An infection that causes poorly configured websites to silently bombard visitors with malware attacks has hit almost 614,000 webpages, Google searches show. The mass infection, which redirects users to a site exploiting old versions of Oracle's Java, Adobe's Flash player and various browsers, was first disclosed by researchers …
Very poor reporting
From evidence given, nothing to do with ASP.NET. By the sound of it, it's about crap programmers from any database back end. Can you just clarify the ASP.NET vuln?
The site that this article links to gives a bit more information, but not a lot.
This attack is something that I've seen recently, and it is in fact targeting ASP, but not just ASP. Similar attacks are being conducted against sites using PHP as well.
An overview of how it works:
- Hackers gain entrance to a site, via SQL injection or by some other means. (This may, I believe, involve gaining access to a site on a badly configured shared hosting server and then attacking other sites on that same server.)
- The hackers inject a heavily obfuscated piece of ASP code into .asp files or PHP code into .php files. The injected code is written in such a way that it's very difficult to read.
I first became aware of this attack against ASP and PHP sites while I was investigating a different, unrelated (I believe) attack against WordPress sites that also involves injecting obfuscated PHP code into a compromised Wordpress site. I've written about that attack at
One of the commenters on that blog post mentioned that he had a Web site not using WordPress that was being attacked by the injection of obfuscated PHP code. I took a look to see if it was the same attack. It wasn't...but it was an attack that matches in almost all important regards to this ASP attack.
I'm an ASP.NET programmer, so I was very interested to see what the author was trying to tell me was wrong with my sites.
Come to find out, the "attack" on ASP.NET is SQL injection - a vulnerability even a rookie programmer knows how to avoid, and to which any web platform is vulnerable if its application is poorly designed.
Reporting FAIL. Thanks for the time waste, Reg!
What an utterly terrible article
How are these websites being compromised?
You say it's SQL injection then go on to say that ASP.Net sites are being targetted - which is it? (Hint: ASP.Net sites can quite happily run without databases)
This article gives me no information to be able to tell whether my servers are vulnerable to attack or not. Pathetic.
If they a Microsoft servers
They are always vulnerable.
Ignorance on parade
That is all.
Perhaps there are some people who shouldn't be allowed near code editors ever again, all the way down to ed and Notepad, if they don't code to prevent SQL injection attacks.
So, when's the next XSS exploit due?
"Mass ASP.NET attack causes websites to turn on visitors"? Whatever. It's clearly a SQL injection attack. The fact that it may be more prevalent on Windows Servers does not make it 'ASP.NET attack'. Poor title, probably for bait.
Any developer, on any platform, that does not explicitly distrust all incoming data and subsequently sanatise it, should not be a bloody developer. I am amazed just how many sites and prop/open-source solutions (on both MS/Linux) I have seen are susceptible to SQL injection. There's a lot of poor developers out there, on all platforms.
As with all SQL injection attacks, the problem is the developer - simples.
WTF? because WTF?
Crap all around
Crappy web sites. But you make it sound like it's an issue with ASP sites. When in reality it's an issue with configuration. Outed software with holes in it . Finished of with a lousy reporting . In summation this requires a clueless web site designer and a clueless user for this attack to work. Nothing to do with ASP.net
Expect better from an IT site like the reg.
"The infection injects code into websites operated by restaurants, hospitals, and other small businesses"
So that suggests a particular app these places might use is vulnerable, which may or may not be an ASP.NET app. But the headline looks like standard MS bashing fair and suggests the attack is against ASP.NET itself.
Credit to the reg readers that so far there haven't been any tedious derogatory comments about MS (spelled with the dollar site, naturally) urging man and dog to adopt open source O/Ss to avoid such issues.
';drop table users
So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data.
Are there really still developers out there who don't sanitise the input and parameterise their queries?
"So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data."
At last count the "designers" of about 614 000 of them.
But I'll make a small bet this will rise *lots* higher.
That's odd. Suddenly I'm an anonymous coward......
Microsoft is the culprit anyways
It is not the server side vulnerability that makes this interesting, but the ubiquitous client side Microsoft Windows virus friendly OS. Long live the Microshit!
Shall I call 'the men in white coats' or would you prefer to do that for yourself ;)
Really cause. it relies on out dated Java or adobe products. How is that MS fault ?
"Really cause. it relies on out dated Java or adobe products. How is that MS fault ?"
