500 Thousand MS Web Servers Hacked

andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."

ob...

[by Anonymous Coward]

Does it run on linux.

Re:ob...

[ArcherB (796902)]

Does it run on linux.

That is actually a good question and the first thing I thought of. While I'm not worried about my little webserver being hacked as it runs on Linux without MySQL, I am worried about my browser.

If I run Firefox on Linux without NoScript, is there a danger?

Re:ob...

[RobBebop (947356)]

In other words, you can't rely on the site you are visiting to be safe.. so the onus is on the end user to make sure their PC is fully patched and as secure as possible.

The above quote is from the article link which lists "important sites that have been compromised". I think the important thing is that any site running MSSQL could potentially be compromised in a way that would affect a reader of that site who (a) does not have an updated web browser, or (b) doesn't have script disabled.

In 2008... why is it really so easy to put a damned single or double quote into a SQL form and then make it possible to execute your malicious code on that server? Shouldn't disabling this be a fundamental security rule for databases?

Re:ob...

[keithjr (1091829)]

In 2008... why is it really so easy to put a damned single or double quote into a SQL form and then make it possible to execute your malicious code on that server? Shouldn't disabling this be a fundamental security rule for databases?

It is fundamental. It's called secure input handling, or sanitizing input. Just because it's a rule doesn't mean it is followed.

Re:ob...

[steelclash84 (1129221)]

Did you really name your kid "Robert'); DROP TABLE Students; --"?

Re:ob...

[mhall119 (1035984)]

Obligatory link:
http://xkcd.com/327/ [xkcd.com]

Re:ob...

[hclewk (1248568)]

Oh, yes. Little Bobby Tables, we call him.

Re:More data needed

[CastrTroy (595695)]

You can have SQL injection problems just as easy in stored procedures as you can in plain old code. Look at this example (pardon the probably incorrect syntax):

Create Procedure GetUserTelePhone(@UserName varchar(50))
Begin
      Declare @sql varchar(300)

      Set @sql = 'SELECT TelePhone From Users where UserName=''' + @UserName + ''''

      return exec(@sql)

END

See, there you go, completely open to sql injection, and it's a stored procedure. The problem isn't that people aren't using stored procedures, it's that people are creating queries which result from the concatenation of strings and variables, which invariably leaves them open to attack. A much better way to do things, is to use prepared queries, either in you stored procedures, or just using prepared queries directly in the code.

Re:ob...

[sm62704 (957197)]

True, but the summary could have mentioned it. As it is, it's a ripe subject for humor. Only some folks here defend their choice of operating systems like others defend their wifes and children. Anyone who would get angry because someone jokes about someone else's product has some serious issues.

"It Isn't Secure" is a tired old joke. But so is Microsoft!

Bias?

[jmpeax (936370)]

SQL injection is a result of poor data validation on the part of the web application - not, as the blurb implies, an indicator of an insecure web server. LAMP installations are also susceptible to SQL injection [mysql.com] (PDF). From TFA:

Unless [...] data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls.

As for the fact that Firefox + NoScript prevents the problems, that really isn't a surprise seeing as these specific exploits rely on executing a JScript. Any browser with scripting disabled would be immune.

The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.

Re:Bias?

[ischorr (657205)]

Also, is it 500,000 web *sites* identified so far, or 510,000 web *pages*?

Re:Bias?

[Mia'cova (691309)]

The blurb completely misquotes the article. The article clearly states pages as reported by google. Plus, Google is hardly a live metric for the state of the internet. It really gives us a very poor estimate of how much impact this is having.

Also, which browsers are affected? It sounds like most of the exploits being used against the browsers have already been patched. Is there a new one there?

Re:Bias?

[Shados (741919)]

I agree, and that was my first reaction: "Wtf does IIS have to do with SQL injection". If nothing else, a LAMP stack would be more susceptible, not because of the servers, but because PHP didn't have mainstream prepared statements as part of a default standard install in its earlier versions, and now that it DOES have it, a lot of script kiddies or peanut gallery programmers aren't using them, as opposed to Java/.NET/Whatever which, while still having some issues with the same group of newbie developers, are prepared-statement centric in their development paradigms and documentation, thus reducing the amount of possible SQL injection significantly, unless the apps are made in legacy environments too.

Its such a rediculous flamebait, I don't know what to say.

