SQL Injection Attack Claims 132,000+ 186
An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."
Details? (Score:4, Insightful)
I love the way they fail to mention what server systems might be effected. Is it SQL Server? MySQL? .NET? PHP? Windows servers? Linux? Both? What web sites are vulnerable?
It's always fun to snicker when you get to the registry entries which points to Windows. Although there was a trojan for Ubuntu in a desktop theme a few days ago, so enjoy the time to mock Windows users while it lasts.
Re:Details? (Score:5, Insightful)
But a Trojan needs user access and approval to get installed. No OS on the planet can protect itself from a user with the admin password.
Re:why don't these go away? (Score:3, Insightful)
Re:why don't these go away? (Score:4, Insightful)
You are assuming that all the systems are hosted at reputable hosting companies that pro-actively monitor all their systems.
There are millions of systems worldwide that are exposed to the public internet (even though they probably shouldn't be) that are sitting in the corner somewhere waiting for someone to "get around to decommissioning them" - and in the meantime they're pumping out spam and taking part in DDoS attacks.
Re:Details? (Score:5, Insightful)
Even still, this blog post is fucking useless. What CMS? What input is not being validated? Is it an underlying problem with Drupal? Wordpress? Joomla? What version?
On top of that, it doesn't give any recommendations for what end users could do to protect themselves. Does anti-virus software already detect it? Can you simply alter your hosts file? Disable Javascript?
The blog post is completely fucking useless.
Re:Windoze (Score:3, Insightful)
Re:Lame coders who don't care about security! (Score:3, Insightful)
Re:hey (Score:3, Insightful)
that's the point
it's not a security issue if you deliberately do something ignorant
like, say, using the internet
THE INTERNET IS NOT SECURE
says so right on the packaging, and always has
Re:Details? (Score:3, Insightful)
If it's really over 100,000 sites with the same attack then there's something obvious they have in common, like the same PHP/MYSQL library, and it has a predictable vulnerability in it.
Re:Lame coders who don't care about security! (Score:3, Insightful)
You don't need stored procedures, all you need are parametrized statements/commands, so long as your API provides it. And plain ADO, which was used with classic ASP, did provide parametrized commands.
Any attempt to defeat SQL injection by blacklisting syntax is inherently error-prone if only because it may break on a future version of database (when its syntax gets extended). Not to mention that, unless you have perfect knowledge of 100% of the SQL dialect that your implementation uses, you may forget to blacklist some corner case.
In short, if you use text substitution to counter SQL injection, you're not doing it right.
Re:why don't these go away? (Score:2, Insightful)
No you're wrong. People attack Windows because the most people use it AND it is conveniently also less inherently secure than anything else in current production. If everyone stopped using Windows and switched to XYZ then XYZ would eventually become the new biggest target, that is true but it is just as completely naive to assume the same percentage of attacks would be successful on an entirely different platform as Windows as it is to assume that you would have a remotely accurate clue about what that new percentage would be unless you were fluent in the use of "XYZ" which I'm assuming you are not because you can't even spell Linux right.