Mass hack plants malware on thousands of webpages

More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines. The mass compromise appears to have affected sites running a banner-ads module …

COMMENTS

This topic is closed for new posts.
Boffin

Adblock+ FTW!

That is all.

0
0
Grenade

Windows Security

Not from Microsoft.

2
0
Bronze badge
Alert

adblock plus?

So does adblock plus count as security software now?

1
0
Anonymous Coward

Has done for a while amongst smart folks

Banner ads have been one of the worst malware vectors for the last few years, at this end, so I always encourage people to use it.

It reduces the amount of crapware. Also, it vastly speeds up browsing, as the ad servers are often the slowest element on a page.

0
0
Silver badge
Thumb Up

Why not?

Personally I prefer AdMuncher but it's all good stuff. Reduces the amount of crap downloaded and significantly improves security.

0
0
Thumb Up

Only reason I installed it...

I'm not against sites using advertising as a way of funding development, but if they insist on a format that's easily abused and can be used to compromise my machine, I will use an adblocker.

Some of the sites I frequently browse seem to frequently get bad ads. Grr.

0
0
Joke

@"does adblock plus count as security software"

It's an advert firewall for my eyes ;)

0
0
Bronze badge

Series of 10,000

An SQL injection attack, aimed at Microsoft IIS systems, launched from a Chinese IP. Why, oh, why, am I not surprised?

2
0

Wait...

So was it actually trying to exploit some browser bugs, or simply asking users to install something?

0
0
WTF?

Strathclyde Police with a Banner Ad Module?

Who or what would advertise on a police website? bail bondsmen? Taser?

1
0
Gold badge
Happy

@Rippy

Pubs and massage parlours located near polis stations perhaps.

0
0

@Adam 54

When Adblock Plus blocks an ad that contains an exploit, then yes, it _does_ count as security software.

2
0
FAIL

The message still doesn't get through...

to the developers of these sites. A day doesn't go by without hearing about more SQL injection exploits. Just take a look at xssed.com as an example. And it'll be high up on the list of programming errors on sans.org and owasp.org's top 10 security vulnerabilities, I'm sure.

1
0
WTF?

Data validation ftw

I'm an old coder, so forgive me if this an obvious question.

Shouldn't this sort of thing (injection and execution of an arbitrary set of commands) be filtered out before any further processing of the text string involved?

2
0
Silver badge

It SHOULD be

It's a simple one-line command. For example in PHP, changing

$param = $_POST['param'];

to

$param = isset($_POST['param']) ? mysql_real_escape_string($_POST['param']) : "";

will stop pretty much any common SQL injection attack where $param is passed to an SQL statement.

0
0
Gold badge
Happy

@Mad Medic

"Shouldn't this sort of thing (injection and execution of an abitrary set of commands) be filtered out before any further processing of the text string involved?"

It should. But data validation is one of those areas to squabble over. Is the web designer or the database people responsible? Web designers tend not to know much about validation and assume the DB is bulletproof. Besides, it might slow down response and we wouldn't want to damage the "user experience", would we? If it's not clear who *is* responsible, then unless someone actually *manages* the project, the odds are excellent that *no* one is responsible.

Repeat with as many websites as necessary.

0
0
Gold badge
Grenade

Yes, that sounds like an obvious question.

Sort of makes you wonder why so many of those in a position to actually prevent this sort of thing never ask it.

0
0

Sure

But I don't understand why an SQL command passed within a SQL command fools the database's engine, other than that the latter is at fault.

0
0
Silver badge

Yes

The first time I saw a string resource with printf() flags inside it I was scared. That would be back in the late 80s. Admittedly I was concerned with program stability rather than security but even my young teenage brain could see the danger. Sadly even that kind of idiocy still goes on. At least with C# the risks are mitigated but I still don't like to see it being done.

As for web stuff - meh. They aren't proper programmers anyway.

:D :D

0
0
Bronze badge

Hmmm...

Not sure about that statement. If you are working on the backend, you should _not_ assume the web designer sanitized the request. It may not even come from a browser anyway. Not saying it's easy to clean up the SQL, just that it is the backend's job to do it, possibly even redundantly.

0
0
Silver badge
Boffin

@lucmars

"But I don't understand why an SQL command passed in a SQL command fools the database's engine"

It doesn't fool the engine at all. A SQL injection attack fools the web server process into passing two (or more) commands to the database engine. The database engine simply executes the commands it's given.

I have a full proof of this, but this comments thread has not enough room for it. Besides, there are more than enough resources on the web to find the answer you seek.

0
0
Bronze badge
FAIL

oh for heck's sake...

Windows is doomed... it's like trying to patch a tyre that's been patched so many times, there's no fresh surface left to stick the patch to...

3
0

validation? Pah!

Far too many sites do no validation whatsoever..

$query = "SELECT * FROM users WHERE username = " . $_GET['username'];

This page was an eye opener for me as to just how easy it was to break into a site using SQL:

http://www.unixwiz.net/techtips/sql-injection.html

1
0
Silver badge
FAIL

Got a better one that that

I fixed a site that actually had this in the code to authenticate the user:

"SELECT COUNT(*) FROM users WHERE login = '" & Request("Login") & "' AND password = '" & Request("Password") & "'"

If the query returned ANY RESULT other than 0, the user was allowed through.

0
0
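The two concatenated queries quoted in the posts above (the unquoted `username = " . $_GET['username']` form and the `SELECT COUNT(*)` login check), reproduced in Python against an in-memory SQLite database as an added example; this is not code from the article or from any commenter. It also applies a quote-doubling escape in the manner of the mysql_real_escape_string fix proposed earlier in the thread, to show that escaping closes the quoted-string case but does nothing for an unquoted numeric one. The `escape` helper, the table and the two user rows are constructed for the example; the plaintext password comparison is kept only because that is what the posted query does.

```python
import sqlite3


def make_db():
    # Constructed sample data: a throwaway in-memory database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse'), (2, 'bob', 'hunter2')")
    return conn


def escape(value):
    # Minimal stand-in (an assumed helper, not a library function) for an
    # escaping routine such as mysql_real_escape_string: double every single
    # quote so it cannot terminate a quoted SQL string literal.
    return value.replace("'", "''")


def login_concat(conn, login, password):
    # The authentication query from the thread, built by string concatenation,
    # with the same flawed rule: any count other than 0 lets the user through.
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] != 0


def login_escaped(conn, login, password):
    # Same query with both inputs escaped: a quote in the input now stays
    # inside the string literal instead of closing it.
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + escape(login)
           + "' AND password = '" + escape(password) + "'")
    return conn.execute(sql).fetchone()[0] != 0


def user_by_id_escaped(conn, user_id):
    # The unquoted form from the thread (WHERE username = " . $_GET[...]),
    # here with a numeric id. Escaping quotes is irrelevant: the input is
    # spliced straight into the expression, so "1 OR 1=1" is valid SQL.
    sql = "SELECT login FROM users WHERE id = " + escape(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("concatenated, bypass payload as password:", login_concat(db, "alice", bypass))
    print("escaped, same payload:", login_escaped(db, "alice", bypass))
    print("escaped, unquoted numeric context:", user_by_id_escaped(db, "1 OR 1=1"))
```

With the payload `' OR '1'='1` as the password, the concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the count is 2 and the check passes. Escaping turns the same payload into an ordinary string value and the check fails. The numeric form is the caveat: `id = 1 OR 1=1` contains no quote to escape, so the escaped version still returns every user.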
FAIL

All the more reason to avoid Microsoft products

How many times do these things need to happen before developers and admins wise up and dump Microsoft products? If this was a programmer's error, why would 100,000 sites have the same mistake? It is inherently poor product design that continues to plague users of Microsoft products.

Nothing is 100% secure but open source seems to have more people examining the code to make sure these problems aren't pushed out to unsuspecting users. Microsoft and other commercial products are too focused on protecting their intellectual property.

0
0
Silver badge

Its not just a security problem

it shows up O-level IT skills (that's MS Revered Partner or something or other).

Never allow a web site (or app come to that) to call a piece of SQL - always run a stored procedure or a function - that way not only can you implement some decent security* and still get some development done but if you should actually happen to write something useful you can change it behind the scenes without having to re-write everything else.

* not sure about MS SQL Server but most Mickey Mouse DBs can do this.

0
0
Bronze badge

You don't even need to quote the params...

It's been a couple of years since I did any web programming. But if you bind the parameter to a placeholder, then it doesn't need to be quoted, e.g.

my $stmt = $dbh->prepare( 'SELECT name FROM users WHERE email = ?' );

$stmt->execute( $param );

You can do that in PHP, can't you?

0
0
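Placeholder binding as described in the post above, as an added example in Python (not code from any commenter), using a constructed in-memory SQLite table. The `?` placeholder works the same way in PHP's PDO (`$pdo->prepare(...)` followed by `execute([$param])`) and in Perl DBI: the parameter is sent separately from the statement text, so no quoting or escaping is needed and nothing in it can become SQL. The example also tightens the login rule from "any count other than 0" to "exactly one matching row" and validates the type of a numeric id before binding it; the table, rows and plaintext passwords are sample data for the example only.

```python
import sqlite3


def make_db():
    # Constructed sample data: a throwaway in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse'), (2, 'bob', 'hunter2')")
    return conn


def login_bound(conn, login, password):
    # Placeholders: the statement text is fixed and the inputs are passed as
    # values. Whatever they contain, they can only ever be compared with the
    # columns, never parsed as SQL.
    count = conn.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()[0]
    # Accept exactly one matching row, not "anything other than 0".
    return count == 1


def user_by_id_bound(conn, user_id):
    # Validate the type first (an id is an integer), then bind it. A string
    # such as "1 OR 1=1" is rejected before any SQL runs.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT login FROM users WHERE id = ? ORDER BY id", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("bound, bypass payload as password:", login_bound(db, "alice", "' OR '1'='1"))
    print("bound, comment payload as login:", login_bound(db, "' OR 1=1 --", "x"))
    print("bound, numeric context:", user_by_id_bound(db, "1 OR 1=1"))
```

The bypass payloads that defeat the concatenated queries elsewhere in this thread are compared as literal login and password values here and match no row. Binding does not replace input validation (the wrong type still has to be rejected somewhere), but it removes the class of bug in which user input is parsed as part of the query.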
Jobs Halo

Hope

I hope Safetica protects me like this ring

0
0