Massive SQL Injection Attack Compromises 380K URLs

Orome1 writes "A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked. The injected script redirects users that have landed on the various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution."

380 aint so bad

[digitalsushi]

If each of those kurls is able to be refinished, I think that they could withstanding another couple injections, easily. Why is sensationalist media destroying our national merits!? Only on slashdot, and yes, I did read the article.

Redirected

[Jurramonga]

I was trying to access www.AntiVirusPro2011.com when I got redirected here.

Re:Redirected

[WrongSizeGlass]

I was trying to access www.AntiVirusPro2011.com when I got redirected here.

You should have been trying to get to lizamoon.com instead ... but it's not responding anymore. I guess it got overloaded (or shutdown).

Re:Redirected

[WrongSizeGlass]

lizamoon -- hah, you also had a customer affected by it?

No, it was in the article so I tried to go to the site to see what it was actually doing. Knowing what it looks like will help me spot it in case one of my client's computers (or websites) gets affected.

Some future this is...

[ackthpt]

I want my money back. This isn't the future I was promised.

I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back. I don't understand why this sort of behavior isn't being shut down promptly by the powers that be of the internet. They'll watch your music, the CIA will record every character transmitted or received (Hi, Bob!), but they can't seem to recognise the same stupid bogus anti-malware scan scam going from IP address A to IP address B.

Don't worry about 1984 and Big Brother, we aren't even close.

Re:Some future this is...

[Massacrifice]

the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

Re:Some future this is...

[recoiledsnake]

>I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

What are you talking about?

Re:Some future this is...

[ackthpt]

>I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

What are you talking about?

If you have all the right holes open, that Malware scan does more than just launch an page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding. Thanks to the mindbogglingly stupid way Windows installs software packages I can't just format my system partition and reinstall the OS - my registry, my documents, my program files, et al are in the same basket. Sometimes you can install software to a different drive, but the vendor puts stuff in your Registry which goes with the rebuild and you can spend lots of fun time installing software all over again. Geez. Why didn't they adopt the *nix approach to filesystems.

Re:Some future this is...

[ackthpt]

the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

Ironically we'll hear that 1,000 government PCs are infected. But have some stalker on Craigslist posting from a Starbucks and the cars are already on the way. Russia may be a riddle wrapped in an enigma, but how FBI/CIA/DHS/law enforcement have access to stuff so quick, but nobody can seem to prevent the same old sh*t, which has been on the internet for years, from moving around is beyond me.

Re:Some future this is...

[recoiledsnake]

>If you have all the right holes open, that Malware scan does more than just launch an page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding.

What right holes? Are you talking about Windows 7 or XP? That malware scan can't do shit unless you click to download and install the exe from that suspect site and then click okay the UAC prompt. Even if it compromised IE, IE runs in a low permission sandbox that is extremely difficult to get out of, forget about modifying system files.

If you do the equivalent on Unix, you still have to wipe the system, Eg. see this http://www.linuxforums.org/forum/security/29611-rootkit-infected.html

I don't see what you're cribbing about or anything about the "(thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) ".

Re:Some future this is...

[PNutts]

Sometimes you can install software to a different drive, but the vendor puts stuff in your Registry which goes with the rebuild and you can spend lots of fun time installing software all over again.

Or you could backup the parts that are important to you.

Sweet story bro

[19thNervousBreakdown]

So, what's the attack? What SQL servers/CMS/languages are vulnerable?

Re:Sweet story bro

[an00bis]

Looking through the first several pages from Google, searching for the same string that was in the article, it's predominantly ASP/ASPX/CFM that is coming up. Probably nothing new, just taking raw user input and querying directly with that.

Re:Sweet story bro

[WrongSizeGlass]

So, what's the attack? What SQL servers/CMS/languages are vulnerable?

Neither article says ... so I guess the only way to find out is to hit the internet and find out for ourselves!

Re:Sweet story bro

[shadowrat]

The article didn't really say. I went looking for the same information. All i found was a lot of talk about what you will find on an infected site. The takeaway seems to be: If your site is serving up weird links that you didn't put there, sanitize everything.

that hardly seems like news.

