Forgot your password?
typodupeerror
Security The Internet News IT

Massive SQL Injection Attack Compromises 380K URLs 117

Posted by CmdrTaco
from the that's-a-lot-of-compromise dept.
Orome1 writes "A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked. The injected script redirects users that have landed on the various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution."
This discussion has been archived. No new comments can be posted.

Massive SQL Injection Attack Compromises 380K URLs

Comments Filter:
  • If each of those kurls is able to be refinished, I think that they could withstanding another couple injections, easily. Why is sensationalist media destroying our national merits!? Only on slashdot, and yes, I did read the article.

  • Redirected (Score:5, Funny)

    by Jurramonga (1922438) on Thursday March 31, 2011 @11:36AM (#35678468)
    I was trying to access www.AntiVirusPro2011.com when I got redirected here.
    • I was trying to access www.AntiVirusPro2011.com when I got redirected here.

      You should have been trying to get to lizamoon.com instead ... but it's not responding anymore. I guess it got overloaded (or shutdown).

  • I want my money back. This isn't the future I was promised.

    I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back. I don't understand why this sort of behavior isn't being shut down promptly by the powers that be of the internet. They'll watch your music, the CIA will record every character transmitted or received (Hi, Bob!), but they can't seem to recognise the same stupid b

    • I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

      Wanna see how fast that gets taken care of?

      • by ackthpt (218170)

        I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."

        Wanna see how fast that gets taken care of?

        Yeah, have the RIAA or MPAA on your case and you've got a trillion dollar lawsuit coming! Brr!!! I'll take my chances with teh feds.

      • by BitZtream (692029)

        The law suits won't start until everyone has all 380k songs. Its more profitable for them to wait to sue you than it is to start now.

        You think the RIAA doesn't want you to have music, which is wrong. They want you to have all of their music, multiple times, they just want to make sure they can charge you as many ways as possible, including charging you even if you don't listen to any of their music (ref: tax on writable CDs).

        They'll be happy to wait until all the transfers are complete so they can sue eac

    • the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

      What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

      • by ackthpt (218170)

        the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.

        What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?

        Ironically we'll hear that 1,000 government PCs are infected. But have some stalker on Craigslist posting from a Starbucks and the cars are already on the way. Russia may be a riddle wrapped in an enigma, but how FBI/CIA/DHS/law enforcement have access to stuff so quick, but nobody can seem to prevent the same old sh*t, which has been on the internet for years, from moving around is beyond me.

    • >I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

      What are you talking about?

      • by ackthpt (218170)

        >I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.

        What are you talking about?

        If you have all the right holes open, that Malware scan does more than just launch an page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding. Thanks to the mindbogglingly stupid way Windows installs software packages I can't just format my system partition and reinstall the OS - my registry, my documents, my program files, et al are in the same basket. Sometimes you can install software to a different drive, but the vendor puts stuff

        • >If you have all the right holes open, that Malware scan does more than just launch an page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding.

          What right holes? Are you talking about Windows 7 or XP? That malware scan can't do shit unless you click to download and install the exe from that suspect site and then click okay the UAC prompt. Even if it compromised IE, IE runs in a low permission sandbox that is extremely difficult to get o

        • by PNutts (199112)

          Sometimes you can install software to a different drive, but the vendor puts stuff in your Registry which goes with the rebuild and you can spend lots of fun time installing software all over again.

          Or you could backup the parts that are important to you.

    • by mspohr (589790)
      Stupidity is doing the same thing over and over and expecting a different result.

      Why do people keep using Windows?

  • So, what's the attack? What SQL servers/CMS/languages are vulnerable?

    • by an00bis (667089)
      Looking through the first several pages from Google, searching for the same string that was in the article, it's predominantly ASP/ASPX/CFM that is coming up. Probably nothing new, just taking raw user input and querying directly with that.
    • So, what's the attack? What SQL servers/CMS/languages are vulnerable?

