500 Thousand MS Web Servers Hacked

andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."

Bias?

SQL injection is a result of poor data validation on the part of the web application - not, as the blurb implies, an indicator of an insecure web server. LAMP installations are also susceptible to SQL injection [mysql.com] (PDF). From TFA:

Unless [...] data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls.

As for the fact that Firefox + NoScript prevents the problems, that really isn't a surprise seeing as these specific exploits rely on executing a JScript. Any browser with scripting disabled would be immune.

The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.

Re:Bias?

I agree, and that was my first reaction: "Wtf does IIS have to do with SQL injection". If nothing else, a LAMP stack would be more susceptible, not because of the servers, but because PHP didn't have mainstream prepared statements as part of a default standard install in its earlier versions, and now that it DOES have it, a lot of script kiddies or peanut gallery programmers aren't using them, as opposed to Java/.NET/Whatever which, while still having some issues with the same group of newbie developers, are prepared-statement centric in their development paradigms and documentation, thus reducing the amount of possible SQL injection significantly, unless the apps are made in legacy environments too.

Its such a rediculous flamebait, I don't know what to say.

Re:Bias?

> "Wtf does IIS have to do with SQL injection". RTFA:

the attackers looked for ASP or ASPX pages containing any type of querystring

This specific attack, of which google has found over half a million affected pages, is targeted at IIS.

Re:Bias?

Doesn't change that IIS doesn't have anything to do with it. If you take aside that both ASP and ASP.NET (more ASP though) aren't IIS specific by a long shot, the attack is targeting specific technologies, then targetting specific software development flaws within the boundaries of those technologies. If I'm running PERL/PHP on my server, it won't see it. If I'm running an ASP page on Apache, it will, and even if my server hasn't been patched for the last 5 years, I'm no more or less vulnerable to that attack.

If the attackers looked for servers that were advertising themselves as IIS, and/or attacked IIS vulnerabilities or bad administration practices, you'd have a point. But the fact that the servers were running IIS was little beyond a strong corelation.

Re:Bias?

The admins on the ground seem to disagree [iis.net] with you. From that page, "Our initial investigations are pointing at an attack through IIS using ASP in an overload."

Re:Bias?

No, i'm not trolling. My point is that the story itself is trolling. This isn't an IIS directed attack, it is a "bad programming" directed attack. The -same- attack, exactly, would work -regardless- of the server. You don't even need to CHECK which server is running on the machine for this attack to work, since the server is IRRELEVENT, and I was trying to demonstrate that. Nothing more.

It is NOT an IIS directed attack. At best, its a loose corelation statistic, and one thats pretty useless without comparing it to other references, such as other web servers.

Re:Bias?

In fact, the attack enumerates all ASP variables and tries to force a SQL payload in them, that in turn if executed adds the link to the malicious script to every textfield in the database. A very simple vulnerability scanner, if you like, targeting only ASP applications - thus the ISS spin.
Since we don't see the LAMP version spreading I think we can safely conclude that no web application written in PHP with a MySQL back-end is currently vulnerable to any type of SQL injection.

Re:Bias?

I have to agree that this is highly Biased.
This has nothing to do with IIS, SQL or ASP, coding against SQL injection is the responsibility of web designer. Also it should be noted that ASP was originally released way back when with NT4.0 in 1996(v1) , 2.0 in 1997 and 3.0 in 2000 http://en.wikipedia.org/wiki/Active_Server_Pages [wikipedia.org].

With the newer ASP.NET MS was kind enough to provide several layers of protection against attacks such as SQL injection with both server side and client side validation applied to controls when built in the designer (by default).

Re:Bias?

The blurb completely misquotes the article. The article clearly states pages as reported by google. Plus, Google is hardly a live metric for the state of the internet. It really gives us a very poor estimate of how much impact this is having.

Also, which browsers are affected? It sounds like most of the exploits being used against the browsers have already been patched. Is there a new one there?

Re:Not really

As so has ASP.NET. I write (almost) all my database queries parametrized like this

SqlConnection conn = ...
SqlCommand cmd = ...
cmd.CommandText = "SELECT * FROM Foo WHERE Bar = @bar";
cmd.Parameters.AddWithValue("bar", barValue);

This way I'm pretty safe from SQL injection attacks. Add all the HTML encoding/decoding stuff to that and you can rest your nights peacefully.

Then enter the PHB. Now a days we stuff all the parameters straight to the DB procedure where they aren't sanitized at all. We build SQL query inside the stored proc by concatenating strings and call sp_execute to execute them. So all my earlier input validation and parameterized queries went down the drain. PHB's reasoning? - We trust our users.

This site makes me sick

This site makes me sick sometimes. If this were a problem with PHP (which, mind you, it IS), we wouldn't be calling it a "vulnerability".

ASP.net has lots of built-in features to prevent SQL injection attacks (like bind parameters) and the ASP.net DB documentation specifically warns about this type of attack.

Anyone still getting hit with this in 2008 needs to be whacked on the head.

Re:This site makes me sick

Anyone still getting hit with this in 2008 needs to be whacked on the head.