Re:Sweet story bro

[el_gordo101]

After a cursory glance at the search results of infected pages, I saw the following file types:
Microsoft Active Server Pages (.asp)
Microsoft ASP.NET (.aspx)
Java Server Pages (.jsp)
Cold Fusion (.cfm)

Seems mostly aimed towards .asp and .aspx pages, but I would venture to guess that any web app that doesn't scrub the form input data would be vulnerable.

Re:Sweet story bro

[lennier1]

Not sure about the others, but in case of ColdFusion it's pure laziness, since there are tons of built-in features to prevent SQL injection. No additional and/or custom stuff necessary.

Re:Sweet story bro

[el_gordo101]

Same with ASP.NET, parametrized SQL queries are built into the ADO.NET model. Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB. Old school Active Server Pages have no such feature and any data-scrubbing had to be done in a separate function.

Re:Sweet story bro

[BitZtream]

Parametrized queries in ASP is really pretty much the same as ASP.NET pages, do it all the time myself.

Re:Sweet story bro

[Rary]

Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB.

This happens all the time. Developers need to be aware of SQL Injection and how to prevent it. You cannot just implement something like parameterized queries and assume that you're defended against the ignorance of other developers on your team. You have to train them.

Re:Sweet story bro

[CodeBuster]

It isn't always easy to get budget for training or even time for proper coding practices. Companies, especially those that use technology but are not in the technology business, want fast results and they want them on the cheap. Many business people don't understand the value prevention until they are forced to shell out for a pound of cure.

Re:Sweet story bro

[josiebgoode]

I use ASP.NET and for years I use parameters to fetch data from databases. Thus, specified values are searched in specific fields. I thought SQL injections were only possible thru user input from form fields and could only access databases. I don't understand how sites could be corrupted this way in order to redirect an URL.

Is one of those sites /.

[Tigger's+Pet]

Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

Re:Is one of those sites /.

[Massacrifice]

Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

We also have plenty of rogue AC on /. lately.

Re:Is one of those sites /.

[AmonTheMetalhead]

You want rogue AC's? Talk with HBGary

SQL Injection???

[gregrah]

This seems to me like more of a JavaScript injection attack. Or am I missing something?

Very difficult to tell from the worthless article and summary.

Re:SQL Injection???

[aesiamun]

How do you get the js injection into the code? SQL injection into whatever their CMS is.

Re:SQL Injection???

The malware is a script that pretends to do an AV scan, obviously finds something and offers to sell the cure. The SQL injection is the part which makes many unrelated web sites redirect to the malware site. Let's say you have a blog which runs the version of your favorite content management system that was current when you started your blog. This software that runs on a server that's connected to the internet 24/7 and offers services to the public happens to have a bug, an SQL injection vulnerability to be precise. The attacker scans for vulnerable hosts, uses SQL injection to gain control over the content management system and then makes your blog redirect visitors to the malware site.

People install antivirus software on their PCs and keep a dozen autoupdaters running all the time, but the blog software (including add-ons) on their server is fire-and-forget. I keep recommending that people either get managed hosting or refrain from using server-side software. A blog doesn't need to be constructed dynamically on the server. Static web pages are faster and, most importantly, much more secure.

Re:SQL Injection???

[Endophage]

I'm rather confused by that too. I'd love somebody to explain how an SQL injection attack puts a new javascript tag on a page unless it's targeting some specific CMS that stores a list of required js files in the database.

Re:SQL Injection???

[aesiamun]

Actually if you look at some of the sites, it's straight from the content, not from the header.

I took a look and they are randomly placed throughout the content of a stored page.

Re:SQL Injection???

[Endophage]

Hmmm. So potentially inserting the script tag into the body portion of articles... So what is the common factor across the sites? All using some particular plugin or something (I'm hoping it's not a vulnerability in the core of some widely used CMS)?

Re:SQL Injection???

[tepples]

A blog doesn't need to be constructed dynamically on the server.

Its comments do. So does reformatting for mobile or otherwise limited devices if this involves taking things entirely out of the HTML stream. (Before you jump in and recommend separating meaning and presentation with CSS, remember that media-specific CSS can only hide elements; it can't easily reorder them or keep them from being downloaded. Sometimes you want to show less meaning at a time to a mobile user.)

