Relentless Web Attack Hard To Kill
ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."
Infected Websites (Score:4, Interesting)
Can someone explain to me how websites get infected?
Oh, that's right, running ads and other shit from shady people (directly or indirectly).
I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.
Install a proxy (Score:5, Interesting)
We had this problem a few months back at work. Old but necessary ASP web sites kept getting infected. It only took a few hours to install a reverse proxy with mod_security on EC2 and we were in the clear.
Full story on my blog:
http://guillaume.filion.org/blog/archives/2008/05/i_love_ec2_and_rightscale.php
Big Picture (Score:4, Interesting)
This is going to sound like a little bit of doublespeak, but I'll remind you that Kaspersky found these attacks were happening. Also, they are studying the behavior. Furthermore, Kaspersky protects systems from nefarious things that attackers will do, regardless of how they get on the system. Nothing is perfect with Windows, but if you look at the options, Kaspersky is the best out there.
Now of course, if you want to insist that the attacks happen whether Kaspersky is running or not, you will be correct. But what you're not saying is how LIMITED the attackers are when trying to get past Kaspersky after they get on a system.
Noscript also helps, but isn't perfect either.
Re:Kaspersky (Score:2, Interesting)
You know, something just occurred to me. The biggest reason SQL injection attacks are so common is that SQL allows multiple commands per input line and allows you to comment out the rest of the line, neither of which is useful when called from a programming language (or really anywhere outside of dump/restore tools). If you built a custom SQL library that PHP/Perl/* linked into that would return an error and do nothing if it detects more than one command or a comment start character anywhere in a command, injection attacks would become dramatically harder, if not impossible. At best, an attacker would merely be able to change additional fields in a table that were not changed in the original query, a security flaw that is much less problematic than the more general case of injection attacks...
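As an added example (not the commenter's code, and not from any product or site mentioned in the story), here is a Python sketch of the filter this comment proposes: a scanner that skips quoted string literals and rejects a query carrying a comment opener or a second statement after a `;`, run against a constructed in-memory SQLite table, next to the bound-parameter query that removes the problem at the root.

```python
import sqlite3

COMMENT_STARTS = ("--", "/*", "#")  # common SQL comment openers

def check_single_statement(sql):
    """Return (ok, reason). Scans outside quoted literals and rejects a
    comment start or a second statement after a ';' (trailing ';' is fine)."""
    in_quote = None  # quote character while inside a string literal
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if in_quote:
            if c == in_quote:
                if sql.startswith(in_quote, i + 1):  # doubled quote = escaped
                    i += 2
                    continue
                in_quote = None
        elif c in ("'", '"'):
            in_quote = c
        elif sql.startswith(COMMENT_STARTS, i):
            return False, "comment start at offset %d" % i
        elif c == ";" and sql[i + 1:].strip():
            return False, "second statement after offset %d" % i
        i += 1
    if in_quote:
        return False, "unterminated string literal"
    return True, "ok"

def run_guarded(conn, sql):
    # Execute only if the check passes; otherwise refuse and do nothing.
    ok, reason = check_single_statement(sql)
    if not ok:
        raise ValueError(reason)
    return conn.execute(sql).fetchall()

def demo():
    """Constructed inputs against an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'hello')")
    bad = "1; UPDATE news SET body = 'x' --"  # stacked statement plus comment
    out = {"good": run_guarded(conn, "SELECT body FROM news WHERE id = 1")}
    try:
        run_guarded(conn, "SELECT body FROM news WHERE id = " + bad)
        out["bad"] = "executed"
    except ValueError as e:
        out["bad"] = str(e)
    # The real fix: bind the value so the driver never parses it as SQL.
    out["bound"] = conn.execute("SELECT body FROM news WHERE id = ?", (bad,)).fetchall()
    out["untouched"] = conn.execute("SELECT body FROM news").fetchall()
    return out
```

Input that stays inside one statement, such as an appended OR clause, passes the filter untouched, which is why it only supplements parameter binding rather than replacing it.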
Re:Kaspersky (Score:3, Interesting)
PHP is just as vulnerable to SQL injection as ASP...I think he was speaking in generic terms.
The problem isn't in the scripting engine. The problem is bad code. You can put a bad developer in front of any system you want, and he'll still write bad code.