      Neither article says ... so I guess the only way to find out is to hit the internet and find out for ourselves!

    • The article didn't really say. I went looking for the same information. All i found was a lot of talk about what you will find on an infected site. The takeaway seems to be: If your site is serving up weird links that you didn't put there, sanitize everything.

      that hardly seems like news.
    • After a cursory glance at the search results of infected pages, I saw the following file types:
      Microsoft Active Server Pages (.asp)
      Microsoft ASP.NET (.aspx)
      Java Server Pages (.jsp)
      Cold Fusion (.cfm)

      Seems mostly aimed towards .asp and .aspx pages, but I would venture to guess that any web app that doesn't scrub the form input data would be vulnerable.
      • by lennier1 (264730)

        Not sure about the others, but in case of ColdFusion it's pure laziness, since there are tons of built-in features to prevent SQL injection. No additional and/or custom stuff necessary.

        • Same with ASP.NET, parametrized SQL queries are built into the ADO.NET model. Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB. Old school Active Server Pages have no such feature and any data-scrubbing had to be done in a separate function.
          • by BitZtream (692029)

            Parametrized queries in ASP is really pretty much the same as ASP.NET pages, do it all the time myself.

          • by Rary (566291)

            Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB.

            This happens all the time. Developers need to be aware of SQL Injection and how to prevent it. You cannot just implement something like parameterized queries and assume that you're defended against the ignorance of other developers on your team. You have to train them.

            • It isn't always easy to get budget for training or even time for proper coding practices. Companies, especially those that use technology but are not in the technology business, want fast results and they want them on the cheap. Many business people don't understand the value prevention until they are forced to shell out for a pound of cure.
        • I use ASP.NET and for years I use parameters to fetch data from databases. Thus, specified values are searched in specific fields. I thought SQL injections were only possible thru user input from form fields and could only access databases. I don't understand how sites could be corrupted this way in order to redirect an URL.
      • Maybe that's why there'll be a WinXP SP4 coming out tomorrow?
    • by Anonymous Coward

      The article is sorely missing any useful information as to what the attack is and how to protect against it....

      http://stackoverflow.com/questions/3761064/need-help-with-this-xss-attack

      Currently, it is aimed at IIS/MS-SQL web sites that have input forms that aren't validating the input and neutralizing HTML tags

      • Heh, Deja-vu
      • To be clear, it's not targetting vulnerabilities in in IIS or MS-SQL. They're targetting Bobby Tables vulnerabilities in CMS and web apps. The same vulnerabilities exist regardless of what web server or database platform you're using. Once you've found your injection vulnerability you can just query the DB for the platform. Pretty much every platform has a built-in command for listing the attached databases. It's trivial to work back from there. Once you've established the specific CMS app (assuming t

  • by Tigger's Pet (130655) on Thursday March 31, 2011 @11:38AM (#35678500) Homepage

    Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.

  • SQL Injection??? (Score:4, Interesting)

    by gregrah (1605707) on Thursday March 31, 2011 @11:43AM (#35678528)
    This seems to me like more of a JavaScript injection attack. Or am I missing something?

    Very difficult to tell from the worthless article and summary.
    • by aesiamun (862627)

      How do you get the js injection into the code? SQL injection into whatever their CMS is.

    • by Anonymous Coward

      The malware is a script that pretends to do an AV scan, obviously finds something and offers to sell the cure. The SQL injection is the part which makes many unrelated web sites redirect to the malware site. Let's say you have a blog which runs the version of your favorite content management system that was current when you started your blog. This software that runs on a server that's connected to the internet 24/7 and offers services to the public happens to have a bug, an SQL injection vulnerability to be

      • by tepples (727027)

        A blog doesn't need to be constructed dynamically on the server.

        Its comments do. So does reformatting for mobile or otherwise limited devices if this involves taking things entirely out of the HTML stream. (Before you jump in and recommend separating meaning and presentation with CSS, remember that media-specific CSS can only hide elements; it can't easily reorder them or keep them from being downloaded. Sometimes you want to show less meaning at a time to a mobile user.)