Re:Bias?

[Shados (741919)]

No, i'm not trolling. My point is that the story itself is trolling. This isn't an IIS directed attack, it is a "bad programming" directed attack. The -same- attack, exactly, would work -regardless- of the server. You don't even need to CHECK which server is running on the machine for this attack to work, since the server is IRRELEVENT, and I was trying to demonstrate that. Nothing more.

It is NOT an IIS directed attack. At best, its a loose corelation statistic, and one thats pretty useless without comparing it to other references, such as other web servers.

Re:Bias?

[Stellian (673475)]

In fact, the attack enumerates all ASP variables and tries to force a SQL payload in them, that in turn if executed adds the link to the malicious script to every textfield in the database. A very simple vulnerability scanner, if you like, targeting only ASP applications - thus the ISS spin.
Since we don't see the LAMP version spreading I think we can safely conclude that no web application written in PHP with a MySQL back-end is currently vulnerable to any type of SQL injection.

Re:Bias?

[Col. Klink (retired) (11632)]

> "Wtf does IIS have to do with SQL injection". RTFA:

the attackers looked for ASP or ASPX pages containing any type of querystring

This specific attack, of which google has found over half a million affected pages, is targeted at IIS.

Re:Bias?

[Shados (741919)]

Doesn't change that IIS doesn't have anything to do with it. If you take aside that both ASP and ASP.NET (more ASP though) aren't IIS specific by a long shot, the attack is targeting specific technologies, then targetting specific software development flaws within the boundaries of those technologies. If I'm running PERL/PHP on my server, it won't see it. If I'm running an ASP page on Apache, it will, and even if my server hasn't been patched for the last 5 years, I'm no more or less vulnerable to that attack.

If the attackers looked for servers that were advertising themselves as IIS, and/or attacked IIS vulnerabilities or bad administration practices, you'd have a point. But the fact that the servers were running IIS was little beyond a strong corelation.

Re:Bias?

[Facetious (710885)]

The admins on the ground seem to disagree [iis.net] with you. From that page, "Our initial investigations are pointing at an attack through IIS using ASP in an overload."

Looking at the IIS forum...

[jd (1658)]

...the first person to google for attacked pages only turned up ASP pages as cracked. Later on, they say that the javascript attempts to use an ActiveX control. If I am exceedingly generous, I'll allow for the possibility that the story was written by someone who saw just these two comments and assumed that since both of these are generally run on Microsft OS', that this was an IIS problem. (Actually, more than a few people using Microsoft OS' run other web servers. There's quite a selection to choose from. Also, both ASP and ActiveX are usable under Linux, well, ish.)

However, it is now abundantly clear that the attack is NOT ASP-specific, and just because one of the vectors it tries is based on ActiveX does NOT mean it doesn't try other methods. It only means that the people who spotted it early spotted it trying that method. Although it's unlikely to have an attack library for multiple OS', it would be surprising if it didn't have some alternative action for when ActiveX isn't available.

I'm concerned about the number of Government sites that have been shown to be vulnerable, especially (as has been commented by others on Slashdot) a Canadian site dealing with national security. This attack is unlikely to cause any particular lasting harm, but stop and think. These are the sorts of sites that actually need to be secure. Even if not directly connected to internal secure networks (and I'd be willing to bet that far more are than are supposed to be), they are high-profile and for that reason alone are likely to be much more at-risk than other sites.

Most smaller websites are just point-of-presence and information sites. It's an irritant if they vanish for a while, but it's unlikely to hurt anything. Nobody is going to die if a blog site isn't available for an hour or so, unless they're a serious addict. No small vendor is going to lose business if their PDF datasheets aren't reachable for a little while. Adult sites risk making a one or two percent loss of webcam income out of their steady stream of millions. I seriously doubt anyone from the United Methodist church will suddenly become Mormon or Catholic because their primary website was hit.

Not really

[Scareduck (177470)]

PHP has pretty much fixed SQL injection hacks, at least for MySQL, something TFA you quote mentions on page 74. Given that this is the majority combination on web-facing machines, shouldn't that blunt the "LAMP installations are also susceptible to SQL injection" if only by quantity? I mean, I agree with your counter-FUD reasoning, but it seems to me that this blunts your whole sentence, MySQL+PHP being two pillars (and the last half) of LAMP.

