Massive SQL Injection Attack Compromises 380K URLs
Orome1 writes "A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked. The injected script redirects users that have landed on the various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution."
380 aint so bad (Score:2)
If each of those kurls is able to be refinished, I think that they could withstanding another couple injections, easily. Why is sensationalist media destroying our national merits!? Only on slashdot, and yes, I did read the article.
Obligatory (Score:1)
Re: (Score:2)
Redirected (Score:5, Funny)
Re: (Score:1)
I was trying to access www.AntiVirusPro2011.com when I got redirected here.
You should have been trying to get to lizamoon.com instead ... but it's not responding anymore. I guess it got overloaded (or shutdown).
Re: (Score:1)
lizamoon -- hah, you also had a customer affected by it?
No, it was in the article so I tried to go to the site to see what it was actually doing. Knowing what it looks like will help me spot it in case one of my client's computers (or websites) gets affected.
Re: (Score:2)
sniffed FTP... wow... why were you not using sftp or ssh? you don't use FTP for ANYTHING but a public file repository where anonymous is the username.
Some future this is... (Score:2)
I want my money back. This isn't the future I was promised.
I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back. I don't understand why this sort of behavior isn't being shut down promptly by the powers that be of the internet. They'll watch your music, the CIA will record every character transmitted or received (Hi, Bob!), but they can't seem to recognise the same stupid b
Re:Can't Recognize (Score:2)
I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."
Wanna see how fast that gets taken care of?
Re: (Score:2)
I know! "A new attack pushes a different song to each of 380,000 users with a link to a synchronization bot so that each user winds up with the 380,000 song set."
Wanna see how fast that gets taken care of?
Yeah, have the RIAA or MPAA on your case and you've got a trillion dollar lawsuit coming! Brr!!! I'll take my chances with teh feds.
Re: (Score:2)
The lawsuits won't start until everyone has all 380k songs. It's more profitable for them to wait to sue you than it is to start now.
You think the RIAA doesn't want you to have music, which is wrong. They want you to have all of their music, multiple times, they just want to make sure they can charge you as many ways as possible, including charging you even if you don't listen to any of their music (ref: tax on writable CDs).
They'll be happy to wait until all the transfers are complete so they can sue eac
Re: (Score:2)
the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.
What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?
Re: (Score:2)
the CIA will record every character transmitted or received (Hi, Bob!) [...] Big Brother, we aren't even close.
What if... The channels which are being used by malware were the same used by Bob and his friends? Do you think they would have an incentive to close them, or keep them open?
Ironically we'll hear that 1,000 government PCs are infected. But have some stalker on Craigslist posting from a Starbucks and the cars are already on the way. Russia may be a riddle wrapped in an enigma, but how FBI/CIA/DHS/law enforcement have access to stuff so quick, but nobody can seem to prevent the same old sh*t, which has been on the internet for years, from moving around is beyond me.
Re: (Score:2)
>I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.
What are you talking about?
Re: (Score:2)
>I had that phoney malware thing come in through a Flash/Javascript hole (thanks Microsoft for not rewriting or adopting Google's re-write, you jerks) and totally hose my PC a while back.
What are you talking about?
If you have all the right holes open, that Malware scan does more than just launch a page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding. Thanks to the mindbogglingly stupid way Windows installs software packages I can't just format my system partition and reinstall the OS - my registry, my documents, my program files, et al are in the same basket. Sometimes you can install software to a different drive, but the vendor puts stuff
Re: (Score:2)
>If you have all the right holes open, that Malware scan does more than just launch a page which pretends to scan for viruses, it actually rootkits Windows and you can enjoy a merry week repairing and rebuilding.
What right holes? Are you talking about Windows 7 or XP? That malware scan can't do shit unless you click to download and install the exe from that suspect site and then click okay on the UAC prompt. Even if it compromised IE, IE runs in a low permission sandbox that is extremely difficult to get o
Re: (Score:2)
Sometimes you can install software to a different drive, but the vendor puts stuff in your Registry which goes with the rebuild and you can spend lots of fun time installing software all over again.
Or you could backup the parts that are important to you.
Re: (Score:1)
Why do people keep using Windows?
Sweet story bro (Score:3)
So, what's the attack? What SQL servers/CMS/languages are vulnerable?
Re: (Score:1)
Re: (Score:1)
So, what's the attack? What SQL servers/CMS/languages are vulnerable?
Neither article says ... so I guess the only way to find out is to hit the internet and find out for ourselves!
Re: (Score:2)
that hardly seems like news.
Re: (Score:2)
Microsoft Active Server Pages (.asp)
Microsoft ASP.NET (.aspx)
Java Server Pages (.jsp)
Cold Fusion (.cfm)
Seems mostly aimed towards
Re: (Score:2)
Not sure about the others, but in the case of ColdFusion it's pure laziness, since there are tons of built-in features to prevent SQL injection. No additional and/or custom stuff necessary.
Re: (Score:2)
Re: (Score:2)
Parameterized queries in ASP are really pretty much the same as in ASP.NET pages; I do it all the time myself.
Re: (Score:2)
Of course, some dumbass developer could be concatenating a SQL command using the raw input data without scrubbing it and running the command against the DB.
This happens all the time. Developers need to be aware of SQL Injection and how to prevent it. You cannot just implement something like parameterized queries and assume that you're defended against the ignorance of other developers on your team. You have to train them.
Re: (Score:2)
Re: (Score:1)
WinXP SP4 on the way (Score:2)
HERE IS THE ACTUAL ATTACK CODE.... (Score:3, Informative)
The article is sorely missing any useful information as to what the attack is and how to protect against it....
http://stackoverflow.com/questions/3761064/need-help-with-this-xss-attack
Currently, it is aimed at IIS/MS-SQL web sites that have input forms that aren't validating the input and neutralizing HTML tags
Re: (Score:2)
Re: (Score:2)
To be clear, it's not targeting vulnerabilities in IIS or MS-SQL. They're targeting Bobby Tables vulnerabilities in CMS and web apps. The same vulnerabilities exist regardless of what web server or database platform you're using. Once you've found your injection vulnerability you can just query the DB for the platform. Pretty much every platform has a built-in command for listing the attached databases. It's trivial to work back from there. Once you've established the specific CMS app (assuming t
Is one of those sites /. (Score:4, Funny)
Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.
Re: (Score:2)
Just wondering, coz we seem to have been infected by plenty of rogue ACs recently. Oh wait - "rogue AV" - my mistake.
We also have plenty of rogue AC on /. lately.
Re: (Score:2)
SQL Injection??? (Score:4, Interesting)
Very difficult to tell from the worthless article and summary.
Re: (Score:2)
How do you get the js injection into the code? SQL injection into whatever their CMS is.
Re: (Score:2)
Look up XSS.
Re: (Score:1)
The malware is a script that pretends to do an AV scan, obviously finds something and offers to sell the cure. The SQL injection is the part which makes many unrelated web sites redirect to the malware site. Let's say you have a blog which runs the version of your favorite content management system that was current when you started your blog. This software that runs on a server that's connected to the internet 24/7 and offers services to the public happens to have a bug, an SQL injection vulnerability to be
Re: (Score:2)
A blog doesn't need to be constructed dynamically on the server.
Its comments do. So does reformatting for mobile or otherwise limited devices if this involves taking things entirely out of the HTML stream. (Before you jump in and recommend separating meaning and presentation with CSS, remember that media-specific CSS can only hide elements; it can't easily reorder them or keep them from being downloaded. Sometimes you want to show less meaning at a time to a mobile user.)
Re: (Score:1)
Re: (Score:1)
Actually if you look at some of the sites, it's straight from the content, not from the header.
I took a look and they are randomly placed throughout the content of a stored page.
Re: (Score:1)
Re: (Score:1)
There's only so many ways to write a piss poor CMS :)
Re: (Score:1)
Binding Params (Score:5, Insightful)
Yes, I know I won't be the only one to say it.....
But seriously, if you don't know about binding params to SQL statements you shouldn't be writing public-facing websites. In any language. Ever.
Re: (Score:1)
Re: (Score:3)
Easier said than done, there seem to be quite a few SQL implementations that don't support binding to arrays:
SELECT * FROM foo WHERE bar IN (?);
Construct the array and placeholders in parallel (Score:2)
there seems to be quite a few SQL implementations that don't support binding to arrays:
SELECT * FROM foo WHERE bar IN (?)
I asked the webmaster of bobby-tables.com about this. The reply was that apparently, you're supposed to construct the list of placeholders in the statement in parallel with the array of values to be substituted into those placeholders. But under some APIs *cough*mysqli*cough*, that can be far more painful [pineight.com] than making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character that your DBMS's manual mention
Re: (Score:2)
You are correct sir....
in php....
$new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string);
or simply use the http://docs.php.net/manual/en/function.mysql-real-escape-string.php [php.net] function if you need full flexibility and to make sure it's clean and safe.
and done. in fact you are a lazy programmer if you don't sanitize your user input. Yes it's nice to add the extra security of setting up the DB correctly, but only a fool would not sanitize the user input to begin with.
Rule #1 is to
Re: (Score:2)
making a working function that escapes an entire array for use as right side of a WHERE expression and then carefully testing that function with every special character
simply use mysql_real_escape_string() if you need full flexibility and to make sure it's clean and safe.
That's what I do inside db_escape_list(), but the bobby-tables.com guy says it's not enough: one must use ? and only ?.
Then I guess MySQLi sucks (Score:2)
$dbh->execute(@list);
If only it were that easy. In PHP MySQLi, $stmt->bind_param() wants individual variables as parameters, not a single array. They have to be variables, not values, because they're passed by reference. Moreover, the first parameter is a string with one character stating the data type of each following variable to be passed into the statement. The function bind_param() is variadic, and all three argument counts (number of ?s, number of characters in type string, and number of variables following type string
Re: (Score:1)
my $places = join(",", ("?")x@list);
With
my $places = ('?,'x$#list) . '?';
For an order of magnitude increase in efficiency. You don't want an array, don't create a temporary one, just go straight to the string you want.
However, if you've got such long lists that even that 'x' is expensive - just have a prepared string of ?,?,?,?,?,?,?.... and use substr of the appropriate length.
Re: (Score:2)
Re: (Score:1)
my $sth = $dbh->prepare("select column_B from my_table where column_z = ? $col_a_criteria");
scalar @bind ? $sth->execute($col_z, @bind) : $sth->execute($col_z);
# It also wouldn't hurt to make sure that you are not exceeding the max SQL length or max values in an IN clause...
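The "build the placeholders in parallel with the values" technique discussed in this subthread, with the concatenation and strip-everything-but-alphanumerics approaches from the replies beside it for comparison. This is an added example, not code from any poster; it uses Python's sqlite3 module with a constructed in-memory table named foo, and the hypothetical value "O'Brien" to show why stripping or quoting by hand is lossy while binding is exact.

```python
import re
import sqlite3
from typing import List, Sequence

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the thread's "foo" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)",
                     [("alpha",), ("O'Brien",), ("gamma",)])
    return conn

def select_in_concat(conn: sqlite3.Connection, values: Sequence[str]) -> List[str]:
    # The pattern the thread warns against: user values pasted into SQL text.
    # A value containing a quote changes the statement instead of matching data.
    quoted = ",".join("'" + v + "'" for v in values)
    return [r[0] for r in conn.execute(
        f"SELECT bar FROM foo WHERE bar IN ({quoted})")]

def select_in_stripped(conn: sqlite3.Connection, values: Sequence[str]) -> List[str]:
    # The preg_replace approach from the thread: drop every non-alphanumeric
    # character. Safe against quotes, but it silently alters legitimate data.
    cleaned = [re.sub(r"[^a-zA-Z0-9\s]", "", v) for v in values]
    return select_in_concat(conn, cleaned)

def select_in_bound(conn: sqlite3.Connection, values: Sequence[str]) -> List[str]:
    # bobby-tables.com advice: build the "?,?,?" list in parallel with the
    # value tuple so every value is bound; only the count of values, never
    # their content, shapes the SQL text.
    if not values:
        return []                      # "IN ()" is a syntax error; short-circuit
    placeholders = ",".join("?" for _ in values)
    sql = f"SELECT bar FROM foo WHERE bar IN ({placeholders})"
    return [r[0] for r in conn.execute(sql, tuple(values))]

def demo() -> dict:
    # Runs all three variants on the same input so the differences are visible.
    conn = make_db()
    wanted = ["alpha", "O'Brien"]
    out = {"bound": select_in_bound(conn, wanted),
           "stripped": select_in_stripped(conn, wanted)}
    try:
        out["concat"] = select_in_concat(conn, wanted)
    except sqlite3.OperationalError as exc:   # the unbalanced quote breaks the query
        out["concat"] = f"error: {exc}"
    return out

if __name__ == "__main__":
    print(demo())
```

Only the bound variant returns both rows; the stripped variant loses "O'Brien" and the concatenated variant fails on it.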
Re: (Score:2)
Re: (Score:3)
Just as most car drivers don't know how to design safe airbag systems, most people running public-facing websites don't know how to build proper security. They just download some free CMS and go with it.
Re: (Score:3)
SQL injection? This sounds like people not sanitizing OUTPUT values, also known as XSS.
It talks about a redirect, and I would guess that's via some JS that gets displayed.
I see a script src="url" tag in the screenshot, which further lends credit to that theory.
However, other than the article text, I can't see any evidence of a SQL injection attack, which is a different kettle of fish than XSS.
The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job in securing the site against this kind of attacks.
"The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," they explained.
Sounds like XSS
Re: (Score:2)
I agree, I drew the same conclusion when reading the article. The JS code is entered in the database, of course, but not via an SQL injection. XSS vulnerability is much more prevalent than SQL injection vulnerability. Funny how just a few Slashdotters have picked up on this.
Re: (Score:3)
While that is true, it is very common for vulnerable websites to have JS injected in their databases via SQL injection.
If I have, let's say, a custom homegrown CMS...obviously there's going to be some JS and HTML in my data store (unless I store everything as physical files. Uncommon). So I can't exactly escape my output, since valid javascript IS the output... Compromise the database, and the whole thing is compromised.
Re: (Score:1)
How do you see XSS executing on a client machine affecting every record in a database on the server?
Re: (Score:1)
"""
We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look at the webserver access logs - you will see update statements!
"""
Re: (Score:2)
Thanks for the UPDATE; Better to know than to speculate, even if it shows that my speculations were wrong :)
Re: (Score:2)
Only if you consider posting on Slashdot SQL injection too... ;)
Re: (Score:1)
Re: (Score:2)
Maybe you should try noscript [noscript.net] to block unwanted 3rd party scripts.
More Information Please? (Score:4, Interesting)
Website use follows a Zipfian distribution. Less popular sites may be more vulnerable to attack since they'd be written by script kiddies.
So instead of telling us how many URLs have been hijacked, how about telling us how many end users are likely to be affected by this? It makes a large difference if one of the URLs is a popular website or just something a 10 year old patched together using Frontpage.
Re: (Score:2)
You make it sound as if those are mutually exclusive.
Re: (Score:2)
I don't do porn tgps, music sites or pretty much anything like that and yet I've seen several "possible attack site" warnings today in Firefox. Weird sites, like furniture and such. I click a link and get that red screen. I was wondering what was up, it seems very strange today.
Luckily (Score:2)
Here's a suggestion (Score:4, Interesting)
Since I know this user doesn't go to random bobssoftware.com sites, it had to come from an ad or a compromised site.
Also, would it have killed the editors to go to the source [websense.com] rather than some blog which scraped the source site?
Re: (Score:2)
Re: (Score:2)
alt-F4 conquers ANY of these.
Re: (Score:2)
I've seen one of those when a colleague asked for my help. It looks deceptively realistic; technically unsophisticated users could easily be fooled.
hah... (Score:2)
I often get my security software from pop ups.
You know...I would say people need to take a test and get a license before they can "surf the net" but look at how well that turned out for cars.
Ooh, Shiny! =Click-ety= (Score:1)
Firefox and NoScript to the rescue. Again...
If your server was one of the 380,000 hacked, I hope you will be back online soon.
Re: (Score:2)
As always, NoScript to the rescue (Score:2)
NoScript will protect you from this and all 3rd-party script injection, even when set very permissive (allow all scripts from the base domain)
Re: (Score:2)
No, Eyewonder is one of their advertising providers. And we all know how shitty advertising providers are.
Oh yes, little Bobby Tables, we call him. (Score:2, Funny)
IE 9 and Firefox 4 (Score:1)
Can the newer browsers' security features that check XSS help? My parents' computer still uses Firefox 3.x and they get a weird spyware bar installed that an antivirus program caught. I wonder if this has anything to do with that.
Update from Websense: 500k URLs, injection code (Score:2)