    • I'm rather confused by that too. I'd love somebody to explain how an SQL injection attack puts a new javascript tag on a page unless it's targeting some specific CMS that stores a list of required js files in the database.
      • by aesiamun (862627)

        Actually if you look at some of the sites, it's straight from the content, not from the header.

        I took a look and they are randomly placed throughout the content of a stored page.

        • Hmmm. So potentially inserting the script tag into the body portion of articles... So what is the common factor across the sites? All using some particular plugin or something (I'm hoping it's not a vulnerability in the core of some widely used CMS)?
  • Binding Params (Score:5, Insightful)

    by Toreo asesino (951231) on Thursday March 31, 2011 @11:45AM (#35678550) Journal

    Yes, I know I won't be the only one to say it.....

    But seriously, if you don't know about binding params to SQL statements you shouldn't be writing public-facing websites. In any language. Ever.

    • by Anonymous Coward
      What's a binding para!@#$(*(!&*!&#$!! PLEASE CLICK THIS LINK for a complimentary security and malware scan. Good for today only!
    • by grumbel (592662)

      Easier said that done, there seems to be quite a few SQL implementations that don't support binding to arrays:

      SELECT * FROM foo WHERE bar IN (?);

      • there seems to be quite a few SQL implementations that don't support binding to arrays:

        SELECT * FROM foo WHERE bar IN (?)

        I asked the webmaster of bobby-tables.com about this. The reply was that apparently, you're supposed to construct the list of placeholders in the statement in parallel with the array of values to be substituted into those placeholders. But under some APIs *cough*mysqli*cough*, that can be far more painful [pineight.com] than making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character that your DBMS's manual mention

        • by Lumpy (12016)

          You are correct sir....

          in php....

          $new_string = preg_replace(“/[^a-zA-Z0-9\s]/”, “”, $string);

          or simply use the http://docs.php.net/manual/en/function.mysql-real-escape-string.php [php.net] function if you need full flexibility and to make sure it's clean and safe.

          and done. in fact you are a lazy programmer if you dont sanitize your user input. Yes it's nice to add the extra security of setting up the DB correctly, but only a fool would not sanitize the user input to begin with.
          Rule #1 is to

          • by tepples (727027)

            making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character

            simply use mysql_real_escape_string() if you need full flexibility and to make sure it's clean and safe.

            That's what I do inside db_escape_list(), but the bobby-tables.com guy says it's not enough: one must use ? and only ?.

          • Not sanitizing input (any input, be it from a user or a remote site or a webservice or what have you) is asking for trouble, i see shit like this daily.
        • by VDizzle (995599)
          my $col_a_criteria = ' AND COLUMN_A IN (' . join(",", ('?') x @bind) . ') ' if scalar @bind;

          $sth->prepare("select column_B from my_table where column_z = ? $col_a_criteria");

          scalar @bind ? $sth->execute($col_z, @bind) : $sth->execute($col_z);

          # It also wouldn't hurt to make sure that you are not exceeding the max SQL length or max values in an IN clause...
    • Just as most car drivers don't know how to design safe airbag systems, most people running public-facing websites don't know how to build proper security. They just download some free CMS and go with it.

    • by Terrasque (796014)

      SQL injection? This sounds like people not sanitizing OUTPUT values, also known as XSS.

      It's talk about redirect, and I would guess that's via some JS that gets displayed.

      I see a script src="url" tag in the screenshot, which further lends credit to that theory.

      However, other than the article text, I can't see any evidence of a SQL injection attack, which is a different kettle of fish than XSS.

      The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job in securing the site against this kind of attacks.

      "The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," they explained.

      Sounds like XSS

      • by Xenna (37238)

        I agree, I drew the same conclusion when reading the article. The JS code is entered in the database, of course, but not via an SQL injection. XSS vulnerability is much more prevalent than SQL injection vulnerability. Funny how just a few Slashdotters have picked up on this.