Re:Not really

[weicco (645927)]

As so has ASP.NET. I write (almost) all my database queries parametrized like this

SqlConnection conn = ...
SqlCommand cmd = ...
cmd.CommandText = "SELECT * FROM Foo WHERE Bar = @bar";
cmd.Parameters.AddWithValue("bar", barValue);

This way I'm pretty safe from SQL injection attacks. Add all the HTML encoding/decoding stuff to that and you can rest your nights peacefully.

Then enter the PHB. Now a days we stuff all the parameters straight to the DB procedure where they aren't sanitized at all. We build SQL query inside the stored proc by concatenating strings and call sp_execute to execute them. So all my earlier input validation and parameterized queries went down the drain. PHB's reasoning? - We trust our users.

Re:Bias?

[by Anonymous Coward]

Agreed. I *hate* Microsoft and am as rabid a Free Software advocate as you will find, but code injection attacks are neither the fault of nor prevented by the OS or web server.

If users of open source software want to protect our largely well-deserved right to be smug, we have to be no less vigilant against these attacks than the proprietary chumps. This particular attack may only have hit MS servers, but this category of attack in general is frighteningly equal-opportunity.

We can't take our superiority for granted; we have to earn it every day.

Re:Bias?

[toby360 (524944)]

I have to agree that this is highly Biased.
This has nothing to do with IIS, SQL or ASP, coding against SQL injection is the responsibility of web designer. Also it should be noted that ASP was originally released way back when with NT4.0 in 1996(v1) , 2.0 in 1997 and 3.0 in 2000 http://en.wikipedia.org/wiki/Active_Server_Pages [wikipedia.org].

With the newer ASP.NET MS was kind enough to provide several layers of protection against attacks such as SQL injection with both server side and client side validation applied to controls when built in the designer (by default).

The Trojan is hosted in China

[Malevolent Tester (1201209)]

Anyone surprised?

Re:The Trojan is hosted in China

[Kong the Medium (232629)]

I'm sure you mean Persia.

And I'm sure you meant Turkey.(http://en.wikipedia.org/wiki/Troy [wikipedia.org]).

LOL

[ThePhilips (752041)]

Lolicious.

I once spend an hour trying to explain IIS/MS SQL Server admin what PHP/MySQL addslashes()/mysql_escape_string() do - all to no avail. He was absolutely sure it is sufficient to like in VB surround any string with single quotes and it all will be fine.

Now seeing that it's real fun for guys, I can only laugh.

So this isn't an IIS attack at all.

[Chas (5144)]

This is a SQL injection attack. IIS just happens to be the front-end of a poorly written web app.

Thus, if I'm running a web app that doesn't rely on IIS for anything more than presentation, and am not using SQL in my authentication (say something like Terminal Services or GraphOn), I should be fine.

Correct?

Re:So this isn't an IIS attack at all.

[SatanicPuppy (611928)]

There are several smart things that need to be done to protect yourself.

Restrict the account that is used to access the database to the absolute minimum permissions it needs to run; using one set of credentials for insert/update/delete and another for selects is enough to foil a lot of exploits (I actually never allow deletes, just out of paranoia...I just update the record with an "inactive" flag, and purge them later with a local account).

For gods sake, don't allow a single account to access multiple databases, and even within the database make sure it only has access to the tables you're going to be using. I've seen more than a few MySQL injections that just dump the user table to the screen because some joker didn't think he needed to restrict access for "SELECT" statements.

Escape ALL data that comes from userland. This is your first line of defense, and it's where most people screw up. If you let an escape character past without it being escaped, your only protection is the privileges associated with the user account.

Abstract your data methods. If you just throw out random SQL queries all through your code, you're going to make a mistake somewhere. Make a single method that does your selects. Make a single method that does your inserts, etc. If it's only in ONE PLACE you can go over the code in extreme detail. If the queries are scattered through the code, you can't.

This is all just best practice stuff. The most important thing is to PAY ATTENTION and remember that one unsecured account can screw your entire server.

Seems to be effecting older versions of IIS...

[mckinnsb (984522)]

Solution: Upgrade to Windows Vista!

I kid! I kid!

Honestly though, this is a little humiliating. I understand that things get out of control in large projects, but I thought most people nowadays should know that database input sanitizing now fell among those universal truths, including but not limited to: brushing your teeth, wearing a condom, et al.