...because it only affects sites using ASP.NET!
re: Microsoft is the culprit anyway
I can't refute what you say, so I'll mod you down instead :)
I see, so by your logic, current and past SQL injection vunerabilities in phpCMS, Codice CMS, Voxpopulime CMS, BloofoxCMS, WordPress, Joomla and Drupal (to name but a tiny, tiny fraction) would the be fault of say Linux and/or Microsoft (or any other OS capable of running PHP)?
I take it your are not a developer?
did you read
Because it said that you had to badly configure the site. The fact that same can't code is not MS fault. It's the same as having the spare key under the front door mat. It's not the fault of the lock maker.
Did you read mine? I said that on GNU/Linux I do not care about these web browsers' dangers resulting from whichever fault (bad SQL/PHP/.NET/JAVA)
t is only the MS Windows users' worry. Now are you getting it?
Pull the article or rename the title
I agree with the other comments here. I'm an ASP.NET developer and this article in the end becomes a piece of false advertising by its title. It's almost as bad as saying the sky has mysteriously and dangerously turned grey on a cloudy day. Makes me wonder if the reporter just needed more readership and so threw in that title or if it's an article just meant to slam ASP.NET in general.
The bull horn because it's just a bunch of unwelcome noise rather than being informative
yes it is to do with ASP/ASP.NET
if you read the blog entry and look at the link to google search results, you will see it IS targetting ASP/ASP.NET websites. Whether the attack would work against PHP sites is not the point, the google results clearly show .aspx pages being returned, so yes they are affecting ASP.NET sites. OK they may be poorly codes, and they may not be:
As a PHP developer and an ASP.NET developer, I can say it is not always the case that developers are at fault, sometimes the framework code in .NET does not do what it should, as in the past I have had to code my own routines. Not saying that's whats going on here.
Actually I would suspect it is more likely IIS
The nature of the attack doesn't appear to use anything specific to ASP or ASP.NET. So my unfounded guess as to why there's such a high proportion of sites that are ASP.NET (yet not all of them) is that the automated script that is run once the server is comprimised is targetting IIS. This makes some sense to me, as IIS is easily locatable, and easily interrogated and manipulated by a script (by design, not by mistake). This would make it an easy target for someone wanting to do a mass automated attack. I'm sure they could have targetted other web servers, but I guess they haven't.
Attacking IIS is something different than a SQL injection attack.
No Sentient, you misunderstand
Not 'attacking IIS', I'm saying that once the system has been comprimised by the SQL injection attack, I suspect it is then using the fact you can easily find IIS and configure it (now that it has permissions) by writing an automated script to do it. Thus the websites that are seen as comprimised are ASP.NET, because most websites running on IIS are ASP.NET. I'm not suggesting an IIS vulnerability.
WTF with the title?
Looks like it works because of a basic misunderstanding.
Hold in DB.
Output information back to user.
The implication is that this happens with text controls which deal with *passive* text.
But the DB executes code *regardless* of what kind of control it originates from.
The attackers know this. The "legitimate" developers do not seem to.
Now how many times had this been done *already*?
Mass ColdFusion attack causes websites to turn on visitors
This is a complete joke. Nothing here to suggest this has anything to do with ASP.NET, IIS, Microsoft, or anything else specific to a particular brand. There are almost as many ColdFusion pages in the linked Google results.
It's an exploit that all dynamic data driven sites try to program against.the only newsworthy bit of this article is the information about what happens to the users after they're redirected off to malicious sites.
Next to useless article
This is a pretty major development, especially for those of us working with ASP.NET directly, or supporting users of ASP.NET systems - and I'm the latter, working in one of the UK's largest hospitals.
What you've written is a fairly lengthy article saying not very much. Useful things to include in your blathering might have been:
- What actions developers should be taking
- What actions server side support teams should be taking
- What actions desktop support/end users should be taking
WTF is going on at El Reg these days?!
This article is symptomatic of the junk that's now being regularly churned out.
You seem to think that launching a paper aeroplane once a year is enough to keep the geeks happy, and the advertising revenues rolling in.
FFS sort yourselves out or you risk losing your readers.
websites operated by restaurants, hospitals, and other small businesses
Yep, whenever I think of small businesses, hospitals are one of the obvious examples.
Again, to echo what everyone else has said: this article doesn't help in the slightest.
Are there any examples of how this is an ASP.Net exploit? As it stands, it appears a number of web techs, including ASP.Net, have been struck by this issue - and as others have commented, it is likely to be some kind of SQL injection, which a well-coded .Net app should be protected against. So unless there is an issue with .Net's SQL Parameters, or some other part of the .Net db technologies, I fail to see how this is a "MASS ASP.NET ATTACK".
Can we have a system with user input escaped by default
so if you're going to open up an injection vuln you have to do it deliberately?