
SQL Injection Attack Claims 132,000+ 186

Posted by CmdrTaco
from the check-yer-code-people dept.
An anonymous reader writes "A large-scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."
  • hey (Score:3, Funny)

    by Spazztastic (814296) <spazztastic@nOSPAM.gmail.com> on Thursday December 10, 2009 @10:24AM (#30387714)

    Hey, I went to 318x.com and all of a sudden my computer is acting funny. Any suggestions?

  • I blame Mrs. Roberts [xkcd.com].
  • 318x.com (Score:2, Interesting)

    by NoYob (1630681)
    I tried to go there and I got this from Google: Diagnostic page for 318x.com [google.com]

    After doing a whois, I see that just about all information is described as "Unknown"

    Why is this domain still in existence? Can ICANN take it down?

    It looks like the sole reason for this domain is for malware.

    • Re: (Score:3, Informative)

      318x.com is now in my hosts file. Can at least try to protect ourselves...
      • by ls671 (1122017) *

        318x.com zone is now defined in my DNS so I don't have to update host files on each and every one of my computers.

        Just kidding, but host files are so 1980 ;-))

    • I'm not familiar with any blemishes on ICANN's record of neutrality, but I, for one, wouldn't care to have my blog's domain erased because someone decided it was deemed harmful in some fashion.

  • by v1 (525388) on Thursday December 10, 2009 @10:30AM (#30387786) Homepage Journal

    If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?

    • Re: (Score:3, Insightful)

      by qazsedcft (911254)
      If it were kiddy porn it would be shutdown already.
    • by jimicus (737525) on Thursday December 10, 2009 @10:52AM (#30388022)

      You are assuming that all the systems are hosted at reputable hosting companies that pro-actively monitor all their systems.

      There are millions of systems worldwide that are exposed to the public internet (even though they probably shouldn't be) that are sitting in the corner somewhere waiting for someone to "get around to decommissioning them" - and in the meantime they're pumping out spam and taking part in DDoS attacks.

      • No... (Score:3, Interesting)

        The assumption is that once there are a hundred thousand servers hit, and maybe fewer, if the hosting company doesn't shut down the site within an hour or two a responsible upstream router blocks traffic from the site. Every delivered payload costs society more time and money.
        • by jimicus (737525)

          I think the sheer amount of shite in the form of worms, spam and DoS attacks continuing to flood the Internet kind of kills off that utopian vision, wouldn't you say?

      • by sjames (1099)

        The hosting company is irrelevant if the domain's NS records in the gtld-servers are pointed to nowhere. That won't help if the script uses the IP address, but in this case, it would kill it.

        Where an IP address is used, null routing by an upstream provider can kill that IP. So the question stands, when the threat is this big, why is the site allowed to continue existing? Start at the colo provider/ISP and work up the chain until a reputable provider is found to null route the IP.

        • So the question stands, when the threat is this big, why is the site allowed to continue existing?

          I don't know if you're bothering to test anything, but from where I stand 318x.com does not exist.

    • Re: (Score:3, Informative)

      by wowbagger (69688)

      You must be new here, let me welcome you to "The Internet". I hope you enjoy your visit.

      Hosting companies don't give a pair of fetid dingo's kidneys about such matters, so long as the people responsible for the hosting pay good money.

      Even the hosting companies [softlayer.com] that claim [softlayer.com] to be anti-spam, and whose acceptable use policies state that ANY support of spam, including hosting spamvertized web sites [softlayer.com], when confronted with multiple, on-going violations [winehq.org], will ignore all reports, remove all forum posts calling attenti

  • by BountyX (1227176) on Thursday December 10, 2009 @10:34AM (#30387846)
    Seriously people stop naming your kids with ');DROP TABLE [xkcd.com] at the end...
    • by Ksevio (865461)
      Well that would be an SQL injection attack... Does everything that's been covered by XKCD remind you of it now?
  • Details? (Score:4, Insightful)

    by HangingChad (677530) on Thursday December 10, 2009 @10:35AM (#30387848) Homepage

    I love the way they fail to mention what server systems might be affected. Is it SQL Server? MySQL? .NET? PHP? Windows servers? Linux? Both? What web sites are vulnerable?

    It's always fun to snicker when you get to the registry entries which points to Windows. Although there was a trojan for Ubuntu in a desktop theme a few days ago, so enjoy the time to mock Windows users while it lasts.

    • Re:Details? (Score:5, Insightful)

      by Yvan256 (722131) on Thursday December 10, 2009 @10:39AM (#30387896) Homepage Journal

      But a Trojan needs user access and approval to get installed. No OS on the planet can protect itself from a user with the admin password.

      • Re:Details? (Score:5, Funny)

        by Bert64 (520050) <bert@slash d o t . f i renzee.com> on Thursday December 10, 2009 @10:44AM (#30387916) Homepage

        Windows 9x used to do a pretty good job, can't own a system once it's bluescreened.

      • by caluml (551744)
        Linux + GRSec (or SELinux) can. Assuming they don't know the password/mechanism to enter the "unlocked" mode. There used to be a Gentoo SELinux box on the net - selinux.dev.gentoo.org, I think it was. They published the root password, and let you log in. It was funny to watch all the skiddies on there, copying their rootkits down. I wish I could have sent a wall to them all - "You're already root - stop that!".
    • Re: (Score:2, Informative)

      by necrogram (675897)

      They didn't mention it because it doesn't matter. It's the result of bad coding practices. A SQL injection attack is caused by the front-end application accepting whatever input it's given and using it to generate the SQL statements. You stop these attacks by sanitizing your input, using stored procedures to do the database work, and possibly sticking in a middleware tier to handle database access, i.e. apache -> websphere -> database.

      • by Bengie (1121981)

        parameterized inputs?

        The only times I EVER pass a value as a concatenated string is if it goes along these lines..

        try
        {
            // Int64.Parse guarantees the concatenated text is a bare integer; anything else throws
            query = "select [columns] from table where iTableID = " + Int64.Parse(strInput).ToString();
        }
        catch (FormatException) { /* reject the non-numeric input instead of querying */ }

        ^^
        My lazy code. I only do internal utilities on side projects, so I can get away with this since these utilities are seldom used by anyone except when crap goes wrong. My primary job is SQL.

        otherwise it's always the

        string strSelectQry = "Select [columns] from schooltable where ischoolguid = @ischool";

      • Re: (Score:3, Informative)

        by HangingChad (677530)

        They didn't mention it because it doesn't matter. Its the result of bad coding practices.

        It does too matter. You don't infect 132,000 web sites with separate injection attacks. That's automated. A lot of the people running forums and CMS-driven web sites don't understand the code well enough to fix anything.

        Heck, one of my sites was hacked once, through the forum software. I'm not in the habit of combing through forum code looking for unvalidated inputs. So if someone could mention what the parent e

      • Re: (Score:3, Insightful)

        by lseltzer (311306)

        If it's really over 100,000 sites with the same attack then there's something obvious they have in common, like the same PHP/MYSQL library, and it has a predictable vulnerability in it.

  • How is SQL involved? (Score:4, Interesting)

    by Bromskloss (750445) < ... <at> <gmail.com>> on Thursday December 10, 2009 @10:38AM (#30387874)

    The article said "SQL" in the headline, but never mentioned it again after that.

    • Re: (Score:3, Interesting)

      by jDeepbeep (913892)

      The article said "SQL" in the headline, but never mentioned it again after that.

      My guess is that the compromised websites all have something in common, such as running the same CMS for example. You're right though, the article is short on details of the injection itself.

    • The SQL injection allows the malware scripts to be placed on websites. Then website visitors get hit with the malware the scripts facilitate. Of course, silly me, I went and RTFA. Half of the headlines on /. are either grammatically incorrect, sensationalized, or just plain silly...
  • The real problem (Score:2, Informative)

    by Anonymous Coward

    So it's MS and Adobe vulnerabilities that actually let the malware onto your system.
    FTA:

    Observed exploits include:

    * Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
    * MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
    * Microsoft Office Web Components vulnerabilities described in MS09-043
    * Microsoft video ActiveX vulnerability described in MS09-032

    • by wjsteele (255130)
      Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

      This is actually a stupid article, as it doesn't even bother to describe the platform which has the vulnerability in it. It's not a platform or database issue if it's a SQL injection, so it must be some app that is common... like a CMS package or blog engine... something like that.

      Bill
      • by gmuslera (3436)

        Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

        In official packages of a Linux distribution, I would say that almost all would be patched so shouldn't be affected. But we are talking about the Windows world here. I'm not sure how automatic the updates for Flash Player are (just today got one in my Ubuntu box), Windows updates are known to add functionality (sometimes unwanted, so people could disable automatic updates after something "misbehaves"), and the MS fixes there probably aren't for IE6 (still used by 20% of internet), maybe some for IE7 that is more

      • Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.

        Are you certain? I believe Flash might still have issues [foregroundsecurity.com], unless Adobe has figured out something to contradict their earlier statement that "...unfortunately, there is no easy solution. This issue is very difficult to solve without also breaking existing, legitimate content elsewhere on the web." Still, that report was a month ago, so maybe the situation has changed since then. I couldn't find anything to confirm or deny that current versions of Flash are still vulnerable -- does anyone else k

    • So the SQL injection which landed those vulnerabilities on 100+ thousand formerly trusted sites is not a real problem?

  • by GreenTom (1352587) on Thursday December 10, 2009 @10:49AM (#30387988)
    Add to windows\system32\drivers\etc\hosts:

    127.0.0.1 318x.com

    And you should be safe, for the moment.
    • It's already under a huge DOS attack by the readers of Slashdot. There's no need to block it, in fact you should be attempting to load that page in concert with all the other members of the Slashbot.

    • by Nohea (142708)

      Safe until next week, when they use another address.

      Checking inputs is the only fix.

  • by gregarican (694358) on Thursday December 10, 2009 @11:14AM (#30388258) Homepage
    Validate your SQL inputs before posting them against an Internet-facing database. This isn't an SQL problem. This isn't a Windows-based problem. This is a poor coders' problem. If there are high-profile websites that were compromised I'd be one pissed off PHB fo sho...
    • Exactly!

      Obligatory [xkcd.com]

    • by Vellmont (569020) on Thursday December 10, 2009 @11:56AM (#30388778)


      validate your SQL inputs before posting them against an Internet-facing database.

      Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current potential and future potential for breaking out of a SQL statement. It won't protect you from people putting in their own parameters into your SQL statement (like say someone else's userID), but that's a different class of vulnerability.
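An added example (not code from this thread, from ScanSafe, or from any CMS named here), in Python with the standard sqlite3 module and a constructed in-memory table: the string-concatenated query that necrogram's and Bengie's posts warn about beside the bound-parameter form Vellmont recommends, plus Bengie's integer-parse narrow case. Table and column names are borrowed from Bengie's snippet and are assumptions, as is the sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory stand-in for the Internet-facing
    # database the thread discusses (names borrowed from Bengie's post).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE schooltable (ischoolguid TEXT, name TEXT)")
    con.executemany("INSERT INTO schooltable VALUES (?, ?)",
                    [("g-001", "North High"), ("g-002", "South High")])
    return con


def lookup_concat(con, guid):
    # Vulnerable: the request value is spliced into the SQL text, so a quote
    # character in the input rewrites the statement's structure.
    sql = "SELECT name FROM schooltable WHERE ischoolguid = '" + guid + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, guid):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    # This still does not stop a caller supplying someone else's valid guid;
    # that authorisation check is the separate class of bug Vellmont mentions.
    sql = "SELECT name FROM schooltable WHERE ischoolguid = ?"
    return [row[0] for row in con.execute(sql, (guid,))]


def lookup_int(con, table_id):
    # Bengie's narrow case: parsing to an integer before concatenating means the
    # spliced text can only ever be digits; anything else raises ValueError.
    sql = "SELECT name FROM schooltable WHERE rowid = " + str(int(table_id))
    return [row[0] for row in con.execute(sql)]


def rejects_non_integer(con, table_id):
    # True when lookup_int refuses the input instead of sending it to the database.
    try:
        lookup_int(con, table_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"            # tautology that widens the WHERE clause
    print(lookup_concat(db, hostile))   # every row leaks: ['North High', 'South High']
    print(lookup_param(db, hostile))    # []: the literal guid matches nothing
    print(rejects_non_integer(db, "2 OR 1=1"))  # True
```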

  • by erroneus (253617) on Thursday December 10, 2009 @12:25PM (#30389308) Homepage

    The source of the attacks is servers that have been compromised through SQL injection. I get that. It's an important detail. They fail to identify what sites and/or what those sites are running that is exploitable in this way. Is it MySQL? Is it MS SQL? Oracle? Is it a particular software package running on a particular web host platform? The questions are too many and should have been answered in the article.

    What is done after a server is compromised is pretty common. Microsoft components, especially those linked through ActiveX, have been not just a hole in Microsoft security, but a tunnel into the Windows kernel big enough to drive a truck through. A vulnerability in Adobe Flash is only a problem when it uses ActiveX to get there. Flash running in other ways does not seem to pose such an extreme threat otherwise. But while these are important security concerns to be aware of, it has nothing to do with the topic of the story as indicated by the headline or the first line of the story, which is about compromised SERVERS, not about compromised clients.

  • I must disagree with the way they calculated infections. Counting the number of times something comes up on Google does not equal the number of infections.

    • If they search for the right string, then it should very closely approximate the number of compromised websites. The only other thing it should find are people talking about how to find the list of compromised websites.

  • 132,000? Try 1269. (Score:2, Interesting)

    by milesw (91604)

    As many have pointed out, the blog post does not offer sufficient detail, but does offer the rather sensational headline "SQL injection attack claims 132,000+". The Google Safe Browsing diagnostic page for 318x.com has it closer to 1200 or so:

    http://google.com/safebrowsing/diagnostic?site=318x.com/

    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, 318x.com appeared to function as an intermediary for the infection of 1202 site(s) including 37y.org/, jxa

  • Oops. Send those SQL injections back. We don't need them.
  • That makes it sound like people died of SQL injection. . .
  • These are again Chinese based servers.

    http://google.com/safebrowsing/diagnostic?site=318x.com/ [google.com]

    • by cenc (1310167)

      It looks like most of the sites showing up infected in Google are almost overwhelmingly in China or Chinese language. This one has been circulating for a while.

  • I have one Mac laptop and one Linux laptop. Will the rootkit be a problem for me?
