500 Thousand MS Web Servers Hacked 332
andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
Bias? (Score:5, Informative)
The tone of the blurb is not only biased but also counter-productive to promoting open source (as this appears to be its intention): by trying to criticise closed technologies not by highlighting their actual deficiencies but instead by spreading FUD, the whole community is done a disservice.
The Trojan is hosted in China (Score:2, Informative)
Re:epic lol (Score:5, Informative)
Not really (Score:4, Informative)
Re:Bias? (Score:5, Informative)
Also, which browsers are affected? It sounds like most of the exploits being used against the browsers have already been patched. Is there a new one there?
Re:LOL (Score:3, Informative)
In any semi-advanced programming language or framework (including PHP, even more so since PHP5 as it doesn't require any extension or whatever), you just use prepared statements. Maybe that MS SQL Server admin was a bozo, but in VB, you'll almost always be using prepared statements (even in VB5-6, pre-.NET), or at worse, stored procedures, which act as prepared statements.
SQL string escaping is inexistant in environments where prepared statements are first class citizens of the language/framework, because they're inferior methods of handling it. (and again: even in PHP its not what you're supposed to do).
Re:epic lol (Score:3, Informative)
Anyway, as it has already been noted, this problem has nothing specifically to do with the IIS servers.
Two other notes:
FOSS is good, I agree. But FOSS, by default, is not always better than closed source solutions. Making a blanket statement like that is being just as close minded as the opposite camp.
Using M$ to represent Microsoft is soooooooo 1990s.
Re:ob... (Score:2, Informative)
500,000? Where'd that number come from? (Score:5, Informative)
Re:So this isn't an IIS attack at all. (Score:3, Informative)
In development, it often IS simpler to start with a single hardcoded SQL query (probably cut and paste from your DB tool, and then if your language supports + or . for string concat, it's easier to just do a "+variablename+" where the hardcoded value was -- plus, it keeps the flow of the SQL 'sentence' in correct order, rather than that kind of weird "sprintf()"ness you get when you have placeholder ?s in your string and a list of variables at the end.
Mind you, I'm not defending this; it's still a D,U,M thing to do, but also it is a lazier route, it doesn't really "take more time to develop, harder to read and maintain" like you said.
Re:Bias? (Score:5, Informative)
Re:So this isn't an IIS attack at all. (Score:5, Informative)
Restrict the account that is used to access the database to the absolute minimum permissions it needs to run; using one set of credentials for insert/update/delete and another for selects is enough to foil a lot of exploits (I actually never allow deletes, just out of paranoia...I just update the record with an "inactive" flag, and purge them later with a local account).
For gods sake, don't allow a single account to access multiple databases, and even within the database make sure it only has access to the tables you're going to be using. I've seen more than a few MySQL injections that just dump the user table to the screen because some joker didn't think he needed to restrict access for "SELECT" statements.
Escape ALL data that comes from userland. This is your first line of defense, and it's where most people screw up. If you let an escape character past without it being escaped, your only protection is the privileges associated with the user account.
Abstract your data methods. If you just throw out random SQL queries all through your code, you're going to make a mistake somewhere. Make a single method that does your selects. Make a single method that does your inserts, etc. If it's only in ONE PLACE you can go over the code in extreme detail. If the queries are scattered through the code, you can't.
This is all just best practice stuff. The most important thing is to PAY ATTENTION and remember that one unsecured account can screw your entire server.
SQL injection is not platform dependent (Score:2, Informative)
Re:Bias? (Score:5, Informative)
Looking at the IIS forum... (Score:4, Informative)
However, it is now abundantly clear that the attack is NOT ASP-specific, and just because one of the vectors it tries is based on ActiveX does NOT mean it doesn't try other methods. It only means that the people who spotted it early spotted it trying that method. Although it's unlikely to have an attack library for multiple OS', it would be surprising if it didn't have some alternative action for when ActiveX isn't available.
I'm concerned about the number of Government sites that have been shown to be vulnerable, especially (as has been commented by others on Slashdot) a Canadian site dealing with national security. This attack is unlikely to cause any particular lasting harm, but stop and think. These are the sorts of sites that actually need to be secure. Even if not directly connected to internal secure networks (and I'd be willing to bet that far more are than are supposed to be), they are high-profile and for that reason alone are likely to be much more at-risk than other sites.
Most smaller websites are just point-of-presence and information sites. It's an irritant if they vanish for a while, but it's unlikely to hurt anything. Nobody is going to die if a blog site isn't available for an hour or so, unless they're a serious addict. No small vendor is going to lose business if their PDF datasheets aren't reachable for a little while. Adult sites risk making a one or two percent loss of webcam income out of their steady stream of millions. I seriously doubt anyone from the United Methodist church will suddenly become Mormon or Catholic because their primary website was hit.
Re:ob... (Score:5, Informative)
http://xkcd.com/327/ [xkcd.com]
Re:ob... (Score:3, Informative)
Just because there are rules, doesn't mean people know about them. I frequent a flash forum where people often ask how to integrate flash with mysql via a php script. The vast majority of the code posted there is open to sql injection. This is not a matter of laziness, it is ignorance.
And this is perfectly understandable if you look at the tutorial sites out there. Take for example the number 3 result for a google search for "php mysql". It gives the following code, with a short mumble in the precursor about addslashes:
If the tutorial writers can't even be bothered to write secure code, how can people who learn from tutorials be expected to? I think the tutorial sites have an obligation to correct or remove any tutorials that have basic coding mistakes like these in them.
Re:More data needed (Score:4, Informative)
Create Procedure GetUserTelePhone(@UserName varchar(50))
Begin
Declare @sql varchar(300)
Set @sql = 'SELECT TelePhone From Users where UserName=''' + @UserName + ''''
return exec(@sql)
END
See, there you go, completely open to sql injection, and it's a stored procedure. The problem isn't that people aren't using stored procedures, it's that people are creating queries which result from the concatenation of strings and variables, which invariably leaves them open to attack. A much better way to do things, is to use prepared queries, either in you stored procedures, or just using prepared queries directly in the code.