Re:SQL Injection???

[recoiledsnake]

Look up XSS.

Re:SQL Injection???

[aesiamun]

There's only so many ways to write a piss poor CMS :)

Re:SQL Injection???

[Endophage]

Multiplied by the myriad of ways to write piss poor plugins :)

Binding Params

[Toreo+asesino]

Yes, I know I won't be the only one to say it.....

But seriously, if you don't know about binding params to SQL statements you shouldn't be writing public-facing websites. In any language. Ever.

Re:Binding Params

What's a binding para!@#$(*(!&*!&#$!! PLEASE CLICK THIS LINK for a complimentary security and malware scan. Good for today only!

Re:Binding Params

[grumbel]

Easier said that done, there seems to be quite a few SQL implementations that don't support binding to arrays:

SELECT * FROM foo WHERE bar IN (?);

Re:Binding Params

[Lord+Ender]

Just as most car drivers don't know how to design safe airbag systems, most people running public-facing websites don't know how to build proper security. They just download some free CMS and go with it.

Re:Binding Params

[Terrasque]

SQL injection? This sounds like people not sanitizing OUTPUT values, also known as XSS.

It's talk about redirect, and I would guess that's via some JS that gets displayed.

I see a script src="url" tag in the screenshot, which further lends credit to that theory.

However, other than the article text, I can't see any evidence of a SQL injection attack, which is a different kettle of fish than XSS.

The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job in securing the site against this kind of attacks.

"The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," they explained.

Sounds like XSS

Re:Binding Params

[Xenna]

I agree, I drew the same conclusion when reading the article. The JS code is entered in the database, of course, but not via an SQL injection. XSS vulnerability is much more prevalent than SQL injection vulnerability. Funny how just a few Slashdotters have picked up on this.

Re:Binding Params

[Shados]

While that is true, it is very common for vulnerable websites to have JS injected in their databases via SQL injection.

If I have, let say, a custom homegrown CMS...obviously there's going to be some JS and HTML in my data store (unless I store everything as physical files. Uncommon). So I can't exactly escape my output, since valid javascript IS the output... Compromise the database, and the whole thing is compromised.

Re:Binding Params

[fatphil]

I pulled up a few infected pages, and if I were to perform the same attack, I'd want to get some kind up 'update tablename set field="payload"' being executed by the server. And that would be a SQL injection.

How do you see XSS executing on a client machine affecting every record in a database on the server?

Re:Binding Params

[fatphil]

Well, to answer my own question, it is a SQL injection using an update, as I postulated, according to a victim:
"""
We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!
"""

Re:Binding Params

[Xenna]

Only if you consider posting on Slashdot SQL injection too... ;)

Re:Binding Params

[fatphil]

Disagree completely. SQL injection is where the payload is executed as SQL, which has happened in this defacement attack. On slashdot, if I write a line of SQL it's not executed as SQL, it's just text characters that are never executed.

Re:Binding Params

[Terrasque]

Thanks for the UPDATE; Better to know than to speculate, even if it shows that my speculations were wrong :)

More Information Please?

[Haedrian]

Website use follows a Zipfian distribution. Less popular sites may be more vulnerable to attack since they'd be written by script kiddies.

So instead of telling us how many URLs have been hijacked, how about telling us how many end users are likely to be affected by this? It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

Re:More Information Please?

[John+Hasler]

It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

You make it sound as if those are mutually exclusive.

Re:More Information Please?

[poptones]

I don't do porn tgps, music sites or pretty much anything like that and yet I've seen several "possible attack site" warnings today in forefox. Weird sites, like furniture and such. I click a link and get that red screen. I was wondering what was up, it seems very strange today.

Luckily

[$RANDOMLUSER]

McAffe.com is totally safe.

Re:Can't Recognize

[TaoPhoenix]

I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

Wanna see how fast that gets taken care of?

Here's a suggestion

[smooth+wombat]

How about posting a screenshot of the anti-malware warning so we can be aware of it. I recently had to remove a piece of cruft from a user's laptop which, as far as I can tell, came from a Flash ad.

Since I know this user doesn't go to random bobssoftware.com sites, it had to come from an ad or a compromised site.

