Mass infection turns websites into exploit launch pads

Malicious hackers have managed to infect about 57,000 web pages with a potent exploit cocktail that targets a variety of vulnerable applications to surreptitiously install malware on visitor machines. The exploits install an assortment of nasty software, including Gologger, a keystroke logging trojan, and a backdoor that …

COMMENTS

This topic is closed for new posts.
  1. Nobody 2

    exploit of systems not updated

    now I'm no guru but according to netcraft the vast majority of the domains listed in the google link seem to have been updated today 24AUG09 from Microsoft-IIS/5.0 to something different.

    When I say something different I'm not pulling out the usual "linux ain't infected" lark as the initial report doesn't seem to indicate exactly what platform the exploit is targeting - what I'm saying is make yer own mind up - whilst it's possible to munge the server agent string a lot of these domains seem to have changed hosting providers as well - today!

    lastly, not posting very often it would be nice to know who the feck stole my original "nobody" handle. ta.

  2. Anonymous Coward
    Anonymous Coward

    Clarification Required

    Which browsers/operating systems does this affect?

  3. Disco-Legend-Zeke
    Grenade

    Now that the army....

    has a cyber squad, one hopes they will be sharpening their bayonets on exploits like this.

  4. gollux
    Alert

    So, did...

    HackerSafe catch any of these flaws? I had a guy wrangling me for nearly half an hour on how it can walk on water. Inquiring minds want to know.

  5. Mike007 Bronze badge

    sql injection?

    seriously... how the hell can anyone still have SQL injection issues? nearly every database library for every platform supports parameterised queries, so why are people *still* not using them?

    and even the handful of database libraries that don't support them, it's not hard to write a quick function to implement it, which not only protects all of your queries but also makes them simpler (as there's no need to escape your parameters every time - although clearly these people still building their query strings manually don't bother with that anyway!)

  6. Anonymous Coward
    Unhappy

    Erm...

    Erm, We were running Win2003 Server & SQL Server 2005 (patched to the hilt) and got hit with 7.5M entries in our database (before we hit STOP!!) a couple of weeks back (the same day Facebook and {another large website - forget who} died).

    I haven't looked into the Website code to see how "well" it was constructed.

    Restored ok though and we were back up next day.

    AC for obvious reasons.

  7. Bod

    Any platform

    Before the smug lot turn up, it's important to stress that SQL injection attacks affect any platform, any form of SQL, whether you're on IIS, Apache, using ASP, PHP, or "whatever". It's not SQL either that's at fault, it's simply sloppy coding on the web application side that isn't checking and formatting data correctly before it goes into an SQL query.

    Again another reason why today's slew of "I've got a degree in Media/Web/Business" developers should be given managed and protective high level development platforms to develop on. We can't stop the flow of sloppy developers, so we need to protect everyone else from the mess they create by preventing them doing anything dodgy.

  8. adnim

    Maybe

    it is time to make website owners liable for any inadequate security and configuration issues of their sites which result in damage to connecting systems. Making laws for criminals to abide by just doesn't work.

  9. Anonymous Coward
    Unhappy

    a0v.org seems to have vanished from DNS

    At least where I am anyway. Pity, because I wanted to have a look at the code to see how it worked.

  10. Anonymous Coward
    Boffin

    SQL Injection

    ...is still largely possible because clueless(1) web developers keep coding embedded SQL in their pages which concatenate together values to generate a SQL string that gets passed back to the DB server for execution.

    This would become a far less common vulnerability if developers took just a tiny bit more time to code SQL using typed/bound parameters(2) passed to back end stored statements(3). This simple technique eliminates the possibility in the majority of cases of extra SQL being surreptitiously slipped into the statement at prepare time.

    (1) Actually that's not entirely fair - most guys out there DO have a clue, which is why it's all the more frustrating that this is such a common vulnerability. Often it's down to the ridiculous timescales given to implement projects.

    (2) Typed parameters force the SQL client to validate what's being assigned to the parameter. If you've defined a numeric parameter for instance, it's impossible to force extra text - i.e. an additional WHERE clause - into the value in an attempt to corrupt the statement.

    (3) Stored statements combined with typed/bound parameters eliminate the possibility of tricking the SQL into returning extra fields.
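The point made by Mike007 (comment 5) and by this commenter (typed/bound parameters, footnote 2) side by side, as an added example that is not part of any comment on this page. It uses Python's standard sqlite3 module with a constructed in-memory `users` table rather than the SQL Server setup mentioned above; the `lookup_typed` helper, which enforces a numeric type on the parameter before the query runs, is a hypothetical wrapper written for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a three-row users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, is_admin) VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "root", 1)],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The mistake the commenters describe: the value is concatenated into the SQL text,
    so whatever the caller passes becomes part of the statement."""
    sql = "SELECT name FROM users WHERE id = " + str(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, user_id):
    """Bound parameter: the statement is fixed at prepare time and the value is
    passed separately, so it can only ever be compared against the id column."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def lookup_typed(conn, user_id):
    """Hypothetical typed wrapper: coerce to int first, so anything that is not a
    number is rejected before the database is involved at all (footnote 2 above)."""
    numeric_id = int(user_id)  # raises ValueError for non-numeric input
    return lookup_parameterised(conn, numeric_id)


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: a textbook tautology appended to the id.
    hostile = "1 OR 1=1"
    print("concatenated:", lookup_vulnerable(db, hostile))      # every row leaks
    print("parameterised:", lookup_parameterised(db, hostile))  # no match, nothing leaks
    try:
        lookup_typed(db, hostile)
    except ValueError as exc:
        print("typed parameter rejected input:", exc)
```

The parameterised version returns nothing for the hostile string because sqlite3 binds it as a single text value that no integer id equals; the typed wrapper goes one step further and refuses the request outright, which is the behaviour the footnote describes for a numeric parameter.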

  11. BlueGreen

    @adnim: seconded

    and if they all stopped using javascript/flash/silverlight/other RIA crap unless their £$%^ing website intrinsically *needed* it and could not do its job without it, we'd all be safer and organised crime poorer.

  12. LewFoo
    FAIL

    Inferior People...

    ...should not be employed.

    This is what happens when businesses all over the freekin' planet continue to hire pimply faced drooling trolls at cut-rate salaries who taught themselves PHP in their parents' basement between sleepless bouts of Warcraft and Wolfenstein, instead of hiring highly skilled (and guess what? more expensive!) university trained degreed professional software engineers who've been trained to think past next week's paycheck.

    It is axiomatic that you get what you pay for.

  13. Anonymous Coward
    Alert

    Not SQL injection (or certainly not only)

    The sites I have seen infected have ALL been done through FTP.

    The hack typically defaces the default/index page of the site, no database data is changed. And I have seen pure static HTML sites infected - not SQL injection issues there!

    It seems more likely to me that the FTP details are obtained from hacked client machines, as there has been no discernible pattern of the sites that get hit - they are spread over multiple servers, on multiple hosts, but the vast majority of other sites on the same servers are fine, despite running exactly the same applications on them.

    Locking down FTP by IP address prevents reinfection in all cases I have seen.

  14. Bod

    @LewFoo

    Businesses these days tend to hire cheap outsourcing or foreigners looking for a visa to work in the UK, all of which have degrees from high turnover tech universities overseas (e.g. India).

    In my experience of these situations almost all of them have been rubbish. I'm guessing the degrees are more like business degrees where they try to teach VBA to Excel students and that qualifies them to write software!

    Recruitment these days is a nightmare too as not only are the businesses looking for cheap labour, but the agents are pushing cheap labour at inflated prices to take a bigger cut. It's amazing just how few applications for IT jobs these days are actually home grown and I suspect it's more down to agents than the proportion of candidates applying.
