500 Thousand MS Web Servers Hacked
andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
Re:Bias? (Score:5, Insightful)
It's such ridiculous flamebait, I don't know what to say.
This site makes me sick (Score:5, Insightful)
ASP.net has lots of built-in features to prevent SQL injection attacks (like bind parameters) and the ASP.net DB documentation specifically warns about this type of attack.
Anyone still getting hit with this in 2008 needs to be whacked on the head.
Re:Seems to be affecting older versions of IIS... (Score:3, Insightful)
IIS bashing (Score:2, Insightful)
I've read a similar article on theregister.com: Web infection attacks more than 100,000 pages [theregister.co.uk]. There are also some interesting discussions over there.
This is a SQL injection, which is not specific to IIS. Any server-side program that fails to validate the input is subject to this kind of exploit.
Re:This site makes me sick (Score:5, Insightful)
Re:epic lol (Score:5, Insightful)
Sure, he should know about SQL injection stuff - but even if he did, would he be able to fix it?
Re:Bias? (Score:4, Insightful)
If users of open source software want to protect our largely well-deserved right to be smug, we have to be no less vigilant against these attacks than the proprietary chumps. This particular attack may only have hit MS servers, but this category of attack in general is frighteningly equal-opportunity.
We can't take our superiority for granted; we have to earn it every day.
Re:Bias? (Score:5, Insightful)
It is NOT an IIS directed attack. At best, it's a loose correlation statistic, and one that's pretty useless without comparing it to other references, such as other web servers.
what does the trojan do? (Score:5, Insightful)
There seems to be a story 2 here: what the trojan will do in a few weeks to all of the IE users who visit these half a million sites.
And, reading some of the links and finding that these trojan hosting domains are registered in China, there also seems to be a story 3: Chinese hackers are pissed off.
I got hacked shortly after the Hainan Island incident [wikipedia.org] in 2001. That is when the US spy satellite was bumped by a Chinese fighter, and was forced to land on Hainan Island (China). There was much Chinese nationalist anger then, and it was taken out by hacking western sites with "f**k usa!" and the Chinese flag replacing the main page.
Obviously, this hack is contemporaneous with the whole Tibet riots / Olympic torch protests. That's the meat of this story, and that avenue seems unexplored as of yet. Similar to the Russian DDoS of Estonia due to the deprecation of a war statue in 2007 [slashdot.org]: the lesson is that, much like al Qaeda and terrorism, cyber warfare is not so much a tool of any state government, but chest-thumping activity for ultranationalists and religious bigots and other organizations of cultural or national or religious chauvinism. The theme of the 21st century seems to be shaping up as partisan tribalism and extreme ideology reaching beyond the notions of sovereignty and statehood to go to war with each other in novel ways.
Re:epic lol (Score:3, Insightful)
When such misconceptions are so pervasive (even in -articles- on a geek web site like here!), obviously newbies are going to be confused all over the place.
It's a bit similar to how there are still so many SQL Server DBAs who think stored procedures are faster by design than dynamic SQL.
Re:Bias? (Score:3, Insightful)
I love the difference in tone between the two submissions, and especially the "haha this is all a big joke, relax" tone of the comments on the other one.
It's unfortunate that Slashdot is becoming one big FUD-spewing machine.
Re:ob... (Score:5, Insightful)
The above quote is from the article link which lists "important sites that have been compromised". I think the important thing is that any site running MSSQL could potentially be compromised in a way that would affect a reader of that site who (a) does not have an updated web browser, or (b) doesn't have script disabled.
In 2008... why is it really so easy to put a damned single or double quote into a SQL form and then make it possible to execute your malicious code on that server? Shouldn't disabling this be a fundamental security rule for databases?
Re:500,000? Where'd that number come from? (Score:3, Insightful)
The dangers of Apache and PHP (Score:3, Insightful)
Add a healthy dose of misrepresentation, twisting of facts and oh-so-funny exaggeration (the IIS admins are running around in circles, LOLZORZ) and people like you can feel better about yourselves, at least for a few hours.
In the meantime, it's been 5+ years and no one has found an exploitable vulnerability in IIS.
I'm sure FOSS is better off this morning, thanks to kdawson, Slashdot and this type of misguided "advocacy". Might as well have twitter control the content of the front page.
Re:what does the trojan do? (Score:3, Insightful)
Re:Not really (Score:3, Insightful)
If you are under SarBox, remind them that this is a security audit issue.
This all can be done in a professional manner and not a 'get my stupid boss' manner.
If you deal with any personal information, in the report you will make before the meeting, show the PR and legal nightmare that happens when data gets out.
Your boss should not be telling you how to program.
Re:ob... (Score:5, Insightful)
It is fundamental. It's called secure input handling, or sanitizing input. Just because it's a rule doesn't mean it is followed.
Re:ob... (Score:4, Insightful)
"It Isn't Secure" is a tired old joke. But so is Microsoft!
Re:what does the trojan do? (Score:5, Insightful)
The "Russian DDoS attacks of Estonia" were done by a few Estonian kids mad about some statues being moved around.
http://www.theregister.co.uk/2008/01/24/estonian_ddos_fine/ [theregister.co.uk]
There was no cyberwar, the Russian government had nothing to do with it, and every media source that mentioned it really needs to update their articles because the misinformation is causing far more harm than good.
In other words.... (Score:1, Insightful)
In other words, it's a story perfectly suited for Slashdot and Slashdot's primary audience.
Re:Not really (Score:1, Insightful)
PHP has pretty much fixed SQL injection hacks, at least for MySQL, something TFA you quote mentions on page 74.
Please don't make me laugh. Try Googling this exact search phrase:
inurl:select inurl:where inurl:%20
PHP can give you all the protection in the world, but when you're designing your application with SQL query strings in the fucking URL, you're just hosed no matter what language you're using.
Re:ob... (Score:3, Insightful)
Re:ob... (Score:3, Insightful)
Besides, tutorials have no excuse anymore. In the PHP4 days it required extra code to be secure, but with PDO in PHP5, and bind variables, the easiest way to code things also happens to be the secure way. There are enough PHP5 web hosts out there that it makes sense to no longer support PHP4 other than for legacy systems.
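The point made here about bind variables, and earlier in the thread about ASP.net's bind parameters, is language-independent, so here is an added example (not code from any commenter, and in Python with sqlite3 rather than PHP's PDO) that puts a string-concatenated query next to a parameterized one and adds a defender-side audit for script tags left in text columns. The table, rows and the tampered description are constructed for the demo; `malicious.example` is a placeholder, not a domain from the article.

```python
import sqlite3

# Constructed sample data (not from the article). Row 3 carries the kind of
# script tag that an injected UPDATE appends to stored content.
ROWS = [
    (1, "Widget", "A fine widget."),
    (2, "Gadget", "A handy gadget."),
    (3, "Gizmo", 'A gizmo.<script src="http://malicious.example/x.js"></script>'),
]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def search_unsafe(conn, name):
    """Dynamic SQL built by concatenation: a quote inside `name` ends the
    string literal and the rest of the input becomes query structure."""
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, name):
    """Bound parameter: the driver hands `name` to the engine as a value,
    so quotes in it can never change the shape of the query."""
    sql = "SELECT id FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_injected_scripts(conn):
    """Audit check for admins: ids of rows whose text columns contain a
    <script tag, the trace an injection leaves when it rewrites content."""
    sql = ("SELECT id FROM products WHERE lower(name) LIKE '%<script%' "
           "OR lower(description) LIKE '%<script%'")
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"      # a quote-bearing input, not a product name
    print("unsafe:", search_unsafe(db, probe))   # every row comes back
    print("safe:  ", search_safe(db, probe))     # nothing matches literally
    print("tampered rows:", find_injected_scripts(db))
```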