Massive SQL-Server Web based Injection Attacks
Thursday, January 10, 2008 2:37 PM
As I've been using SQL-Server since it came out in 1994, the SSWUG community, which I've been a member of for years, is an excellent resource. In today's newsletter, they are highlighting a major new attack that may have affected up to 70,000 servers and 94,000 unique web addresses. It is vital to stay up-to-date on patches and AV protection. More importantly, the use of firewalls, web security techniques, and security testing are all important in ensuring these malicious injection attacks are properly blocked.
SSWUG.ORG Newsletter - (SQL-Server Users Group)
QUOTE: Injection again ... I don't know if you've seen the reports, but there is a "mass attack" (my term) that has been going on with an automated SQL Injection engine of sorts that's out looking to find login and registration systems, then attempt SQL injection against the site.
What's unique about this is that it's a very broad attack, not a hacker trying to breach a system on a system-by-system basis as has traditionally been the case. This means that to turn this thing loose on all types of sites is "just" a matter of replicating the engine and letting it run amuck. You can see that this could be a (rather successful) test brute-force approach to trying out just about every other attack that has, to-date at least, been based on a person doing the work. Traditional injection is about interpreting results, seeing what's returned by the site or application and tweaking your approach. With this approach - a forced and automated one - the possibility for coming in on multiple attack vectors simultaneously is very possible.
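The newsletter describes a bot probing login and registration forms, so the pattern worth seeing is the login check that such a bot looks for, beside the parameterised version that closes the hole. This is an added example, not code from the newsletter or from this post; it uses Python's standard-library sqlite3 module as a stand-in for SQL Server (parameter placeholders work the same way with a SQL Server driver), and the table, the user row and the test inputs are all constructed for the demonstration.

```python
"""Added example (not from the SSWUG newsletter or this post): a login
check built by string concatenation beside its parameterised fix.
sqlite3 stands in for SQL Server; schema, user and inputs are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory users table standing in for a real login store.
    # Password handling is simplified: a real system verifies a salted hash.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Concatenation: whatever the form submits becomes part of the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_parameterised(con: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Placeholders: the driver passes the values separately from the SQL text,
    # so input can only ever be compared as data, never parsed as syntax.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return con.execute(sql, (username, password_hash)).fetchone()[0] > 0


def regression_check() -> dict:
    """Run both implementations against a valid login, a wrong password and a
    classic quote-breaking input (constructed), returning each outcome so the
    difference can be asserted in a test suite rather than eyeballed."""
    con = make_db()
    tautology = "x' OR '1'='1' --"   # constructed probe: comments out the password clause
    return {
        "valid_vulnerable": login_vulnerable(con, "alice", "hash-of-alice-pw"),
        "valid_parameterised": login_parameterised(con, "alice", "hash-of-alice-pw"),
        "wrong_pw_vulnerable": login_vulnerable(con, "alice", "wrong"),
        "wrong_pw_parameterised": login_parameterised(con, "alice", "wrong"),
        # The concatenated query is bypassed; the parameterised one simply
        # finds no user whose name is the literal probe string.
        "probe_vulnerable": login_vulnerable(con, tautology, "anything"),
        "probe_parameterised": login_parameterised(con, tautology, "anything"),
    }


if __name__ == "__main__":
    for name, outcome in regression_check().items():
        print(f"{name:24} -> {outcome}")
```

The probe in `regression_check` is the kind of input a security test should feed every login and registration form: the only acceptable result is that it fails to authenticate, which is what the parameterised query gives regardless of what the bot sends.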
Additional links are noted below:
Mass exploits with SQL Injection
QUOTE: It turned out that there is an automated script or a bot exploiting SQL injection attacks in vulnerable web applications. I remembered that I saw the very same attack appearing back in November last year but it was not this widespread – it appears that the attacker improved the crawling/attacking function of his bot so he managed to compromise more web sites.
Mass hack infects tens of thousands of sites
QUOTE: On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass hack," said Thompson, in a post to his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." ... However, many of those sites -- which as of this morning numbered more than 93,000, according to a quick Google search -- had not been cleaned.
QUOTE: At time of writing, more than 94,000 URLs had been infected by the fast-moving exploit, which redirects users to the malicious domain