This is true of any language, not just ASP. You can easily prevent SQL injection with Perl, Python, PHP, etc.

what does the trojan do?

ok, story 1 is a sql injection

there seems to be a story 2 here: what the trojan will do in a few weeks to all of the IE users who visit these half a million sites

and, reading some of the links and finding that these trojan hosting domains are registered in china, there also seems to be a story 3: chinese hackers are pissed off

i got hacked shortly after the hainan island incident [wikipedia.org] in 2001. that is when the us spy satellite was bumped a chinese fighter, and was forced to land on hainan island (china). there was much chinese nationalist anger then, and it was taken out by hacking western sites with "f**k usa!" and the chinese flag replacing the main page

obviously, this hack is contemporaneous with the whole tibet riots/ olympic torch protests. that's the meat of this story, and that avenue seems unexplored as of yet. similar to the russian ddos of estonia due to the deprecation of a war statue in 2007 [slashdot.org]: the lesson is that, much like al qaeda and terrorism, cyber warfare is not so much a tool of any state government, but chest-thumping activity for ultranationalists and religious bigots and other organizations of cultural or national or religious chauvinism. the theme of the 21st century seems to be shaping up as partisan tribalism and extreme ideology reaching beyond the notions of sovereignty, statehood to go to war with each other in a novel ways

Re:what does the trojan do?

Please do not perpetuate hysteria.

The "Russian DDoS attacks of Estonia" were done by a few Estonian kids mad about some statues being moved around.

http://www.theregister.co.uk/2008/01/24/estonian_ddos_fine/ [theregister.co.uk]

There was no cyberwar, the Russian government had nothing to do with it, and every media source that mentioned it really needs to update their articles because the misinformation is causing far more harm than good.

500,000? Where'd that number come from?

Before you post such a headline, perhaps it would be a good idea to check your facts. I RTFA'ed and checked those links and there is no mention of how many servers were attacked. There were 510,000 pages mentioned, but pages do not equal servers. This a sensationalistic headline based on a sensationalistic interpretation of a Google web search.

Re:epic lol

Wow. The responses on the forum http://forums.iis.net/t/1148917.aspx?PageIndex=1 [iis.net] are sad indeed. Windows Security patches DON'T protect against shittily built websites. My favorite:

I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwritten that script into all of your products. Luckily a database restore fixed the problem. Two days later the same thing happened, I have changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing but this time as the pages are loaded ActivX is activated and wants to run but of course I did not allow it. Anybody has successfully solved this situation?

It truely sickens me how many web developers STILL don't know about SQL Injection.

Re:epic lol

Why do you think he's a developer? He sounds more like a sysadmin to me.
Sure, he should know about SQL injection stuff - but even if he did, would he be able to fix it?

Re:ob...

Does it run on linux.

That is actually a good question and the first thing I thought of. While I'm not worried about my little webserver being hacked as it runs on Linux without MySQL, I am worried about my browser.

If I run Firefox on Linux without NoScript, is there a danger?

Re:ob...

In other words, you can't rely on the site you are visiting to be safe.. so the onus is on the end user to make sure their PC is fully patched and as secure as possible.

The above quote is from the article link which lists "important sites that have been compromised". I think the important thing is that any site running MSSQL could potentially be compromised in a way that would affect a reader of that site who (a) does not have an updated web browser, or (b) doesn't have script disabled.

In 2008... why is it really so easy to put a damned single or double quote into a SQL form and then make it possible to execute your malicious code on that server? Shouldn't disabling this be a fundamental security rule for databases?

Re:ob...

In 2008... why is it really so easy to put a damned single or double quote into a SQL form and then make it possible to execute your malicious code on that server? Shouldn't disabling this be a fundamental security rule for databases?

It is fundamental. It's called secure input handling, or sanitizing input. Just because it's a rule doesn't mean it is followed.

Re:ob...

Did you really name your kid "Robert'); DROP TABLE Students; --"?

Re:ob...

Obligatory link:
http://xkcd.com/327/ [xkcd.com]

Re:ob...

Oh, yes. Little Bobby Tables, we call him.

Re:The Trojan is hosted in China

I'm sure you mean Persia.

And I'm sure you meant Turkey.(http://en.wikipedia.org/wiki/Troy [wikipedia.org]).

Re:So this isn't an IIS attack at all.

There are several smart things that need to be done to protect yourself.

Restrict the account that is used to access the database to the absolute minimum permissions it needs to run; using one set of credentials for insert/update/delete and another for selects is enough to foil a lot of exploits (I actually never allow deletes, just out of paranoia...I just update the record with an "inactive" flag, and purge them later with a local account).

For gods sake, don't allow a single account to access multiple databases, and even within the database make sure it only has access to the tables you're going to be using. I've seen more than a few MySQL injections that just dump the user table to the screen because some joker didn't think he needed to restrict access for "SELECT" statements.

Escape ALL data that comes from userland. This is your first line of defense, and it's where most people screw up. If you let an escape character past without it being escaped, your only protection is the privileges associated with the user account.

Abstract your data methods. If you just throw out random SQL queries all through your code, you're going to make a mistake somewhere. Make a single method that does your selects. Make a single method that does your inserts, etc. If it's only in ONE PLACE you can go over the code in extreme detail. If the queries are scattered through the code, you can't.

This is all just best practice stuff. The most important thing is to PAY ATTENTION and remember that one unsecured account can screw your entire server.