sniffed FTP... wow... why were you not using sftp or ssh? you don't use FTP for ANYTHING but a public file repository where anonymous is the username.

      --
      Do not look at laser with remaining good eye.
    2. Re:What are the malware URLs? by Anonymous Coward · · Score: 0

      sound advice. the only problem is that under capitalism, bosses make the calls, not the hackers who work for them.

  20. As always, NoScript to the rescue by ArcCoyote · · Score: 1

    NoScript will protect you from this and all 3rd-party script injection, even when set very permissive (allow all scripts from the base domain)

    1. Re:As always, NoScript to the rescue by Anonymous Coward · · Score: 0

      It doesn't protect the site from becoming infected in the first place which is the real problem here. Often NoScript is like AV. It treats the symptoms of the problem and not the problems themselves. Don't get me wrong, NoScript is an excellent tool (I use it myself and I recommend it to many). I just think that too often it gets promoted as a cure all at the expense of giving the real problem some thoughtful discussion.

      And really does NoScript protect you here? SQL injection is a method of compromising servers. The third party content is served up by the compromised server in the same way as the first party content (which you probably already told NoScript to trust).

    2. Re:As always, NoScript to the rescue by Anonymous Coward · · Score: 0

      IE 8 and IE 9 both have XSS protection and should be safe. I am curious if Firefox 4 has this as well?

    3. Re:As always, NoScript to the rescue by Anonymous Coward · · Score: 0

      Now this is why I always return to slashdot. There's nerds here with real knowledge!

  21. Construct the array and placeholders in parallel by tepples · · Score: 1

    there seems to be quite a few SQL implementations that don't support binding to arrays:

    SELECT * FROM foo WHERE bar IN (?)

    I asked the webmaster of bobby-tables.com about this. The reply was that apparently, you're supposed to construct the list of placeholders in the statement in parallel with the array of values to be substituted into those placeholders. But under some APIs *cough*mysqli*cough*, that can be far more painful than making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character that your DBMS's manual mentions.

  22. Here, have a massive XSS vulnerability by Anonymous Coward · · Score: 0

    http://digg.com/eyewonder/interim.html?url=http://example.com/bad.js
    cnn.com/eyewonder/interim.html
    foxnews.com/eyewonder/interim.html
    www.nbc.com/eyewonder/interim.html
    news.cnet.com/eyewonder/interim.html
    www.myspace.com/eyewonder/interim.html
    You get the idea..

    There's also another vulnerable file /flashtalking/ftlocal.html on many sites

    1. Re:Here, have a massive XSS vulnerability by Anonymous Coward · · Score: 0

      WTF? Amateur hour at the mega sites?

    2. Re:Here, have a massive XSS vulnerability by Anonymous Coward · · Score: 0

      Fuck me. That is really, really appalling. Endless target opportunity.

    3. Re:Here, have a massive XSS vulnerability by Kalriath · · Score: 1

      No, Eyewonder is one of their advertising providers. And we all know how shitty advertising providers are.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  23. Re:Can't Recognize by ackthpt · · Score: 1

    I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

    Wanna see how fast that gets taken care of?

    Yeah, have the RIAA or MPAA on your case and you've got a trillion dollar lawsuit coming! Brr!!! I'll take my chances with teh feds.

    --

    A feeling of having made the same mistake before: Deja Foobar
  24. Re:Construct the array and placeholders in paralle by Lumpy · · Score: 1

    You are correct sir....

    in php....

    $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string);

    or simply use the http://docs.php.net/manual/en/function.mysql-real-escape-string.php function if you need full flexibility and to make sure it's clean and safe.

    and done. in fact you are a lazy programmer if you don't sanitize your user input. Yes it's nice to add the extra security of setting up the DB correctly, but only a fool would not sanitize the user input to begin with.
    Rule #1 is to treat all user input as hostile and dangerous. If you stick to that a lot of these pesky injection attacks go away.

    --
    Do not look at laser with remaining good eye.
  25. Oh yes, little Bobby Tables, we call him. by WebManWalking · · Score: 1, Funny
    1. Re:Oh yes, little Bobby Tables, we call him. by Anonymous Coward · · Score: 0

      ugh, rule nr 1 for posting linking to jokes in threads: NEVER INCLUDE THE PUNCHLINE IN YOUR LINK / TITLE.

  26. Re:Construct the array and placeholders in paralle by Anonymous Coward · · Score: 0

    This is the "but what about Unicode?" reply that you hoped no one would bother posting.

  27. More info on this hack by Anonymous Coward · · Score: 0

    There are two more links which get injected via this particular hack. It is pretty common to see malicious hackers inject multiple links in one hack attempt.
    http://www.stopthehacker.com/2011/03/31/lizamoon-hack-mass-sql-injection/

  28. Re:Construct the array and placeholders in paralle by tepples · · Score: 1

    making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character

    simply use mysql_real_escape_string() if you need full flexibility and to make sure it's clean and safe.

    That's what I do inside db_escape_list(), but the bobby-tables.com guy says it's not enough: one must use ? and only ?.

  29. My efforts pale in comparison by Anonymous Coward · · Score: 0

    My hot beef injection attack only compromised 10-15 URLs

  30. Re:Ooh, Shiny! =Click-ety= by wagnerrp · · Score: 1

    The article never claimed there were 380k servers hacked, it merely claimed there were 380k compromised unique URLs. If you follow the article, they are unique URLs as determined by a Google search. It could just as well be a hundred hacked servers with several thousand compromised pages each. Many of those pages could even be duplicates of one another.

  31. HERE IS THE ACTUAL ATTACK CODE.... by Anonymous Coward · · Score: 3, Informative

    The article is sorely missing any useful information as to what the attack is and how to protect against it....

    http://stackoverflow.com/questions/3761064/need-help-with-this-xss-attack

    Currently, it is aimed at IIS/MS-SQL web sites that have input forms that aren't validating the input and neutralizing HTML tags

    1. Re:HERE IS THE ACTUAL ATTACK CODE.... by AmonTheMetalhead · · Score: 1

      Heh, Deja-vu

    2. Re:HERE IS THE ACTUAL ATTACK CODE.... by Anonymous Coward · · Score: 0

      If you think you are being secure by stripping HTML from form data you are building very insecure sites. Filtering on input is near useless. Here's why:

      http://acko.net/blog/safe-string-theory-for-the-web

    3. Re:HERE IS THE ACTUAL ATTACK CODE.... by Bacon+Bits · · Score: 1

      To be clear, it's not targeting vulnerabilities in IIS or MS-SQL. They're targeting Bobby Tables vulnerabilities in CMS and web apps. The same vulnerabilities exist regardless of what web server or database platform you're using. Once you've found your injection vulnerability you can just query the DB for the platform. Pretty much every platform has a built-in command for listing the attached databases. It's trivial to work back from there. Once you've established the specific CMS app (assuming they didn't brand it all over the normal output pages anyways) you can figure out how to return forwarders as desired.

      PostgreSQL: select datname from pg_database;
      MySQL: show databases;
      MS SQL Server: exec sp_databases;
      Oracle: select * from user_tablespaces;

      The issues that have been hitting our network (a public school district) have been the sites who only respond with malware infection when the HTTP Referer (sic) is from Google Image Search or Bing Image Search. Additionally, the software typically doesn't try to install anywhere outside of the user's home folders (which they're obviously going to have write access to). So even though only IT staff have rights above a standard User, users are able to get infected. The web-based security scans that Google and Bing do don't catch these infections at all, and so they're not removed from search results like they should be. It's quite frustrating that neither Google nor Microsoft has addressed this problem.

      On the plus side, only teachers and elementary students are gullible enough to actually install the software. Older students know it's a scam.

      --
      The road to tyranny has always been paved with claims of necessity.
  32. Re:Can't Recognize by BitZtream · · Score: 1

    The lawsuits won't start until everyone has all 380k songs. It's more profitable for them to wait to sue you than it is to start now.

    You think the RIAA doesn't want you to have music, which is wrong. They want you to have all of their music, multiple times, they just want to make sure they can charge you as many ways as possible, including charging you even if you don't listen to any of their music (ref: tax on writable CDs).

    They'll be happy to wait until all the transfers are complete so they can sue each infected person for illegally obtaining and distributing 380k songs at whatever the ridiculous fine per song they have is.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  33. Re:Construct the array and placeholders in paralle by Anonymous Coward · · Score: 0

    Not sure what the exact PHP syntax is, but in Perl:
    my @list;                                   # the values to match, one ? per element
    my $places = join(",", ("?") x @list);      # "?,?,?" for a three-element list
    my $sth = $dbh->prepare("SELECT stuff FROM table WHERE stuff IN ($places)");
    $sth->execute(@list);                       # placeholder count and value count come from the same array

  34. WinXP SP4 on the way by Teun · · Score: 1

    Maybe that's why there'll be a WinXP SP4 coming out tomorrow?

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  35. Re:Construct the array and placeholders in paralle by VDizzle · · Score: 1

    # An empty @bind would produce "IN ()", which is a syntax error, so only add the clause when there are values.
    my $col_a_criteria = @bind ? ' AND COLUMN_A IN (' . join(",", ('?') x @bind) . ') ' : '';

    my $sth = $dbh->prepare("select column_B from my_table where column_z = ? $col_a_criteria");

    $sth->execute($col_z, @bind);   # @bind is empty exactly when the clause was omitted, so the counts still match

    # It also wouldn't hurt to make sure that you are not exceeding the max SQL length or max values in an IN clause...
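
    The two Perl snippets in this subthread build the placeholder list in parallel with the bound values. Here is the same idiom in Python against an in-memory sqlite3 database, as an added example that is not code from any poster on this page, extended to the two caveats raised above: an empty list (which would emit the syntactically invalid IN ()) and the per-statement bind-variable cap, which it handles by chunking. The users table, its rows, the column allow-list and the 999-variable limit are assumptions made for the demo; the hostile value and the O'Brien row are constructed to show that a bound value is only ever data.

```python
import sqlite3
from typing import Iterable, List, Sequence, Tuple

# Upper bound on bound variables per statement. SQLite's default
# SQLITE_MAX_VARIABLE_NUMBER was 999 for years (32766 since 3.32), so
# chunking at 999 is safe on any build. Assumed value for this demo.
MAX_BIND_VARS = 999

TABLE = "users"                   # hypothetical table for the demo
SEARCHABLE = {"name", "email"}    # identifiers cannot be bound, so allow-list them


def in_clause(values: Sequence) -> Tuple[str, List]:
    """Return ('?,?,?', [v1, v2, v3]) built from one and the same sequence.

    Because placeholders and parameters come from a single source their
    counts cannot drift apart, and no value is ever concatenated into SQL.
    """
    params = list(values)
    if not params:
        raise ValueError("IN list must not be empty: 'IN ()' is a syntax error")
    return ",".join("?" * len(params)), params


def chunked(seq: Sequence, size: int) -> Iterable[Sequence]:
    """Yield consecutive slices of at most `size` elements."""
    for start in range(0, len(seq), size):
        yield seq[start:start + size]


def find_users(conn: sqlite3.Connection, column: str,
               values: Sequence[str]) -> List[Tuple[int, str, str]]:
    """SELECT rows whose `column` is IN `values`, binding every value.

    Covers the cases the thread raises:
      * empty list  -> return [] rather than emitting 'IN ()'
      * long list   -> split into chunks under the bind-variable limit
      * column name -> checked against SEARCHABLE, since it is interpolated
    """
    if column not in SEARCHABLE:
        raise ValueError(f"column not searchable: {column!r}")
    values = list(values)
    if not values:
        return []
    rows: List[Tuple[int, str, str]] = []
    for chunk in chunked(values, MAX_BIND_VARS):
        placeholders, params = in_clause(chunk)
        sql = (f"SELECT id, name, email FROM {TABLE} "
               f"WHERE {column} IN ({placeholders})")
        rows.extend(conn.execute(sql, params).fetchall())
    return rows


def demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        f"INSERT INTO {TABLE} (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("O'Brien", "obrien@example.com"),   # a legitimate quote; binding keeps it intact
         ("bob", "bob@example.com")],
    )
    return conn


def injection_attempt_is_inert(conn: sqlite3.Connection) -> bool:
    """A tautology payload bound as a value matches nothing: the SQL stays 'IN (?)'."""
    hostile = "x' OR '1'='1"   # classic payload, constructed for the demo
    return find_users(conn, "name", [hostile]) == []


def large_list_roundtrip(conn: sqlite3.Connection, padding: int) -> int:
    """Search for `padding` non-existent names plus the three real ones; expect 3."""
    names = [f"nobody{i}" for i in range(padding)] + ["alice", "O'Brien", "bob"]
    return len(find_users(conn, "name", names))


if __name__ == "__main__":
    db = demo_db()
    print(in_clause(["a", "b", "c"])[0])                 # ?,?,?
    print(find_users(db, "name", ["alice", "O'Brien"]))
    print(injection_attempt_is_inert(db))                # True
    print(large_list_roundtrip(db, 2500))                # 3
```

    The only string interpolated into the statement is the column name, which is why it goes through an allow-list: DBI, mysqli and sqlite3 all bind values, none of them bind identifiers. Everything user-supplied travels in the parameter list, so the escaping-and-testing exercise described earlier in the thread never arises.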

  36. Then I guess MySQLi is sucks by tepples · · Score: 1

    $dbh->execute(@list);

    If only it were that easy. In PHP MySQLi, $stmt->bind_param() wants individual variables as parameters, not a single array. They have to be variables, not values, because they're passed by reference. Moreover, the first parameter is a string with one character stating the data type of each following variable to be passed into the statement. The function bind_param() is variadic, and all three argument counts (number of ?s, number of characters in type string, and number of variables following type string) all have to match, or MySQLi raises an exception. I guess the moral is that if you have the bobby-tables.com guy on your team, MySQLi isn't the best tool. If only I'd known this at the start of the big project.

  37. Re:Construct the array and placeholders in paralle by tepples · · Score: 1
  38. Re:Construct the array and placeholders in paralle by AmonTheMetalhead · · Score: 1

    Not sanitizing input (any input, be it from a user or a remote site or a webservice or what have you) is asking for trouble, I see shit like this daily.

  39. Re:Construct the array and placeholders in paralle by fatphil · · Score: 1

    Replace
    my $places = join(",", ("?")x@list);

    With
    my $places = ('?,' x $#list) . '?';   # $#list is the last index, so this yields scalar(@list) placeholders; @list must be non-empty

    For an order of magnitude increase in efficiency. You don't want an array, don't create a temporary one, just go straight to the string you want.

    However, if you've got such long lists that even that 'x' is expensive - just have a prepared string of ?,?,?,?,?,?,?.... and use substr of the appropriate length.

    --
    Also FatPhil on SoylentNews, id 863
  40. IE 9 and Firefox 4 by Billly+Gates · · Score: 1

    Can the newer browsers' security features that check XSS help? My parents' computer still uses Firefox 3.x and they get a weird spyware bar installed that an anti-virus program caught. I wonder if this has anything to do with that

  41. Obligatory by Nefarious+Wheel · · Score: 0

    http://xkcd.com/327/ Young Bobby Tables

    --
    Do not mock my vision of impractical footwear
    1. Re:Obligatory by ciderbrew · · Score: 1

      now in 3D :)

  42. Update from Websense: 500k URLs, injection code by Kolargol00 · · Score: 1

    Websense published an update to their previous article with more information about the attack. It includes the SQL injection code.

    --
    XML is like violence. If it doesn't solve the problem, use more. Junta
  43. Re:Ooh, Shiny! =Click-ety= by Anonymous Coward · · Score: 0

    Relax. Is it possible for anyone to know how many machines or pages?
    Approximation is an art with numbers like IP addresses and servers..

    (Psst.. Give others the benefit of a doubt.)