Its unforgiving, but you really do have to sacrifice speed for security sometimes. That being said, I feel pretty bad for all those sys-admins/developers who are probably going to have a late nights tonight...and maybe for the next week or two.

Re:Seems to be effecting older versions of IIS...

[geminidomino (614729)]

http://xkcd.com/327/ [xkcd.com]

wait a second

[the brown guy (1235418)]

If I do not have noscript for ffx, then I am vulnerable, and I am also unsure of what happens when you are infected with one of these trojans or w/e. Is it really that bad if my computer is a POS that I use for nothing important? Is there a threat of keyloggers? I have zonealarm running and AVG antivirus,,,,,,

Article is misleading

[Geak (790376)]

The article states a google search found over 500,000 modified pages. The post states over 500,000 servers. This is seriously misleading. If a site is hacked you could have several hundred modified pages on the site. This brings the number of servers down considerably.

That sucks

[evil-osm (203438)]

Canadian National Security's site is on the list. Sigh.

serious

[the brown guy (1235418)]

www.safecanada.ca [Canadian National Security] www.n-somerset.gov.uk [UK Local Government] events.un.org [United Nations] www.unicef.org.uk [UNICEF]
These are a list of infected sites, don't click unless you know what you're doing. But I am worried when they affecting reasonably high traffic sites, whos visitors are not too likely to be running noscript.

This site makes me sick

[RzUpAnmsCwrds (262647)]

This site makes me sick sometimes. If this were a problem with PHP (which, mind you, it IS), we wouldn't be calling it a "vulnerability".

ASP.net has lots of built-in features to prevent SQL injection attacks (like bind parameters) and the ASP.net DB documentation specifically warns about this type of attack.

Anyone still getting hit with this in 2008 needs to be whacked on the head.

Re:This site makes me sick

[MrMunkey (1039894)]

Anyone still getting hit with this in 2008 needs to be whacked on the head.

This is true of any language, not just ASP. You can easily prevent SQL injection with Perl, Python, PHP, etc.

IIS bashing

[gzipped_tar (1151931)]

I've read a similar article on theregister.com: Web infection attacks more than 100,000 pages [theregister.co.uk]. There are also some interesting discussions over there.

This is a SQL injection, which is not specific to IIS. Any server-side program that fails to validate the input is subjected to this kind of exploit.

what does the trojan do?

[circletimessquare (444983)]

ok, story 1 is a sql injection

there seems to be a story 2 here: what the trojan will do in a few weeks to all of the IE users who visit these half a million sites

and, reading some of the links and finding that these trojan hosting domains are registered in china, there also seems to be a story 3: chinese hackers are pissed off

i got hacked shortly after the hainan island incident [wikipedia.org] in 2001. that is when the us spy satellite was bumped a chinese fighter, and was forced to land on hainan island (china). there was much chinese nationalist anger then, and it was taken out by hacking western sites with "f**k usa!" and the chinese flag replacing the main page

obviously, this hack is contemporaneous with the whole tibet riots/ olympic torch protests. that's the meat of this story, and that avenue seems unexplored as of yet. similar to the russian ddos of estonia due to the deprecation of a war statue in 2007 [slashdot.org]: the lesson is that, much like al qaeda and terrorism, cyber warfare is not so much a tool of any state government, but chest-thumping activity for ultranationalists and religious bigots and other organizations of cultural or national or religious chauvinism. the theme of the 21st century seems to be shaping up as partisan tribalism and extreme ideology reaching beyond the notions of sovereignty, statehood to go to war with each other in a novel ways

Re:what does the trojan do?

[Deanalator (806515)]

Please do not perpetuate hysteria.

The "Russian DDoS attacks of Estonia" were done by a few Estonian kids mad about some statues being moved around.

http://www.theregister.co.uk/2008/01/24/estonian_ddos_fine/ [theregister.co.uk]

There was no cyberwar, the Russian government had nothing to do with it, and every media source that mentioned it really needs to update their articles because the misinformation is causing far more harm than good.

500,000? Where'd that number come from?

[Robotron2084 (262343)]

Before you post such a headline, perhaps it would be a good idea to check your facts. I RTFA'ed and checked those links and there is no mention of how many servers were attacked. There were 510,000 pages mentioned, but pages do not equal servers. This a sensationalistic headline based on a sensationalistic interpretation of a Google web search.

