Slashdot Mirror


Massive SQL Injection Attack Compromises 380K URLs

Orome1 writes "A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked. The injected script redirects users that have landed on the various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution."

13 of 117 comments

  1. Redirected by Jurramonga · · Score: 5, Funny

    I was trying to access www.AntiVirusPro2011.com when I got redirected here.

  2. Sweet story bro by 19thNervousBreakdown · · Score: 2

    So, what's the attack? What SQL servers/CMS/languages are vulnerable?

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  3. Is one of those sites /. by Tigger's Pet · · Score: 3, Funny

    Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

  4. SQL Injection??? by gregrah · · Score: 3, Interesting

    This seems to me like more of a JavaScript injection attack. Or am I missing something?

    Very difficult to tell from the worthless article and summary.

    1. Re:SQL Injection??? by aesiamun · · Score: 2

      How do you get the js injection into the code? SQL injection into whatever their CMS is.

  5. Binding Params by Toreo asesino · · Score: 4, Insightful

    Yes, I know I won't be the only one to say it.....

    But seriously, if you don't know about binding params to SQL statements you shouldn't be writing public-facing websites. In any language. Ever.

    --
    throw new NoSignatureException();
    1. Re:Binding Params by grumbel · · Score: 2

      Easier said than done; there seem to be quite a few SQL implementations that don't support binding to arrays:

      SELECT * FROM foo WHERE bar IN (?);
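
As an added illustration of the point above (not code from the thread): the usual workaround for drivers that cannot bind an array is to generate one placeholder per value and bind each value separately, shown here beside the string-splicing shortcut it replaces. The sqlite3 in-memory table, its rows and the function names are assumptions.

```python
import sqlite3
from typing import Sequence

# Constructed sample rows standing in for a CMS "pages" table.
SAMPLE_PAGES = [(1, "home"), (2, "about"), (3, "contact")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def parse_ids(raw: str) -> list:
    """Validate at the boundary: a comma-separated list of integers, nothing else."""
    ids = []
    for part in raw.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"invalid id: {part!r}")
        ids.append(int(part))
    return ids


def find_pages_unsafe(conn: sqlite3.Connection, ids_csv: str) -> list:
    """The tempting shortcut when the driver cannot bind a list: splice the
    user-supplied string straight into the IN (...) clause as SQL text."""
    sql = f"SELECT id, slug FROM pages WHERE id IN ({ids_csv})"
    return conn.execute(sql).fetchall()


def find_pages(conn: sqlite3.Connection, ids: Sequence) -> list:
    """Bound version: only the placeholder COUNT is derived from the input;
    every value still reaches the engine as a parameter, never as SQL."""
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, slug FROM pages WHERE id IN ({placeholders})"
    return conn.execute(sql, tuple(ids)).fetchall()
```

The same string that widens the spliced query to every row is, in the bound version, compared as a literal value and matches nothing; validating it up front rejects it before any query runs.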

    2. Re:Binding Params by Lord Ender · · Score: 2

      Just as most car drivers don't know how to design safe airbag systems, most people running public-facing websites don't know how to build proper security. They just download some free CMS and go with it.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:Binding Params by Terrasque · · Score: 2

      SQL injection? This sounds like people not sanitizing OUTPUT values, also known as XSS.

      It talks about a redirect, and I would guess that's via some JS that gets displayed.

      I see a script src="url" tag in the screenshot, which further lends credit to that theory.

      However, other than the article text, I can't see any evidence of a SQL injection attack, which is a different kettle of fish than XSS.

      The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job in securing the site against this kind of attack.

      "The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," they explained.

      Sounds like XSS

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    4. Re:Binding Params by Shados · · Score: 2

      While that is true, it is very common for vulnerable websites to have JS injected in their databases via SQL injection.

      If I have, let's say, a custom homegrown CMS...obviously there's going to be some JS and HTML in my data store (unless I store everything as physical files. Uncommon). So I can't exactly escape my output, since valid javascript IS the output... Compromise the database, and the whole thing is compromised.
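
An added example for the output side of this exchange (not code from the thread or from any product named in it): an audit over stored CMS bodies that flags rows loading script from a host outside an allow-list, which is the tell-tale of the mass injection in the summary, together with the encode-on-output step the iTunes quote describes for fields that never legitimately hold markup. The rows, host names, allow-list and regular expression are constructed assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed rows standing in for a CMS "posts" table after a mass-injection
# campaign: a clean body, a legitimate same-origin script, an injected remote tag.
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>"),
    (2, '<script src="/js/app.js"></script><p>Stats</p>'),
    (3, '<p>News</p><script src="http://injected-host.example/ur.php"></script>'),
]

# Any <script ... src=...> tag; the src value is captured for host inspection.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def external_script_hosts(body: str) -> set:
    """Hosts a stored HTML body would load script from (same-origin srcs are skipped)."""
    hosts = set()
    for src in SCRIPT_SRC.findall(body):
        host = urlsplit(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def find_injected(rows, allowed_hosts) -> list:
    """(row id, host) pairs for bodies that load script from a host not on the allow-list.
    Legitimate stored JS (same origin or an allowed CDN) is left alone."""
    hits = []
    for row_id, body in rows:
        for host in sorted(external_script_hosts(body)):
            if host not in allowed_hosts:
                hits.append((row_id, host))
    return hits


def render_untrusted(text: str) -> str:
    """For fields that never legitimately hold markup (titles, comments, feed text):
    encode on output so an injected tag is displayed as text, not executed."""
    return html.escape(text, quote=True)
```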

  6. More Information Please? by Haedrian · · Score: 3, Interesting

    Website use follows a Zipfian distribution. Less popular sites may be more vulnerable to attack since they'd be written by script kiddies.

    So instead of telling us how many URLs have been hijacked, how about telling us how many end users are likely to be affected by this? It makes a large difference if one of the URLs is a popular website or just something a 10-year-old patched together using Frontpage.

  7. Here's a suggestion by smooth wombat · · Score: 3, Interesting

    How about posting a screenshot of the anti-malware warning so we can be aware of it. I recently had to remove a piece of cruft from a user's laptop which, as far as I can tell, came from a Flash ad.

    Since I know this user doesn't go to random bobssoftware.com sites, it had to come from an ad or a compromised site.

    Also, would it have killed the editors to go to the source rather than some blog which scraped the source site?

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  8. HERE IS THE ACTUAL ATTACK CODE.... by Anonymous Coward · · Score: 3, Informative

    The article is sorely missing any useful information as to what the attack is and how to protect against it....

    http://stackoverflow.com/questions/3761064/need-help-with-this-xss-attack

    Currently, it is aimed at IIS/MS-SQL web sites that have input forms that aren't validating the input and neutralizing HTML tags