May 12
Security

So, the mass SQL injections of last month are still going and on the increase. At last check (11am SAST) Google's index had 1 070 000 infected pages. Not all of these are from the same source, or load the same malware. However, they all follow the same basic principle:

generic SQL injection -> Javascript -> infect visitors

Several of the sites in South Africa I've been watching have been re-infected. I spoke to several of the admins, but it seems they are just restoring from backup and not fixing the root cause. The domains currently being injected and containing the malicious Javascript are:

  • nihaorr1.com
  • 2117966.net
  • aspder.com
  • haoliuliang.net
  • nmidahena.com
  • free.hostpinoy.info
  • xprmn4u.info
  • winzipices.cn
  • wowgm1.cn
  • killwow1.cn
  • wowyeye.cn

New ones are coming to my attention fairly quickly at the moment. For example, wowgm1.cn was injected over winzipices.cn on a few pages. The 'wow' range seems to be related, as they are re-infecting the same pages with a new URL. On the point of re-injections, some are overwriting each other in odd ways; for example, the following was found on one page (*'s added):

<script src=http://www.2<script src=h**p://www.2117966.net/f*ckjp.js></script>

It bothers me that the security industry (particularly in SA) doesn't seem to have cottoned on to this as a widespread, pervasive attack. Shadowserver (one, two) seems to be the only one getting close to the problem, but even SANS is treating these as separate events. There is only basic protection at the moment: if you click through to some of these sites (10%?) from Google, you will get a malware warning, and Firefox's security setting (which uses the same list as Google, i.e. stopbadware.org) stops me from continuing to the site anyway.

Given how successful the exploitation of such an 'old' vulnerability has been, it is likely we are only going to see more (and better executed) versions of this in the next few months (years?). Hitting over a million pages with a pretty lame attack that only targets Microsoft SQL Server is fairly impressive. If they just modified their SQL to work on MySQL or Postgres I'm sure we would see more than a million more hit. It is interesting to note that it has taken this long for someone to try and 'monetise' SQL injection, as it has been around for a while (8 years?). My guess is that it will take less time for the bad guys to do the same with XSS and CSRF, but that Microsoft's default request validation will save some of us, and not because devs have cottoned on.


Posted by Dominic White

Last modified on 2008-05-13 06:19


2 Comments

  1. Philip says:

    This happened to our site... but I thought SQL injection only works on pages with forms?

    This happened to database tables that are only read to display content?

  2. Dominic White says:

    Hi Philip,

    There only needs to be one injection point, and that can be on *any* page displaying forms, or accepting GET/POST variables, or even WebServices.

    Once they have an injection point, and if your DB isn't sufficiently secured, they can write to any content table the user in the connection string has access to write to. The current round seems to try and write to all of them.

    Parameterise and pre-compile your SQL, then remove as many rights as possible from the user you use to connect to the DB, to solve this.
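The mechanism described in the post body (one injection point, a stacked statement that writes a script tag into content tables) and the fix given in the reply above (parameterise, then cut the DB user's rights), as an added example that is not part of the original post or the comments. Everything in it is constructed: the table and column names, the payload, and the marker domain malware.invalid. SQLite stands in for Microsoft SQL Server; its executescript() stands in for the ADO batch behaviour that lets a ';' in a classic ASP page's concatenated query run extra statements, and its query_only pragma stands in for a SELECT-only database user. The scan and clean-up functions are the check an admin restoring from backup would want, to see exactly which cells were touched.

```python
import sqlite3

# Constructed marker standing in for the injected <script> tag; the real
# wave used the domains listed in the post, not this one.
MARKER = "<script src=http://malware.invalid/x.js></script>"

# Constructed payload for a numeric query-string parameter: terminate the
# intended statement, then append an UPDATE. The real wave walked the
# catalog to hit every text column it could write to; one table is
# enough to show the mechanism.
PAYLOAD = "1; UPDATE news SET body = body || '" + MARKER + "'"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a site's content database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, blurb TEXT,
                               price REAL);
        INSERT INTO news VALUES (1, 'Welcome', 'Hello world');
        INSERT INTO news VALUES (2, 'Update', 'Second post');
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget', 9.99);
    """)
    return conn


def vulnerable_news_lookup(conn: sqlite3.Connection, raw_id: str) -> str:
    """The bug: a query-string value is pasted into the SQL text.
    A classic ASP page doing this against MSSQL through ADO sends the whole
    string as one batch, so anything after a ';' also runs. sqlite3's
    execute() refuses multi-statement strings, so executescript() stands in
    for the batch (it discards the SELECT's rows, which does not matter
    here). Returns the SQL that actually ran."""
    sql = "SELECT title, body FROM news WHERE id = " + raw_id
    conn.executescript(sql)
    return sql


def safe_news_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """The fix: the value is bound as a parameter and can never become SQL.
    A payload string simply fails to equal any integer id."""
    cur = conn.execute("SELECT title, body FROM news WHERE id = ?", (raw_id,))
    return cur.fetchall()


def injection_blocked_by_readonly(conn: sqlite3.Connection, raw_id: str) -> bool:
    """Stand-in for 'give the web user only SELECT rights': with the
    connection limited to reads the appended UPDATE is refused even though
    the concatenation bug is still there. Returns True if it was blocked."""
    conn.execute("PRAGMA query_only = 1")
    try:
        vulnerable_news_lookup(conn, raw_id)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.execute("PRAGMA query_only = 0")


def text_columns(conn: sqlite3.Connection):
    """Yield (table, column) for every text-typed column, read from the
    catalog the same way the attack found its targets. Names come from the
    catalog, not from users, and are quoted as identifiers because bound
    parameters cannot carry identifiers."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(
                f'PRAGMA table_info("{table}")'):
            if ctype.upper() in ("TEXT", "VARCHAR", "NVARCHAR", "NTEXT", "CHAR"):
                yield table, name


def find_injected(conn: sqlite3.Connection, marker: str = MARKER) -> list:
    """Scan every text column for the tag; returns sorted
    (table, column, rowid) triples, i.e. what an admin should look at
    before deciding a restore from backup has fixed anything."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid FROM "{table}" WHERE instr("{col}", ?) > 0', (marker,))
        hits.extend((table, col, r[0]) for r in rows)
    return sorted(hits)


def strip_injected(conn: sqlite3.Connection, marker: str = MARKER) -> int:
    """Remove the tag from affected cells; returns the number of cells
    changed. Without fixing the concatenation this only buys time until
    the next re-infection."""
    changed = 0
    for table, col in text_columns(conn):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = replace("{col}", ?, ?) '
            f'WHERE instr("{col}", ?) > 0', (marker, "", marker))
        changed += cur.rowcount
    conn.commit()
    return changed
```

Run safe_news_lookup(conn, PAYLOAD) on a fresh database and it returns nothing, because the bound string is compared with the integer id and never parsed as SQL; run vulnerable_news_lookup(conn, PAYLOAD) and find_injected(conn) lists both news.body rows as carrying the tag. injection_blocked_by_readonly shows why the rights reduction matters as a second layer: the concatenation bug is untouched, but a read-only connection refuses the UPDATE and the content stays clean.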
