Mass hack plants malware on thousands of webpages

More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines. The mass compromise appears to have affected sites running a banner-ads module …

COMMENTS

This topic is closed for new posts.
  1. Slappy
    Boffin

    Adblock+ FTW!

    That is all.

  2. MacRat
    Grenade

    Windows Security

    Not from Microsoft.

  3. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Has done for a while amongst smart folks

      Banner ads have been one of the worst malware vectors for the last few years, at this end, so I always encourage people to use it.

      It reduces the amount of crapware; also, it vastly speeds up browsing, as the ad servers are often the slowest element on a page.

    2. AndrueC Silver badge
      Thumb Up

      Why not?

      Personally I prefer AdMuncher but it's all good stuff. Reduces the amount of crap downloaded and significantly improves security.

    3. Anonymous Coward
      Thumb Up

      Only reason I installed it...

      I'm not against sites using advertising as a way of funding development, but if they insist on a format that's easily abused and can be used to compromise my machine, I will use an adblocker.

      Some of the sites I frequently browse seem to frequently get bad ads. Grr.

    4. Asgard
      Joke

      @"does adblock plus count as security software"

      It's an advert firewall for my eyes ;)

  4. James O'Shea

    Series of 10,000

    An SQL injection attack, aimed at Microsoft IIS systems, launched from a Chinese IP. Why, oh, why, am I not surprised?

  5. Pawel 1

    Wait...

    So was it actually trying to exploit some browser bugs, or simply asking users to install something?

  6. Rippy
    WTF?

    Strathclyde Police with a Banner Ad Module?

    Who or what would advertise on a police website? bail bondsmen? Taser?

    1. John Smith 19 Gold badge
      Happy

      @Rippy

      Pubs and massage parlours located near polis stations perhaps.

  7. Joe User

    @Adam 54

    When Adblock Plus blocks an ad that contains an exploit, then yes, it _does_ count as security software.

  8. Dr Wheetos
    FAIL

    The message still doesn't get through...

    to the developers of these sites. A day doesn't go by without hearing about more sql injection exploits. Just take at look at xssed.com as an example. And it'll be high up on the list of programming errors on sans.org and owasp.org's top 10 security vulnerabilities, I'm sure.

  9. Mad Medic
    WTF?

    Data validation ftw

    I'm an old coder, so forgive me if this is an obvious question.

    Shouldn't this sort of thing (injection and execution of an arbitrary set of commands) be filtered out before any further processing of the text string involved?

    1. Steve Roper

      It SHOULD be

      It's a simple one-line command. For example in PHP, changing

      $param = $_POST['param'];

      to

      $param = isset($_POST['param']) ? mysql_real_escape_string($_POST['param']) : "";

      will stop pretty much any common SQL injection attack where $param is passed to an SQL statement.

    2. John Smith 19 Gold badge
      Happy

      @Mad Medic

      "Shouldn't this sort of thing (injection and execution of an arbitrary set of commands) be filtered out before any further processing of the text string involved?"

      It should. But data validation is one of those areas to squabble over. Is the web designer or the database people responsible? Web designers tend not to know much about validation and assume the DB is bulletproof. Besides, it might slow down response, and we wouldn't want to damage the "user experience", would we? If it's not clear who *is* responsible, then unless someone actually *manages* the project the odds are excellent that *no* one is responsible.

      Repeat with as many websites as necessary.

      1. Jean-Luc

        Hmmm...

        Not sure about that statement. If you are working on the backend, you should _not_ assume the web designer sanitized the request. It may not even come from a browser anyway. Not saying it's easy to clean up the SQL, just that it is the backend's job to do it, possibly even redundantly.

    3. TeeCee Gold badge
      Grenade

      Yes, that sounds like an obvious question.

      Sort of makes you wonder why so many of those in a position to actually prevent this sort of thing never ask it.

    4. lucmars

      Sure

      But I don't understand why an SQL command passed in an SQL command fools the database's engine, other than that the latter is at fault.

      1. Steven Knox
        Boffin

        @lucmars

        "But I don't understand why an SQL command passed in a SQL command fools the database's engine"

        It doesn't fool the engine at all. A SQL injection attack fools the web server process into passing two (or more) commands to the database engine. The database engine simply executes the commands it's given.

        I have a full proof of this, but this comments thread has not enough room for it. Besides, there are more than enough resources on the web to find the answer you seek.

    5. AndrueC Silver badge

      Yes

      The first time I saw a string resource with printf() flags inside it I was scared. That would be back in the late 80s. Admittedly I was concerned with program stability rather than security but even my young teenage brain could see the danger. Sadly even that kind of idiocy still goes on. At least with C# the risks are mitigated but I still don't like to see it being done.

      As for web stuff - meh. They aren't proper programmers anyway.

      :D :D

  10. paulc
    FAIL

    oh for heck's sake...

    Windows is doomed... it's like trying to patch a tyre that's been patched so many times, there's no fresh surface left to stick the patch to...

  11. irrelevant

    validation? Pah!

    Far too many sites do no validation whatsoever..

    $query = "SELECT * FROM users WHERE username = " . $_GET['username'];

    This page was an eye opener for me as to just how easy it was to break into a site using SQL:

    http://www.unixwiz.net/techtips/sql-injection.html

    1. Steven Knox
      FAIL

      Got a better one than that

      I fixed a site that actually had this in the code to authenticate the user:

      "SELECT COUNT(*) FROM users WHERE login = '" & Request("Login") & "' AND password = '" & Request("Password") & "'"

      If the query returned ANY RESULT other than 0, the user was allowed through.

  12. Tom Stone
    FAIL

    All the more reason to avoid Microsoft products

    How many times do these things need to happen before developers and admins wise up and dump Microsoft products? If this was a programmer's error, why would 100,000 sites have the same mistake? It is inherently poor product design that continues to plague users of Microsoft products.

    Nothing is 100% secure but open source seems to have more people examining the code to make sure these problems aren't pushed out to unsuspecting users. Microsoft and other commercial products are too focused on protecting their intellectual property.

  13. Tom 7

    It's not just a security problem

    it shows up O'level IT skills ( that's MS Revered Partner or something or other).

    Never allow a web site (or app come to that) to call a piece of SQL - always run a stored procedure or a function - that way not only can you implement some decent security* and still get some development done but if you should actually happen to write something useful you can change it behind the scenes without having to re-write everything else.

    * not sure about MSSQLServer but most Mickey Mouse DBs can do this.

  14. peter 5 Silver badge

    You don't even need to quote the params...

    It's been a couple of years since I did any web programming. But if you bind the parameter to a placeholder, then it doesn't need to be quoted, e.g.

    my $stmt = $dbh->prepare( 'SELECT name FROM users WHERE email = ?' );

    $stmt->execute( $param );

    You can do that in PHP, can't you?
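Answering the question above and tying it back to Steven Knox's login query and Steve Roper's escaping one-liner, here is an added example (not posted by any commenter) showing the concatenated COUNT(*) query beside its bound-parameter form in PHP, run against a constructed in-memory SQLite database; it assumes PDO with the sqlite driver is available.

```php
<?php
// Added example, not from the thread: the string-built login query described
// above next to the bound-parameter version, on a constructed SQLite table.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is installed
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (login TEXT, password TEXT)");
    // Constructed sample row; a real system would store a password hash.
    $db->exec("INSERT INTO users VALUES ('alice', 'correct horse')");
    return $db;
}

// Vulnerable: the input is spliced into the SQL text, so a quote inside it
// changes the structure of the statement the engine is handed. The engine is
// not fooled; it faithfully runs whatever statement the web tier built.
function countUnsafe(PDO $db, string $login, string $password): int {
    $sql = "SELECT COUNT(*) FROM users WHERE login = '" . $login
         . "' AND password = '" . $password . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Fixed: placeholders are bound, so the statement structure is settled before
// any value arrives and the input can only ever be compared as data. No
// quoting or escaping of the values is needed, as peter 5 says.
function countSafe(PDO $db, string $login, string $password): int {
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE login = ? AND password = ?');
    $stmt->execute([$login, $password]);
    return (int) $stmt->fetchColumn();
}

$db = makeDb();
// Constructed inputs: genuine credentials, and the textbook quote-bearing
// string that turns the concatenated WHERE clause into a tautology.
$crafted = "' OR '1'='1";
printf("unsafe, valid creds:   %d\n", countUnsafe($db, 'alice', 'correct horse'));
printf("unsafe, crafted input: %d\n", countUnsafe($db, $crafted, $crafted));
printf("safe, valid creds:     %d\n", countSafe($db, 'alice', 'correct horse'));
printf("safe, crafted input:   %d\n", countSafe($db, $crafted, $crafted));
```

With the "any result other than 0 lets the user in" rule from the thread, only the bound version keeps the crafted input at zero rows; the same `prepare`/`execute` pattern works in PHP for MySQL and other PDO drivers.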

  15. Josephist
    Jobs Halo

    Hope

    I hope Safetica protects me like this ring
