500 Thousand MS Web Servers Hacked

F-Secure via slashdot ^ | 04/25/08 | Patrik

[Salo]

There's another round of mass SQL injections going on which has infected hundreds of thousands of websites.

Performing a Google search results in over 510,000 modified pages.

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

[Salo]

Not good.

[Salo]

Security/tech pings.

Slashdot:

http://it.slashdot.org/it/08/04/25/1358234.shtml

[agere_contra]

I hope Free Repblic hsn;t been hcaked

Oh noes.

[Minn]

Sanitizing input to prevent this sort of thing is the most basic security precaution. You get it in the first 20 minutes of any secure coding class. Any sites affected by this should be embarrassed.

[BitBucket]

Yep. SQL Injection has been around since the early days of client server and is quite literally the oldest trick in the book.

I don't know why it says "MS" web servers in the title. SQL Injection has nothing to do with which operating system or web server you use. It's a matter of whether the web programmer bothers to validate user input or not.

[jjw]

i think that lucianne.com was down for a while this week because of a sql injection attack.

[Lynne]

Can anyone give a plan English definition of an SQL attack?

[jjw]

I’ll try. A web site that is poorly written, will accept input in a form just like this one here, and use the text directly (without checking in, or clearning it up) to make computer software statements that are sent to the database server. A hacker can pass commands to the database by entering in malicious code in a form — giving the hacker access to some data in the database, or even control of their network. Hope this helps.

[jack_napier]

I don't know why it says "MS" web servers in the title. SQL Injection has nothing to do with which operating system or web server you use.
Read the article. This is specifically affecting sites built on ASP, which is a MS technology. This is not senseless MS bashing, so put down the alarm. I suspect there's some sort of sanitizer code involved which (looking at the page), doesn't handle hex properly.

[Lynne]

It does help. Thank you!

[Lynne]

It does help. Thank you!

[MediaMole]

[tacticalogic]

The headline seems a little misleading. According to the article at the FSecure link, they’ve identified 510,000 web pages. I seriously doubt that translates into 500,000 individual servers.

[dfwgator]

SQL is the language used to query data from a database table.

An example SQL query is “SELECT * FROM CustomerTable WHERE customer_id = 1”

SELECT * - means show all of the information in the table.

FROM CustomerTable - CustomerTable is the data entity that contains customer information

WHERE customer_id = 1 - Only show information for the customer whose id is 1.

This is just characters that a program can generate. What happens is the program takes the user input and uses it to generate the SQL query.

So lets say a customer enters their customer id, that id is substituted for the ‘1’ in the above statement. And they will get their information.

But someone devious could instead of sending a “1” could send “1 OR ‘1’ = ‘1’”

Now the SQL statement is:

“SELECT * FROM CustomerTable WHERE customer_id = 1 OR ‘1’ = ‘1’”

Since ‘1’ = ‘1’ is always going to be true, and with “OR” only one of the clauses has to be true, ALL rows will now be retrieved so that the hacker can see the information for all customers.

The way to avoid this is on the programming side, is to not build a SQL statement directly from customer input, but to use placeholders for the variable parts and checking the input to make sure no unusual characters are used. Any programmer should know this. It’s always one of the questions I ask when I interview potential members of my team.

[Ernest_at_the_Beach]

Free Republic doesn’t use anything as loose as a MS Server...believe it runs under Apache.,...not sure whether it is based on BSD or Linux kernels...

[tacticalogic]

Running Linux and Apache doesn’t necessarily mean you aren’t running ASP.

[HAL9000]

ActiveX strikes again. This is why Apple will not integrate it into Mac OS X.

[Minn]

ActiveX strikes again

How so?

[Lynne]

Thanks much! I left my programming education in computers 101, back with DOS and Basic.

[antiRepublicrat]

This is why I won’t use anything but parameterized stored procedure calls.

[-YYZ-]

LOL!

[AppyPappy]

Linux as far as I know

[HAL9000]

The exploit is analyzed here: http://forums.iis.net/t/1148917.aspx?PageIndex=1

[Ernest_at_the_Beach]

OK,..thanks...just came across this...(for us novices):

SQL Injection Attacks - Are You Safe?

[ShadowAce]

[wireplay]

ActiveX is obsolete and should never be used today. I mean, it is ancient.

[wireplay]

Free Republic doesn’t use anything as loose as a MS Server...believe it runs under Apache

MS Server and Apache have nothing to do with each other. One's an O/S, the other is a web server.

[mad_as_he$$]

Bringing your evil kid into the church dance under your skirt.