
500 Thousand MS Web Servers Hacked

andrewd18 writes "According to F-Secure, over 500,000 web servers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious JavaScript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
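The story describes content that has been altered so that pages load script from the three domains named above. As an added example (not from the story, F-Secure or any of the linked writeups), here is a Python check a site owner could run over the rows of a text column to find entries that now load script from those domains; the domains are taken from the story, the script file name and the sample rows are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the story; a page that loads script from them has been tampered with.
MALICIOUS_HOSTS = {"nmidahena.com", "aspder.com", "nihaorr1.com"}

class ScriptSrcCollector(HTMLParser):
    # Collects the src attribute of every <script> tag, quoted or not.
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)

def script_hosts(fragment):
    parser = ScriptSrcCollector()
    parser.feed(fragment)
    hosts = []
    for src in parser.sources:
        host = urlsplit(src.strip()).hostname  # None for relative paths such as /app.js
        if host:
            hosts.append(host.lower())
    return hosts

def injected_hosts(fragment, bad_hosts=MALICIOUS_HOSTS):
    # Flag the listed domain itself or any subdomain of it.
    return sorted({h for h in script_hosts(fragment)
                   if h in bad_hosts or any(h.endswith("." + b) for b in bad_hosts)})

def scan_rows(rows, bad_hosts=MALICIOUS_HOSTS):
    # rows: (row_id, text) pairs pulled from a text column; returns the tainted ones.
    return [(row_id, hits) for row_id, text in rows
            if (hits := injected_hosts(text, bad_hosts))]

# Constructed sample rows; the script file name is a placeholder, not the real one.
SAMPLE_ROWS = [
    (1, "<p>Welcome</p>"),
    (2, "<p>Events</p><script src=http://nihaorr1.com/placeholder.js></script>"),
    (3, '<p>News</p><script src="/static/app.js"></script>'),
    (4, '<p>About</p><script src="https://www.aspder.com/placeholder.js"></script>'),
]

if __name__ == "__main__":
    for row_id, hosts in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id}: loads script from {', '.join(hosts)}")
```

Unquoted `src=` values, as in row 2, are handled because html.parser accepts unquoted attribute values; a hit means the row needs restoring from a clean backup, and the application that wrote it needs the injection fixed.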
  • Re:Bias? (Score:4, Interesting)

    by ischorr ( 657205 ) on Friday April 25, 2008 @11:54AM (#23198678)
    Also, is it 500,000 web *sites* identified so far, or 510,000 web *pages*?
  • Re:ob... (Score:5, Interesting)

    by ArcherB ( 796902 ) on Friday April 25, 2008 @12:02PM (#23198802) Journal

    Does it run on Linux.
    That is actually a good question and the first thing I thought of. While I'm not worried about my little webserver being hacked as it runs on Linux without MySQL, I am worried about my browser.

    If I run Firefox on Linux without NoScript, is there a danger?

  • Re:Bias? (Score:2, Interesting)

    by jellomizer ( 103300 ) on Friday April 25, 2008 @12:05PM (#23198844)
    '); drop table users; --Yea this is a microsoft problem. That wouldn't be the cause of poor website development.
  • Re:Bias? (Score:5, Interesting)

    by toby360 ( 524944 ) on Friday April 25, 2008 @12:14PM (#23198980)
    I have to agree that this is highly biased.
    This has nothing to do with IIS, SQL or ASP; coding against SQL injection is the responsibility of the web designer. Also it should be noted that ASP was originally released way back when with NT 4.0 in 1996 (v1), 2.0 in 1997 and 3.0 in 2000 http://en.wikipedia.org/wiki/Active_Server_Pages [wikipedia.org].

    With the newer ASP.NET MS was kind enough to provide several layers of protection against attacks such as SQL injection with both server side and client side validation applied to controls when built in the designer (by default).
  • Re:ob... (Score:2, Interesting)

    by plague3106 ( 71849 ) on Friday April 25, 2008 @12:14PM (#23198982)
    Except that SQL injections can happen on any web server with a poorly coded application. So you should be marked as troll, but your comments on IIS are just here to stir up MS fanboys. To be fair, it's been a long time since there was any huge number of exploits on IIS.
  • Re:Bias? (Score:5, Interesting)

    by Shados ( 741919 ) on Friday April 25, 2008 @12:38PM (#23199314)
    Doesn't change that IIS doesn't have anything to do with it. If you take aside that both ASP and ASP.NET (more ASP though) aren't IIS specific by a long shot, the attack is targeting specific technologies, then targeting specific software development flaws within the boundaries of those technologies. If I'm running PERL/PHP on my server, it won't see it. If I'm running an ASP page on Apache, it will, and even if my server hasn't been patched for the last 5 years, I'm no more or less vulnerable to that attack.

    If the attackers looked for servers that were advertising themselves as IIS, and/or attacked IIS vulnerabilities or bad administration practices, you'd have a point. But the fact that the servers were running IIS was little beyond a strong correlation.
  • by Guppy ( 12314 ) on Friday April 25, 2008 @12:39PM (#23199324)
    Hmmm.... nihaorr1.com? "Ni Hao" is a greeting, like "Hello" in Chinese. Anyone figure out any meaning behind the other names?

    (Other meanings are possible as well, due to the large number of homophones in the language, but this is by far the most obvious meaning.)
  • Re:Not really (Score:5, Interesting)

    by weicco ( 645927 ) on Friday April 25, 2008 @12:48PM (#23199486)

    As so has ASP.NET. I write (almost) all my database queries parametrized like this

    using System.Data.SqlClient;
    // connectionString is assumed to be defined elsewhere (placeholder for the elided value)
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = conn.CreateCommand())
    {
        cmd.CommandText = "SELECT * FROM Foo WHERE Bar = @bar";
        cmd.Parameters.AddWithValue("@bar", barValue); // bound as a parameter, never concatenated
    }

    This way I'm pretty safe from SQL injection attacks. Add all the HTML encoding/decoding stuff to that and you can rest your nights peacefully.

    Then enter the PHB. Nowadays we stuff all the parameters straight into the DB procedure where they aren't sanitized at all. We build the SQL query inside the stored proc by concatenating strings and call sp_execute to execute them. So all my earlier input validation and parameterized queries went down the drain. PHB's reasoning? - We trust our users.

  • by probityrules ( 971026 ) on Friday April 25, 2008 @12:48PM (#23199492) Homepage
    A Google search for "nihaorr1.com" brings up events.un.org as an affected site.
  • Re:Bias? (Score:3, Interesting)

    by shutdown -p now ( 807394 ) on Friday April 25, 2008 @02:29PM (#23200882) Journal
    The admins on the ground are so clueless it hurts to even read the posts. They actually think they can close the hole by searching for strings such as "EXEC", "SELECT" or "NVARCHAR" in all query parameters and rejecting the request if anything similar is found. The words "escaping" and "parametrized queries" are not found once in the whole thread.

    If you actually bother to read the thread, anyway, it's clear that the problem is indeed with applications that use queries like "SELECT * FROM Users WHERE Name LIKE '" + Request("User") + "%'". As far as I'm concerned, anyone who writes code like that in 2008, when SQL injection is explained even in books like "PHP in 7 days for total idiots", deserves what they get, be it Perl/CGI, IIS+ASP, LAMP, or whatever else.
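The two comments above (weicco's parameterized query and the concatenated LIKE query with the keyword blacklist "fix" in this one) are illustrated by the following added example, which is not from either poster. It uses Python's sqlite3 in place of ASP/SQL Server, a constructed Users table, and a constructed input whose quote closes the string literal; it shows that the keyword blacklist does not catch it, that the concatenated query is altered by it, and that the parameterized query treats it as plain data.

```python
import sqlite3

# Constructed sample rows standing in for the Users table named in the thread.
SAMPLE_USERS = [("alice",), ("bob",), ("O'Brien",)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?)", SAMPLE_USERS)
    return conn

def find_users_unsafe(conn, user):
    # The pattern quoted above: the request value is pasted into the statement
    # text, so any quote character in it is parsed as SQL, not as data.
    sql = "SELECT Name FROM Users WHERE Name LIKE '" + user + "%'"
    return [row[0] for row in conn.execute(sql)]

def find_users_safe(conn, user):
    # Parameterized form: the driver binds the value; it is never parsed as SQL.
    sql = "SELECT Name FROM Users WHERE Name LIKE ?"
    return [row[0] for row in conn.execute(sql, (user + "%",))]

def keyword_blacklist_allows(value):
    # The "fix" the thread ridicules: reject any request containing SQL keywords.
    return not any(k in value.upper() for k in ("EXEC", "SELECT", "NVARCHAR"))

def unsafe_breaks_on_apostrophe(conn):
    # A legitimate name with an apostrophe is already enough to break the
    # concatenated query; the parameterized one handles it.
    try:
        find_users_unsafe(conn, "O'")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    # Constructed input whose quote closes the literal and appends a tautology.
    altered = "x' OR Name LIKE '"
    print("blacklist lets it through:", keyword_blacklist_allows(altered))
    print("unsafe returns:", find_users_unsafe(db, altered))   # every user
    print("safe returns:", find_users_safe(db, altered))       # nothing
    print("unsafe breaks on O':", unsafe_breaks_on_apostrophe(db))
    print("safe handles O':", find_users_safe(db, "O'"))
```

The blacklist also rejects a legitimate search for "Selectman" while letting the altered input through, which is the wrong way round; binding parameters fixes both problems at once.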

  • by Macthorpe ( 960048 ) on Friday April 25, 2008 @06:31PM (#23203582) Journal
    From an ex-user of Panda Antivirus, take what they say with a pinch of salt.