Also, would it have killed the editors to go to the source rather than some blog which scraped the source site?

Re:Here's a suggestion

[Megahard]

I had the misfortune to run into it yesterday. It continuously runs a fake scan, asks you to download an executable, and doesn't let you navigate away from the page. The only way I got rid of it was by shutting down JavaScript then closing the tab.

Re:Here's a suggestion

[Lumpy]

alt-F4 conquers ANY of these.

Re:Here's a suggestion

[Xenna]

I've seen one of those when a colleague asked for my help. It looks deceptively realistic, technically unsophisticated users could easily be fooled.

hah...

[koan]

I often get my security software from pop ups.

You know...I would say people need to take a test and get a license before they can "surf the net" but look at how well that turned out for cars.

Ooh, Shiny! =Click-ety=

[iiiears]

Firefox and NoScript to the rescue. Again...

If your server was one of the 380,000 hacked. I hope you will be back online soon.

Re:No wonder.

[psyclone]

Maybe you should try noscript to block unwanted 3rd party scripts.

As always, NoScript to the rescue

[ArcCoyote]

NoScript will protect you from this and all 3rd-party script injection, even when set very permissive (allow all scripts from the base domain)

Construct the array and placeholders in parallel

[tepples]

there seems to be quite a few SQL implementations that don't support binding to arrays:

SELECT * FROM foo WHERE bar IN (?)

I asked the webmaster of bobby-tables.com about this. The reply was that apparently, you're supposed to construct the list of placeholders in the statement in parallel with the array of values to be substituted into those placeholders. But under some APIs *cough*mysqli*cough*, that can be far more painful than making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character that your DBMS's manual mentions.

Re:Can't Recognize

[ackthpt]

I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

Wanna see how fast that gets taken care of?

Yeah, have the RIAA or MPAA on your case and you've got a trillion dollar lawsuit coming! Brr!!! I'll take my chances with teh feds.

Re:What are the malware URLs?

[Lumpy]

sniffed FTP... wow... why were you not using sftp or ssh? you dont use FTP for ANYTHING but public file repository where anonymous is the username.

Re:Construct the array and placeholders in paralle

[Lumpy]

You are correct sir....

in php....

$new_string = preg_replace(“/[^a-zA-Z0-9\s]/”, “”, $string);

or simply use the http://docs.php.net/manual/en/function.mysql-real-escape-string.php function if you need full flexibility and to make sure it's clean and safe.

and done. in fact you are a lazy programmer if you dont sanitize your user input. Yes it's nice to add the extra security of setting up the DB correctly, but only a fool would not sanitize the user input to begin with.
Rule #1 is to treat all user input as hostile and dangerous. If you stick to that a lot of these pesky injection attacks go away.

Oh yes, little Bobby Tables, we call him.

[WebManWalking]

http://xkcd.com/327/

Re:Construct the array and placeholders in paralle

[tepples]

making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character

simply use mysql_real_escape_string() if you need full flexibility and to make sure it's clean and safe.

That's what I do inside db_escape_list(), but the bobby-tables.com guy says it's not enough: one must use ? and only ?.

Re:Ooh, Shiny! =Click-ety=

[wagnerrp]

The article never claimed there were 380k servers hacked, it merely claimed there were 380k compromised unique URLs. If you follow the article, they are unique URLs as determined by a Google search. It could just as well be a hundred hacked servers with several thousand compromised pages each. Many of those pages could even be duplicates of one another.

HERE IS THE ACTUAL ATTACK CODE....

The article is sorely missing any useful information as to what the attack is and how to protect against it....

http://stackoverflow.com/questions/3761064/need-help-with-this-xss-attack

Currently, it is aimed at IIS/MS-SQL web sites that have input forms that aren't validating the input and neutralizing HTML tags

Re:HERE IS THE ACTUAL ATTACK CODE....

[AmonTheMetalhead]

Heh, Deja-vu

Re:HERE IS THE ACTUAL ATTACK CODE....