I am not sure

[hesaigo999ca (786966)]

I googled this ("script srcscript" | "scriscript" | "scriptscript" )
and found 1,990,000 pages with this same script attack...as for how many servers this represents,
I don't know.

Still?

[xSacha (1000771)]

Gee, its 2008 already. Yet you can still search: inurl:.php form and attempt a pathetic SQL injection successfully on about 5% of your results. How pathetic. People should need a licence to write PHP/SQL.

Any meaning to the site names?

[Guppy (12314)]

Hmmm.... nihaorr1.com? "Ni Hao" is a greating, like "Hello" in Chinese. Anyone figure out any meaning behind the other names?

(Other meanings are possible as well, due to the large number of homophones in the language, but this is by far the most obvious meaning.)

SQL injection is not platform dependent

[twistah (194990)]

OK, so SQL Server prior to 2005 wasn't secured well by default, and xp_cmdshell() is like inviting a system-level compromise. But, as others have pointed out, ASP.NET/IIS isn't the only platform affected. In fact, this platform makes it easy to secure your scripts against most attacks, ans SQL Server 2k5 and IIS 6 and ASP.Net have added protections as well. On top of that, this platform has never been vulnerable to attacks due to superglobals, of file open functions which allow you to import remote files, even if disabled in the config (thanks PHP!) or a host of other things. And if you look at milw0rm.com and other such sites, you will see a majority of SQL injection vulnerabilities come out for open source products with a mySQL back-end these days. So somehow pointing out that this is an IIS problem, and that Firefox will protect you from evil IIS sites, just shows ignorance and bias. I love UNIX, I preffer it over Windows, but I am also grounded in reality. Yes, you will have a lot of compromised IIS servers, because you have a lot of clueless admins who write ASP scripts on their Windows boxes without paying any attention to security. But in those hands, LAMP is just as dangerous, if not even more so.

Oblig. XKCD

[eggnoglatte (1047660)]

http://xkcd.com/327/ [xkcd.com]

It's even on the UN's website

[probityrules (971026)]

A Google search for "nihaorr1.com" brings up events.un.org as an affected site.

" As per usual?"

[operagost (62405)]

Could someone please tell me what "as per usual" means? Does it mean, "as usual," or "per Usual"? Who is this "Usual" guy?

Interesting to note Windows admin responses

[caseih (160668)]

The iis.net forum is full of very interesting posts by windows admins. One guy was hacked no less than 3 times! Each time he just restored his database and thought all was well, and wondered how those dang hackers kept getting in. He even changed his passwords!

This is definitely not how most unix admins would react. If a machine is compromised (via whatever source) then a simple data restore is never good enough, unix admins know. The original vector must be identified and stopped. It's quite the contrast.

I've always maintained that a good unix guy can do anything on windows with a bit of training, but a windows guy will generally be completely out of his element in unix. Not sure why, exactly, as best practices are best practices.

following the breadcrumbs

[v1 (525388)]

The vulnerability being exploited is documented here [microsoft.com] and shows it was "last updated" April 23. (two days ago)

My favorite amusement is:

Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Thanks for that. Now that 500k servers got owned maybe you want to move on this sort of thing a little more seriously.

At the bottom they ask, How would you rate the usefulness of this content ? But there's no option for "a little late, eh?"

Though it DOES make me wonder if the publishing of this notice gave the idea to the makers of the malware. Makes a good case for not publishing a known vulnerability until either (1) its' in the wild already, or (2) you have a fix for it. Clearly neither of these were the case on Wednesday.

True story...

[gaspyy (514539)]

Just a few months ago we had to build a small custom CMS for a client, that had to be PHP/MySQL. The specs were very specific so it had to be custom-built. Since it was a relatively small work and we were involved in some bigger projects, we hired a contractor. Good references, a few years of experience, knew javascript, so we handled the project to him.

To his credit, the site actually worked and seemed fine, until you had a peek at the PHP code, which was truly horrific. I could overlook the nonsensical use of POST for things were GET was better suited or the crap variable naming, or the generally inefficient way of doing things - but what really got me was the complete absence of ANY input checking.

Simply put, the whole thing was completely vulnerable to SQL injection of the worst kind. I even checked his other works - all sites he'd ever done were vulnerable.

