500 Thousand MS Web Servers Hacked
andrewd18 writes "According to F-Secure, over 500,000 web servers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious JavaScript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
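For the "server admins should be alert" part, here is an added triage script (it is not from the summary, F-Secure or Krebs). It assumes SQL Server 2005 or later and that the redirect was delivered the way the summary describes: injected into string columns of the application database, from where the pages render it. The only indicators it knows are the three domains named above; the temp table and column names are the example's own. It is read-only and reports which table/column pairs contain references and how many rows, so you know what to restore or scrub.

```sql
-- Added triage script, not part of the original summary.
-- Assumes SQL Server 2005+; scans every char/varchar/nchar/nvarchar/text/ntext
-- column of every user table in the current database for the three domains
-- named in the summary. Reports only; it modifies no application data.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#indicators') IS NOT NULL DROP TABLE #indicators;
IF OBJECT_ID('tempdb..#hits')       IS NOT NULL DROP TABLE #hits;

-- Indicators are constructed from the summary text; extend as needed.
CREATE TABLE #indicators (pattern nvarchar(100) NOT NULL);
INSERT INTO #indicators (pattern) VALUES (N'%nmidahena.com%');
INSERT INTO #indicators (pattern) VALUES (N'%aspder.com%');
INSERT INTO #indicators (pattern) VALUES (N'%nihaorr1.com%');

CREATE TABLE #hits (
    table_name  nvarchar(300) NOT NULL,
    column_name sysname       NOT NULL,
    pattern     nvarchar(100) NOT NULL,
    row_count   int           NOT NULL
);

DECLARE @schema sysname, @table sysname, @column sysname,
        @fullname nvarchar(300), @sql nvarchar(max);

-- Every character-typed column in every user table.
DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.columns c
    JOIN sys.tables  t ON t.object_id = c.object_id
    JOIN sys.schemas s ON s.schema_id = t.schema_id
    WHERE TYPE_NAME(c.system_type_id) IN ('char','varchar','nchar','nvarchar','text','ntext');

OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Object names come from the catalog and are wrapped in QUOTENAME, so a
    -- hostile table name cannot inject into the generated statement; the
    -- patterns are joined in from #indicators rather than spliced into the
    -- SQL text. text/ntext are cast so LIKE behaves uniformly.
    SET @fullname = QUOTENAME(@schema) + N'.' + QUOTENAME(@table);
    SET @sql = N'SELECT @t, @c, i.pattern, COUNT(*) '
             + N'FROM ' + @fullname + N' AS x '
             + N'JOIN #indicators AS i '
             + N'  ON CAST(x.' + QUOTENAME(@column) + N' AS nvarchar(max)) LIKE i.pattern '
             + N'GROUP BY i.pattern';

    INSERT INTO #hits (table_name, column_name, pattern, row_count)
    EXEC sp_executesql @sql, N'@t nvarchar(300), @c sysname', @t = @fullname, @c = @column;

    FETCH NEXT FROM col_cur INTO @schema, @table, @column;
END
CLOSE col_cur;
DEALLOCATE col_cur;

-- Contaminated columns first, biggest first.
SELECT table_name, column_name, pattern, row_count
FROM #hits
ORDER BY row_count DESC, table_name, column_name;
```

Run it against each application database on the affected server. A non-empty result tells you where the injected markup landed; the fix is still to close the injectable code path and restore or clean the affected rows, since scrubbing the columns without fixing the application only invites the next pass.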
Re:Bias? (Score:4, Interesting)
Re:ob... (Score:5, Interesting)
If I run Firefox on Linux without NoScript, is there a danger?
Re:Bias? (Score:2, Interesting)
Re:Bias? (Score:5, Interesting)
This has nothing to do with IIS, SQL or ASP; coding against SQL injection is the responsibility of the web designer. Also it should be noted that ASP was originally released way back with NT 4.0 in 1996 (v1), 2.0 in 1997 and 3.0 in 2000: http://en.wikipedia.org/wiki/Active_Server_Pages
With the newer ASP.NET, MS was kind enough to provide several layers of protection against attacks such as SQL injection, with both server-side and client-side validation applied to controls when built in the designer (by default).
Re:ob... (Score:2, Interesting)
Re:Bias? (Score:5, Interesting)
If the attackers looked for servers that were advertising themselves as IIS, and/or attacked IIS vulnerabilities or bad administration practices, you'd have a point. But the fact that the servers were running IIS was little beyond a strong correlation.
Any meaning to the site names? (Score:4, Interesting)
(Other meanings are possible as well, due to the large number of homophones in the language, but this is by far the most obvious meaning.)
Re:Not really (Score:5, Interesting)
So has ASP.NET. I write (almost) all my database queries parameterized, like this:

```csharp
using System.Data.SqlClient;

using (SqlConnection conn = new SqlConnection(connectionString)) // connection string defined elsewhere
{
    SqlCommand cmd = conn.CreateCommand();
    cmd.CommandText = "SELECT * FROM Foo WHERE Bar = @bar"; // placeholder, no string concatenation
    cmd.Parameters.AddWithValue("@bar", barValue);          // value is sent typed, never as SQL text
    conn.Open();
    // execute cmd ...
}
```

This way I'm pretty safe from SQL injection attacks. Add all the HTML encoding/decoding stuff to that and you can rest your nights peacefully.
Then enter the PHB. Nowadays we stuff all the parameters straight into the DB procedure, where they aren't sanitized at all. We build the SQL query inside the stored proc by concatenating strings and call sp_execute to execute them. So all my earlier input validation and parameterized queries went down the drain. PHB's reasoning? "We trust our users."
It's even on the UN's website (Score:2, Interesting)
Re:Bias? (Score:3, Interesting)
If you actually bother to read the thread, anyway, it's clear that the problem is indeed with applications that use queries like "SELECT * FROM Users WHERE Name LIKE '" + Request("User") + "%'". As far as I'm concerned, anyone who writes code like that in 2008, when SQL injection is explained even in books like "PHP in 7 days for total idiots", deserves what they get, be it Perl/CGI, IIS+ASP, LAMP, or whatever else.
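An added example, not from either commenter, tying the LIKE query quoted just above to the "build SQL inside the stored proc by concatenating strings" setup described in the "Re:Not really" comment: the same splice, done in T-SQL after the application has dutifully passed the value as a parameter, beside a version that keeps the dynamic SQL but hands the value to sp_executesql as a typed parameter. It assumes SQL Server 2008 or later; dbo.Users, its columns and rows, and the two procedure names are constructed for the demo (the vulnerable form uses EXEC() rather than the sp_execute the commenter mentions).

```sql
-- Added example, not the commenters' code. Assumes SQL Server 2008+.
-- dbo.Users and its rows are constructed for the demo; run in a scratch database.
CREATE TABLE dbo.Users (
    Id      int IDENTITY(1,1) PRIMARY KEY,
    Name    nvarchar(50) NOT NULL,
    IsAdmin bit NOT NULL DEFAULT 0
);
INSERT INTO dbo.Users (Name, IsAdmin) VALUES (N'alice', 0), (N'bob', 1), (N'carol', 0);
GO

-- Vulnerable: same shape as  "...WHERE Name LIKE '" + Request("User") + "%'",
-- except the concatenation now happens inside the procedure. Whatever text
-- results is executed as SQL, so the parameter on the way in bought nothing.
CREATE PROCEDURE dbo.FindUsers_Unsafe @user nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name FROM dbo.Users WHERE Name LIKE ''' + @user + N'%''';
    EXEC (@sql);
END
GO

-- Safe: the SQL text is a constant and the value travels through
-- sp_executesql as a typed parameter. LIKE metacharacters are escaped so a
-- search for "100%" or "a_b" matches those characters literally.
CREATE PROCEDURE dbo.FindUsers_Safe @user nvarchar(50)
AS
BEGIN
    DECLARE @prefix nvarchar(200);
    SET @prefix = REPLACE(REPLACE(REPLACE(REPLACE(@user,
                      N'\', N'\\'),
                      N'%', N'\%'),
                      N'_', N'\_'),
                      N'[', N'\[') + N'%';
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name FROM dbo.Users WHERE Name LIKE @prefix ESCAPE ''\''';
    EXEC sp_executesql @sql, N'@prefix nvarchar(200)', @prefix = @prefix;
END
GO

-- Constructed inputs: a benign prefix and one that closes the quote, ORs in
-- a tautology and comments out the trailing %' the procedure appends.
DECLARE @attack nvarchar(50);
SET @attack = N'x'' OR 1=1; --';

EXEC dbo.FindUsers_Unsafe N'al';
EXEC dbo.FindUsers_Unsafe @attack;   -- WHERE clause is now:  Name LIKE 'x' OR 1=1; --%'
EXEC dbo.FindUsers_Safe   @attack;   -- the whole string is compared literally as a prefix
```

With the crafted input the unsafe procedure returns every row, admin included, because its WHERE clause has become a tautology; the safe one returns nothing, because no name starts with the literal text `x' OR 1=1; --`. When the statement is static, as here, skip dynamic SQL entirely and write `WHERE Name LIKE @prefix ESCAPE '\'` directly in the procedure body; sp_executesql with parameters is for the cases where the object names or clause structure genuinely have to vary, and even then only the values, never the identifiers, should come from the caller.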
Re:Not so fast, cowboy (Score:3, Interesting)