Massive SQL-Server Web based Injection Attacks

Posted Thursday, January 10, 2008 2:37 PM by hwaldron

I've been using SQL-Server since it came out in 1994, and the SSWUG community is an excellent resource that I've been a member of for years. In today's newsletter, they are highlighting a major new attack that may have affected up to 70,000 servers and 94,000 unique web addresses. It is vital to stay up-to-date on patches and AV protection. More importantly, firewalls, web security techniques, and security testing are all important in ensuring these malicious injection attacks are properly blocked.

SSWUG.ORG Newsletter - (SQL-Server Users Group)
http://www.sswug.org/nlarchive.asp?odate=1/10/2008

QUOTE: Injection again ... I don't know if you've seen the reports, but there is a "mass attack" (my term) that has been going on with an automated SQL Injection engine of sorts that's out looking to find login and registration systems, then attempt SQL injection against the site. 

What's unique about this is that it's a very broad attack, not a hacker trying to breach a system on a system-by-system basis as has traditionally been the case.  This means that to turn this thing loose on all types of sites is "just" a matter of replicating the engine and letting it run amuck.  You can see that this could be a (rather successful) test brute-force approach to trying out just about every other attack that has, to-date at least, been based on a person doing the work.  Traditional injection is about interpreting results, seeing what's returned by the site or application and tweaking your approach.  With this approach - a forced and automated one - the possibility for coming in on multiple attack vectors simultaneously is very possible.

If you're not testing your systems, I highly recommend you consider it.  There are some solid tools and services out there that can help you learn a lot about what vulnerabilities you may have, and they generally help you understand both how they work and how to prevent them.  With this go-round on the hacker attacks on injection, I've seen reports of as many as 70,000 servers infected.  That's a big number and the infections are not passive - they're malicious injection of javascript code.  Take the steps now to learn what can be done to and for your systems.


Additional links are noted below:

Mass exploits with SQL Injection
http://isc.sans.org/diary.html?storyid=3823
http://isc.sans.org/diary.html?storyid=3810

QUOTE: It turned out that there is an automated script or a bot exploiting SQL injection attacks in vulnerable web applications. I remembered that I saw the very same attack appearing back in November last year but it was not this widespread – it appears that the attacker improved the crawling/attacking function of his bot so he managed to compromise more web sites.

Mass hack infects tens of thousands of sites
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9055858

QUOTE: On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass hack," said Thompson, in a post to his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." ... However, many of those sites -- which as of this morning numbered more than 93,000, according to a quick Google search -- had not been cleaned.

Register Article
http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/

QUOTE: At time of writing, more than 94,000 URLs had been infected by the fast-moving exploit, which redirects users to the malicious domain

Additional References
http://www2.csoonline.com/blog_view.html?CID=33430
http://www.modsecurity.org/blog/archives/2008/01/index.html
http://explabs.blogspot.com/2008/01/so-this-is-kind-of-interesting.html
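
For the cleanup side of the incident quoted above (injected JavaScript that many sites had not yet removed), this added example, which is not from the original post or the cited articles, scans every text value in a database for script tags loading from hosts outside an allowlist. It assumes the injected code sits in stored text as `<script src=...>` tags, uses Python's sqlite3 as a stand-in for SQL Server, and all table names, rows and hostnames are constructed.

```python
import re
import sqlite3
from urllib.parse import urlparse

# <script ... src=URL> with a quoted or unquoted URL, any letter case.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def external_script_hosts(text, allowed_hosts):
    """Return hosts of script tags in text that are not on the allowlist."""
    hosts = []
    for url in SCRIPT_SRC.findall(text):
        if url.startswith("//"):          # protocol-relative URL
            url = "http:" + url
        host = urlparse(url).hostname     # None for site-relative paths
        if host and host.lower() not in allowed_hosts:
            hosts.append(host.lower())
    return hosts

def scan_database(conn, allowed_hosts):
    """Return (table, column, rowid, host) for each suspicious script tag."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:                  # names come from the schema itself
        cur = conn.execute(f'SELECT rowid, * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, value in zip(cols[1:], row[1:]):
                if isinstance(value, str):
                    for host in external_script_hosts(value, allowed_hosts):
                        findings.append((table, col, row[0], host))
    return findings

def build_sample_db():
    """Constructed sample data: two clean rows and two tampered ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Welcome", '<p>Hello</p><script src="/js/site.js"></script>'),
        (2, "News<script src=http://injected.example/x.js></script>", "<p>Body</p>"),
        (3, "Stats", '<SCRIPT SRC="//cdn.example.org/lib.js"></SCRIPT>'),
    ])
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (1, 'alice<script src="http://injected.example/x.js"></script>'))
    return conn

if __name__ == "__main__":
    for finding in scan_database(build_sample_db(), {"cdn.example.org"}):
        print(finding)
```

A hit only identifies rows to clean; the injectable query that let the content in still has to be fixed, or the rows will be rewritten on the next pass.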