In the end, I had to spend a few more days myself just to clean the mess.

So, dear reader, if you don't know what SQL injections are - stop coding in whatever language you're using, right now. It doesn't matter if it's Ruby on Rails or ASP.NET. Please, please learn to do things properly. Security is not something you can learn later.

New AVG 8 free edition, the linkchecker catches it

[Fallen Andy (795676)]

... so update from 7.5 if you're using the free version. 8.0 has been available here [grisoft.com] since yesterday.

Interestingly (and I've been looking at this attack all day) it seems to overwrite itself in the middle.

Andy

The real clue...

[Aellus (949929)]

Aside from the obvious bias and ignorance on the subject, the real clue that the OP has no idea what he's talking about is that he writes "...an SQL..."

Just as dumb

[pembo13 (770295)]

When people laugh at Linux for being an OS with a webserver which hosts compromised web pages.

Idiots running webservers

[onesullivan (1279412)]

This is exactly what happens when you have a bunch of idiots running webservers. Come on people, it is not that hard to keep up with your updates...morons. For example, my site has been reviewed for security flaws by many, and has never had any problems, even with the php and MySql. Simply because I keep up with the patches. See for yourself: www.onesullivan.com

May relate to attack c.a. 11 april...

[Fallen Andy (795676)]

Some more digging and here in mangled form is what i've dug up... The IIS thread in the submitters post mentions that the site nihaorr1.com was registered 11 april. Interestingly, doing some spelunking with google for mangled script injection turned up refs to 414151.com and a script "fjp.js". That led me to a thread here [castlecops.com] from 11th April which mentions aspder.com . Hmm. There's a pattern here I think.

The real puzzle for me is *why* they haven't fixed the overwrite (unless it's a deliberate way of slowing growth).

Andy

SQL Injection = MS problem now??

[cmay (687134)]

So now you are blaming SQL Injection on Microsoft? Get a life.

Take that PHP haters

[Skylinux (942824)]

Ha, take that PHP haters .... this one is not caused by a n00b using PHP, it is caused by n00b using ASP.

Wait a minute.... could that possibly mean that PHP/ASP is not at fault when this stuff happens but the programmer(s)... where is this world coming to when the language can not be blamed anymore?

obnoxious headline

[Examancer2 (606336)]

"500 Thousand"

What an obnoxious headline. Either go with the numeric representation of the number (500,000) or spell it out properly (five hundred thousand). Didn't your English teacher tell you not to mix and match?

PHP Magic Quotes

[Richard_J_N (631241)]

With the Magic Quotes feature (on by default), PHP is unconditionally safe against SQL injection. All input data (GET,POST,COOKIES) are automatically parsed to backslash-escape single-quote, double-quote, and backslash. So, you can just use the input data, and never worry about compromise. (In my view, this is a very good idea, and the fail-safe nature is well worth the slight-inconvenience of having to occasionally remember to call stripslashes() if your data is not going to end up a database.)

What I cannot understand is why magic-quotes has been deprecated for PHP-6. Can anyone explain?

BTW, I'm not convinced by the advantages of stored procedures. Yes, they save you from SQL-injection risk (similar to magic-quotes), but the complexity of the resulting code is higher, and the readability is lower. Debugging cpomplex queries is hard enough already!

Boring

[codepunk (167897)]

It could have been more entertaining it had done a fetch from any tables where
it finds a field named user, pass, ssn etc ,combined the results and wrote it
to all text fields in all tables.

Patch your windows and use a web application fw

[Yoshimetso (1240968)]

You can't depend on developers any more, they are just doing the shit the easy way, no code checking, no code assessment, the business needs are more important than spending hours and hours trying to figure out where are the bugs!??? 80% of web developers are just careless. My advise is keep your windows servers up-to-date. And deploy a web app firewall from vendors like F5 or Citrix. Blocking these kinds of attacks at the gateway is faster and will cover all of the vulnerable applications. check out my blog here: http://extremesecurity.blogspot.com/2008/04/un-site-took-injection.html [blogspot.com]

Re:epic lol

[James Kilton (714163)]

Wow. The responses on the forum http://forums.iis.net/t/1148917.aspx?PageIndex=1 [iis.net] are sad indeed. Windows Security patches DON'T protect against shittily built websites. My favorite:

I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwritten that script into all of your products. Luckily a database restore fixed the problem. Two days later the same thing happened, I have changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing but this time as the pages are loaded ActivX is activated and wants to run but of course I did not allow it. Anybody has successfully solved this situation?

