The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security. While so-called SQL injections are nothing new, this latest attack, which we reported earlier, is notable for its ability to infect …
We're all doomed
I'll be surfing the web from a computer that boots off a CD-ROM and has no permanent storage (no hard disk or flash). Just power-cycle it when it barfs...
In a way, the curious thing is that such attacks are possible in the first place...
Would it be so hard to have a "secure" mode on the web server/database interface which automatically stops any request containing brackets or such?
I'm not in the business, but I find weird that with all the so-called "security specialists" in the world, such a simple thing as automatic sanitizing of user supplied data has not been implemented yet... or is not the default setting.
According to researcher Ronald van den Heetkamp, as provided in the link in the article, the biggest risk is to sites running MSSQL servers due to the way they handle this particular query effort:
"...as you can see below the SQL query -or stored procedure- is almost fully HEX encoded, which means that no single quote is being used. Casting in SQL server or simply HEX() or CONCAT(CHAR(),CHAR()) in MySQL is widely known, and a good alternative when single quotes are not allowed upon injection, which makes it far more reliable. In the case of SQL server -which allows query stacking by separating the queries- this is crucial for a guaranteed compromise, and hence the reason why MSSQL sucks, and MySQL or Postgre rocks."
This would explain the majority of .ASP pages you see ... they're running the Microsoft server and Microsoft's database. Does anyone still have any doubt that Microsoft's server products are more prone to successful attacks than others? If you do have doubts, please explain why, and how you got to be in IT in the first place.
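The quoted description above (a hex-encoded payload passed through CAST, then a second statement stacked after the first) is also what a defender can look for in web server logs. The following is an added example, not code from the article or from the researcher quoted; the log lines are constructed in IIS-style layout and the hex literal in them decodes to the word "SAMPLE", so nothing here reproduces the real injected code. The field layout (date, time, method, URI stem, URI query, status) is an assumption about how the log was written.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic). Assumed layout:
#   date time method uri-stem uri-query status
SAMPLE_LOG = """\
2008-04-25 10:01:02 GET /products.asp id=12 200
2008-04-25 10:01:03 GET /products.asp id=12;DECLARE%20@s%20VARCHAR(200);SET%20@s=CAST(0x53414D504C45%20AS%20VARCHAR(200));EXEC(@s);-- 200
2008-04-25 10:01:04 GET /search.asp q=cast+iron+pan 200
2008-04-25 10:01:05 GET /products.asp id=7%27%3BSELECT+1-- 500
"""

# A hex literal handed to CAST: the trick used to avoid single quotes.
HEX_LITERAL = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)", re.I)
# A statement separator followed by a T-SQL keyword: query stacking.
STACKED = re.compile(r";\s*(declare|exec|select|insert|update|delete|drop|set)\b", re.I)


def decode_hex_literal(hex_digits):
    """Best-effort decode of the hex literal so an analyst can see what it carried."""
    if len(hex_digits) % 2:          # odd length cannot be bytes; leave it undecoded
        return None
    return bytes.fromhex(hex_digits).decode("latin-1")


def classify(line):
    """Return a finding dict for one log line, or None if the line is malformed."""
    parts = line.split(" ")
    if len(parts) < 6:
        return None
    # The query string is URL-encoded in the log; decode before matching.
    query = unquote_plus(parts[4])
    reasons = []
    m = HEX_LITERAL.search(query)
    if m:
        reasons.append("hex-cast")
    if STACKED.search(query):
        reasons.append("stacked")
    return {
        "uri": parts[3],
        "reasons": reasons,
        "decoded_hex": decode_hex_literal(m.group(1)) if m else None,
    }


def scan(log_text):
    """Return only the lines that triggered at least one indicator."""
    findings = (classify(line) for line in log_text.splitlines())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["uri"], hit["reasons"], hit["decoded_hex"])
```

Matching on the decoded query string matters: the payload only looks like SQL after `%20` and `%27` are unquoted, and a benign search for "cast iron pan" does not trip the `cast(0x` test because there is no hex literal behind it.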
No real mystery why sites are vulnerable to this kind of thing. It's likely to be one of:
- Security 'experts' and programmers who are real good at interviewing and CV writing, but not so much when it comes to actual security. Doctors, lawyers, engineers, etc. - all of these professionals have licensing schemes that guarantee a certain minimum level of competence. Not so much when it comes to software. Used car lots and flea markets have a higher level of regulation and official scrutiny than information security experts. They need business licenses and such. All you need to be a security expert is a business card and a phone number.
- Information security is one of those cost centers in a company that doesn't actually seem to accomplish anything (aside from being occasionally annoying) if they are doing their jobs correctly. People who aren't doing anything are the first to go when budgets get cut.
- SQL injection isn't something you can defend against with an automated tool or eliminate by putting a tick in a box. You have to watch out for it in your coding practices and page design. Like buffer overflows (the main source of security issues in software), the ability to inject unexpected SQL queries into a form on a web page is a bug. You can catch it if you are looking for it, but unless you are looking for it, it can escape your notice.
Not a surprise
Why do you seem surprised that the DHS site was hacked? Remember, this is the government organization who just last year finally managed a non-failing grade (a 'D', which is still pathetic) in computer security, their first non-failing grade ever (the testing started in 2003):
it's not that big a job to tidy up
If you're infected take the SQL they used and run it on your own site... with a small tweak to remove the crap.
then fix your code so you're blocking injection attacks. really... I'm serious about that bit. don't look so smug LAMPers either ... it could be you next ;)
Totally untested example you should test before you take near your production code because you're a professional... right.... http://tinyurl.com/6g2a95
"I'm serious about that bit. don't look so smug LAMPers either ... it could be you next ;)"
The day +500k LAMP servers are thus compromised, I'll eat my Gentoo CD. =P
Still, yet another case of crappy designers shoving security under the rug. (I'd give them the arrogance thumb-down if they used LAMP, but as the servers are mostly M$ oriented they should know security is a huge issue.)
Disaster Recovery Advice For IIS Admins
you posted your link everywhere (including comments on my blog and on Brian Krebs'), but I couldn't find the "small tweak to remove the crap" you talk about.
On the other hand, I did publish an (untested) paraphrase of the original attack which should help in cleaning up your database (unless you've got a good backup, of course), together with other advice here:
Before we go any further on the "it's only Microsoft" road, whilst this attack may show up IIS and ASP, I can tell you for certain that a massive amount of attacks actually target PHP running on Apache (yes, usually on Linux)!
Just look at an average web server log and you'll find it's crammed full of attack attempts on known flaws in known PHP apps.
And many succeed because each individual PHP app needs updating and admins don't update them, and then there are flaws in PHP installs themselves and unpatched Linux systems (which require patching on a weekly basis for a vast array of security fixes).
In fact I'm just off to install yet another patch to Wordpress because of another security hole (yes, Wordpress is PHP and I'm running it on Apache on Linux. If I didn't patch it, I'd get hacked!... all without Microsoft involved).
Oh My God....DHS website got compromised? Wow - who would have thought it was possible...(!?) These guys are *the shit* when it comes to high tech stuff, right?
Jesus, c'mon, does no-one remember the 11th of September 2001? FFS -these self appointed fucknuts are so incompetent (we are led to believe) that even with all their technology and big talk they apparently couldn't stop (or didn't even NOTICE until impact) two enormous fucking passenger aircraft meandering through their airspace and crashing spectacularly into the Twin Towers. Or did they? Hmmmm... it's one or the other!
I remember at a place that I worked a large website was wiped out because someone had been doing some SQL injections and totally wiped out the whole database. So, I am not that surprised, but it does worry me that many websites are relying on databases and it is so easy for hackers to drop tables.
I think there needs to be a change in how databases should be used with websites.
the difference is that with a LAMP server you get weekly patches to fix the holes. With Microsoft products, you get monthly updates (at most) that just add more crap and security holes to your systems. Hence, the majority of the attacked systems run IIS and ASP...
A penguin. Cause they are cute, soft and secure...
In response to what You just said to Mr. Butler there. You took the words out of my mouth. And nicely done as well, hats off to you sir.
re: Shock Horror
As a U.S. citizen, I hate the government just as much (probably more) than your average Joe. And to me, DHS represents one of the primary reasons -- it's another useless organization designed to waste taxpayer money (with little or no benefit) and push the U.S. further along into the police state the government has wanted it to be for many years (if not decades).
However, as much as I hate DHS, do a little research before you go spouting off and making yourself look stupid. DHS can't possibly be responsible for the events of 11 Sep 2001. Why, you might ask? Because DHS didn't exist yet. They were created *in response* to those events. So unless they've developed a time machine that you know about, they had no way to stop it.
If you want to bash the government, go right ahead. But do so for actual reasons. There are plenty of real problems to discuss without resorting to creating fake ones.
Databases are a god-send (well, maybe not MS SQL, but the others), it's just more needs to be done to educate programmers on how to use them properly. One of the things I do is when I make a new database, I think about what kinds of queries I'll be running on it, and only allow the user for that database those queries instead of All Privileges (which I believe is checked as default in CPanel). It's hard to justify allowing stuff like table drops and the like except from an admin back-end (and then you might want to consider a different account for just that purpose), but if you're going to do it you ought to make sure your form (or whatever) data is extra safe.
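The post above recommends giving the web application's database account only the statements its pages actually run, instead of All Privileges. The following is an added example (not the poster's code) that shows the same idea in Python's sqlite3 module: it stands in for a MySQL GRANT because SQLite has no user accounts, and instead uses the connection's authorizer hook to allow SELECT and INSERT on one table while denying everything else. The table, its rows and the "comments" name are constructed for the example; in a real deployment the schema would be created under a separate administrative account rather than on the same connection.

```python
import sqlite3

# The one table the public-facing pages are allowed to touch (assumption).
WEB_TABLE = "comments"


def web_authorizer(action, arg1, arg2, db_name, trigger):
    """Authorizer for the web-facing connection.

    SQLite asks this callback before every operation in a statement. We allow
    plain SELECTs, column reads and INSERTs on WEB_TABLE, and transaction
    control; anything else (DROP, DELETE, UPDATE, schema changes, other
    tables) is denied and the statement fails at prepare time.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action in (sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT) and arg1 == WEB_TABLE:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_TRANSACTION:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_restricted():
    """Create a constructed in-memory database, then drop to web privileges."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    # "Admin" phase: schema and a sample row, before the authorizer is installed.
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES ('constructed sample row')")
    # From here on the connection behaves like the least-privilege web account.
    conn.set_authorizer(web_authorizer)
    return conn


def run(conn, sql, params=()):
    """Execute one statement; return ('ok', rows) or ('denied', message)."""
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    db = open_restricted()
    print(run(db, "SELECT body FROM comments"))
    print(run(db, "INSERT INTO comments (body) VALUES (?)", ("hello",)))
    print(run(db, "DROP TABLE comments"))      # denied
    print(run(db, "DELETE FROM comments"))     # denied
```

The point is the blast radius: even if a page somewhere still concatenates user input into a query, an account that cannot issue DROP or DELETE cannot be used to wipe the table, and the "not authorized" error shows up in the application log instead.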
I'm surprised that the URL used in the attack still resolves.
Not that that's a terribly effective response; of course they could use an IP address instead.
But it would seem an obvious start.
I have lost count of the number of arguments my ops dept has had with numb-nuts developers who state their app has to have full admin privs to function and a high-level DB account, or coding so loose that a GCSE CS student could break it in 5 mins, let alone a user simply trying to push the app to its limits. Not all devs are like it, most do care, but there is a large group who simply walk around with the "black-box" mentality. I once had a developer, while working on a web-based ASP/.Net app that interfaced with the O/S to read/write files, say "Oh Windows, no I don't DO operating systems, I only do VB/.Net technologies. O/S stuff is for the Ops teams to worry about after implementation." Sadly that dev is still working in the business!
Your ignorance really shines through in that post. You're saying that patches for the LAMP stack all work to fix the holes, whilst the ones for the Microsoft stack are all introducing new holes...?
Let me tell you something, it matters not what your chosen implementation vendor is - it's how it's configured. Good database and development prevents this sort of thing - regardless of platform. PHP is riddled with bugs and security bad-practices, and mainly runs on Linux under Apache. (I run a Win2k3 server with it so I know it's a generalisation).
This particular attack does work on LAMP, it just so happens that MS SQL allows query stacking through webapps. This is easily changed, and good development techniques (vendor neutral in fact) prevent this sort of thing. You get a crap developer/DBA using LAMP and you'll see a similar, if not identical thing happening.
Just running the LAMP stack is not sufficient to secure a website. The same as running any other webserving stack - it's the administrators (DBA, webmasters, infrastructure) that secure technology - not the technology.
Bind parameters anyone?
I suspect these web site programmers build queries by string concatenation instead of properly using bind variables.
Linux boys doing their rounds!
As usual, most of the posts are made by those who have no clue about technology and think that Linux is the end-all of everything. This attack has nothing to do with Microsoft / Linux, MSSQL or MySQL. It's all about the people who wrote the applications not properly using the tools that they have. Here are some points:
1) MySQL5 has prepared / parameterized statements, MSSQL had this for a long time (yes, way before MySQL). If you use these, SQL injections are a thing of the past. However, there are lazy programmers in both camps that would rather not type one or two extra lines.
2) ASP is OLD people, come join us in 2008! ASP.NET has been out since 2002. Yes, there are still old "classic" ASP pages out there, but don't make it sound like poor "Microsoft guys" are stuck with ASP and don't have anything else better.
3) ASP.NET, by default as ratfox wondered, blocks any form inputs that may contain potential HTML characters. This particular feature would not have helped in this case, but it does help in other cases (i.e. if you're lazy and don't validate your input). As a second layer, any database input should be using parameterized queries which would make SQL injection a thing of the past.
I hope this cleared some of the FUD around here, though I doubt it...
@vincent himpe: You mean a thin client?
Infection mitigation is a huge reason why some organisations use thin clients. It centralises servers too.
XKCD Comic-robert drop tables student
Have a look here http://www.xkcd.com/327/
Covers the story on this pretty well............
This doesn't make me feel secure...
DHS is going to protect me? I feel about as secure as I might, if I found that taggers had gotten into the police station and spray-painted gang graffiti on the walls, and gotten away.
I am reminded of the Keystone Kops.
"The day +500k LAMP servers are thus compromised, I'll eat my Gentoo CD"
While not defending slack security on MS servers, don't get too smug. A company I worked for ran Joomla on their main site, which got hacked 3 times within one week. The problem is that people who don't have much technical knowledge have been setting up servers and not thinking of security.
Like one of the AC's says, mySQL didn't used to have stored procedures so you would find inline SQL dotted around the place. All it takes is for one page not to do any type checking and your site is compromised.
Also there is a known issue with people using sendmail in PHP that allows it to be used for spam.
The issue is that many designers have taken the role of programmers in creating websites without weighing up security issues.
what should endusers be looking for?
As someone visiting websites but not writing or maintaining them, what malware should I be looking for, and is the redirection to specific websites - which should be avoided?
Query parameters anyone?
Unfortunately most web devs don't even know what they are... oh well :)
@Unfortunately most web devs don't even know what they are
Yes, therein lies the problem.
User-generated content, at developer level, brings back the days when to be a web designer you had to know how to write pages, not how to use a content management system.
there is no SQL injections possible in raw HTML.
this is just another effect of the great squeeze where people try to find the cheapest possibly way of doing things
"It's far better to keep your mouth closed and be thought a fool than to open it and remove all doubt"
Hopefully this will be the straw that breaks the dynamic web's back.
Yeah, I'm still back on Web 0.9 and that's the way I like it. Y'all can keep your Facespace and youboob and shitty flash demos. When I get to a company's home page and it tells me I have to install flash I know it's a company driven by marketdroids rather than engineers and it's no one I want to do business with.
yeah, send those so called porsche driving ict guys back home and get some decent people in. it’s getting about time that this whole ict circus is getting mature and back to basics as other jobs do!