        • by Shados (741919)

          While that is true, it is very common for vulnerable websites to have JS injected in their databases via SQL injection.

          If I have, let say, a custom homegrown CMS...obviously there's going to be some JS and HTML in my data store (unless I store everything as physical files. Uncommon). So I can't exactly escape my output, since valid javascript IS the output... Compromise the database, and the whole thing is compromised.

        • by fatphil (181876)
          I pulled up a few infected pages, and if I were to perform the same attack, I'd want to get some kind up 'update tablename set field="payload"' being executed by the server. And that would be a SQL injection.

          How do you see XSS executing on a client machine affecting every record in a database on the server?
          • by fatphil (181876)
            Well, to answer my own question, it is a SQL injection using an update, as I postulated, according to a victim:
            """
            We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!
            """
            • by Terrasque (796014)

              Thanks for the UPDATE; Better to know than to speculate, even if it shows that my speculations were wrong :)

          • by Xenna (37238)

            Only if you consider posting on Slashdot SQL injection too... ;)

            • by fatphil (181876)
              Disagree completely. SQL injection is where the payload is executed as SQL, which has happened in this defacement attack. On slashdot, if I write a line of SQL it's not executed as SQL, it's just text characters that are never executed.
  • by Haedrian (1676506) on Thursday March 31, 2011 @11:51AM (#35678622)

    Website use follows a Zipfian distribution. Less popular sites may be more vulnerable to attack since they'd be written by script kiddies.

    So instead of telling us how many URLs have been hijacked, how about telling us how many end users are likely to be affected by this? It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

    • It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.

      You make it sound as if those are mutually exclusive.

    • by poptones (653660)

      I don't do porn tgps, music sites or pretty much anything like that and yet I've seen several "possible attack site" warnings today in forefox. Weird sites, like furniture and such. I click a link and get that red screen. I was wondering what was up, it seems very strange today.

  • McAffe.com is totally safe.
  • Here's a suggestion (Score:4, Interesting)

    by smooth wombat (796938) on Thursday March 31, 2011 @11:56AM (#35678690) Homepage Journal
    How about posting a screenshot of the anti-malware warning so we can be aware of it. I recently had to remove a piece of cruft from a user's laptop which, as far as I can tell, came from a Flash ad.

    Since I know this user doesn't go to random bobssoftware.com sites, it had to come from an ad or a compromised site.

    Also, would it have killed the editors to go to the source [websense.com] rather than some blog which scraped the source site?
    • by Megahard (1053072)
      I had the misfortune to run into it yesterday. It continuously runs a fake scan, asks you to download an executable, and doesn't let you navigate away from the page. The only way I got rid of it was by shutting down JavaScript then closing the tab.
    • by Xenna (37238)

      I've seen one of those when a colleague asked for my help. It looks deceptively realistic, technically unsophisticated users could easily be fooled.

  • by koan (80826)

    I often get my security software from pop ups.

    You know...I would say people need to take a test and get a license before they can "surf the net" but look at how well that turned out for cars.

  • Firefox and NoScript to the rescue. Again...

    If your server was one of the 380,000 hacked. I hope you will be back online soon.

    • by wagnerrp (1305589)
      The article never claimed there were 380k servers hacked, it merely claimed there were 380k compromised unique URLs. If you follow the article, they are unique URLs as determined by a Google search. It could just as well be a hundred hacked servers with several thousand compromised pages each. Many of those pages could even be duplicates of one another.
  • NoScript will protect you from this and all 3rd-party script injection, even when set very permissive (allow all scripts from the base domain)

  • Can the newer browsers security features that check XSS help? My parents computer still uses Firefox 3.x and they get a weird spyware bar installed that an anti virus program caught. I wonder if this has anything to do with that

  • Websense published an update [websense.com] to their previous article [websense.com] with more information about the attack. It includes the SQL injection code.

"The value of marriage is not that adults produce children, but that children produce adults." -- Peter De Vries

Working...