It truely sickens me how many web developers STILL don't know about SQL Injection.

Re:epic lol

[caluml (551744)]

Why do you think he's a developer? He sounds more like a sysadmin to me.
Sure, he should know about SQL injection stuff - but even if he did, would he be able to fix it?

Re:epic lol

[D Ninja (825055)]

Parent -1 Flamebait. (Actually...it's more Article -1 Flamebait.)

Anyway, as it has already been noted, this problem has nothing specifically to do with the IIS servers.

Two other notes:
FOSS is good, I agree. But FOSS, by default, is not always better than closed source solutions. Making a blanket statement like that is being just as close minded as the opposite camp.

Using M$ to represent Microsoft is soooooooo 1990s.

Re:Okay this is an honest question

[D Ninja (825055)]

Again, this has nothing to do with IIS. I'm being redundant, and MS has done some crappy things in the past, but this is due to poor web site development (specifically SQL injections) and nothing to do with IIS.

Re:epic lol

[TooMuchToDo (882796)]

EPIC FAIL.

OS Security != Application Securty

Re:Okay this is an honest question

[Shados (741919)]

First, as someone already stated, the vulnerabilty is in poor software development practice, and is pervasive in all environments, be in MS, Linux, Apache, IIS, PHP, ASP.NET, JAVA, whatever.

Second, IIS, since version 6, is amazingly secure, comparable with the likes of Apache. Its also the more straightforward platform to use as an ASP.NET server (obviously, unless you're into Mono), or to use along with a lot of fairly interesting technologies, such as TFS, Reporting Services, Sharepoints, etc.

On top of that, well, just by having a windows-based network, IIS is already "pre-configured". That is, aside for web server specific stuff, its already on your server, can be admin-ed the same way, etc. Adding a box with a different OS, a non-integrated web server, etc, is just overhead.

Same way as regardless of anything, if you were all java based, NOT using a java app server for your web apps would just be overhead, unless you have a damn good reasons.

Re:Okay this is an honest question

[wilsone8 (471353)]

Side node: (Why was the above poster modded up?)

Admitted newbie question here, but why do people even RUN MS IIS?

Typically, people install MS IIS for a host of mostly good reasons.

1) They are a MS shop. That means they already have a big investment in MS IT training and their developers understand Windows.

2) They're using Microsoft development tools to create other parts of the application and they want the seemless integration that VS.Net and IIS give you. Good luck trying to debug PHP or other applications on Apache. It can be done, but its not nearly as easy as on Windows.

Windows XP makes a great desktop environment for the office, but where does Microsoft have any business making server software other than Domain Controllers for telling their desktop machines what to do?

By that logic, companies should never be allowed to work on anything other than their cash cow. Good job; you just destroyed capitalism with single sentence!

The dangers of Apache and PHP

[willyhill (965620)]

Yeah sure [slashdot.org].

Add a healthy dose of misrepresentation, twisting of facts and oh-so-funny exaggeration (the IIS admins are running around in circles, LOLZORZ) and people like you can feel better about yourselves, at least for a few hours.

In the meantime, it's been 5+ years and no one has found an exploitable vulnerability in IIS.

I'm sure FOSS is better off this morning, thanks to kdawson, Slashdot and this type of misguided "advocacy". Might as well have twitter control the content of the front page.

Re:Okay this is an honest question

[ZenDragon (1205104)]

Clever troll... or do you just not think before you post?

IIS has its merits, just as apache does. ASP.net and other related technologies are a mainstay in the corporate environment whether you agree with it or not. They lend themselves well to rapid application development, and are well supported. Thus, it is cheap and easy to find talent within the field.

Regardless, your hosting platform will do nothing to fix bad code. The platform in this case, is irrelevent. Dont try to turn this into a soapbox to promote your own biased opinions.

FYI, I run several linux/apache servers as well as IIS/ASP servers. I am not impartial to either, as they each have their place in our environment.

Re:500 Thousand?!

[pclminion (145572)]

I'm 1 hundred % shocked.

I don't see why you think it's weird. People write numbers like this all the time, especially when talking about monetary amounts. For instance, "Microsoft made $100 billion last year."