[Bacon+Bits]

To be clear, it's not targetting vulnerabilities in in IIS or MS-SQL. They're targetting Bobby Tables vulnerabilities in CMS and web apps. The same vulnerabilities exist regardless of what web server or database platform you're using. Once you've found your injection vulnerability you can just query the DB for the platform. Pretty much every platform has a built-in command for listing the attached databases. It's trivial to work back from there. Once you've established the specific CMS app (assuming they didn't brand it all over the normal output pages anyways) you can figure out how to return forwarders as desired.

PostgreSQL: select datname from pg_database;
MySQL: show databases;
MS SQL Server: exec sp_databases;
Oracle: select * from user_tablespaces;

The issues that have been hitting our network (a public school district) have been the sites who only respond with malware infection when the HTTP Referer (sic) is from Google Image Search or Bing Image Search. Additionally, the software typically doesn't try to install anywhere outside of the user's home folders (which they're obviously going to have write access to). So even though only IT staff have rights above a standard User, users are able to get infected. The web-based security scans that Google and Bing do don't catch these infections at all, and so they're not removed from search results like they should be. It's quite frustrating that neither Google nor Microsoft has addressed this problem.

On the plus side, only teachers and elementary students are gullible enough to actually install the software. Older students know it's a scam.

Re:Can't Recognize

[BitZtream]

The law suits won't start until everyone has all 380k songs. Its more profitable for them to wait to sue you than it is to start now.

You think the RIAA doesn't want you to have music, which is wrong. They want you to have all of their music, multiple times, they just want to make sure they can charge you as many ways as possible, including charging you even if you don't listen to any of their music (ref: tax on writable CDs).

They'll be happy to wait until all the transfers are complete so they can sue each infected person for illegally obtaining and distributing 380k songs at whatever the ridiculous fine per song they have is.

WinXP SP4 on the way

[Teun]

Maybe that's why there'll be a WinXP SP4 coming out tomorrow?

Re:Construct the array and placeholders in paralle

[VDizzle]

my $col_a_criteria = ' AND COLUMN_A IN (' . join(",", ('?') x @bind) . ') ' if scalar @bind;

$sth->prepare("select column_B from my_table where column_z = ? $col_a_criteria");

scalar @bind ? $sth->execute($col_z, @bind) : $sth->execute($col_z);

# It also wouldn't hurt to make sure that you are not exceeding the max SQL length or max values in an IN clause...

Then I guess MySQLi is sucks

[tepples]

$dbh->execute(@list);

If only it were that easy. In PHP MySQLi, $stmt->bind_param() wants individual variables as parameters, not a single array. They have to be variables, not values, because they're passed by reference. Moreover, the first parameter is a string with one character stating the data type of each following variable to be passed into the statement. The function bind_param() is variadic, and all three argument counts (number of ?s, number of characters in type string, and number of variables following type string) all have to match, or MySQLi raises an exception. I guess the moral is that if you have the bobby-tables.com guy on your team, MySQLi isn't the best tool. If only I'd known this at the start of the big project.

Re:Construct the array and placeholders in paralle

[tepples]

Please see my reply to Anonymous Coward who suggested the same thing.

Re:Construct the array and placeholders in paralle

[AmonTheMetalhead]

Not sanitizing input (any input, be it from a user or a remote site or a webservice or what have you) is asking for trouble, i see shit like this daily.

Re:Construct the array and placeholders in paralle

[fatphil]

Replace
my $places = join(",", ("?")x@list);

With
my $places = ('?,'x$#list) . '?';

For an order of magnitude increase in efficiency. You don't want an array, don't create a temporary one, just go straight to the string you want.

However, if you've got such long lists that even that 'x' is expensive - just have a prepared string of ?,?,?,?,?,?,?.... and use substr of the appropriate length.

Re:Here, have a massive XSS vulnerability

[Kalriath]

No, Eyewonder is one of their advertising providers. And we all know how shitty advertising providers are.

IE 9 and Firefox 4

[Billly+Gates]

Can the newer browsers security features that check XSS help? My parents computer still uses Firefox 3.x and they get a weird spyware bar installed that an anti virus program caught. I wonder if this has anything to do with that

Update from Websense: 500k URLs, injection code

[Kolargol00]

Websense published an update to their previous article with more information about the attack. It includes the SQL injection code.

Re:Obligatory

[ciderbrew]

now in 3D :)