Ads by TechWords

See your link here
Receive the latest technology news and information.
Networking
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Mass hack infects tens of thousands of sites

Then they serve visitors multiple exploits, including October RealPlayer attack

January 7, 2008 12:00 PM ET

Computerworld - Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend.

Roger Thompson, the chief research officer at Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass hack," said Thompson, in a post to his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

Symantec Corp. cited reports by other researchers -- including one identified only as "websmithrob" -- that fingered a SQL vulnerability as the common thread. "The sites [were] hacked by hacking robot by means of a SQL injection attack, which executes an iterative SQL loop [that] finds every normal table in the database by looking in the sysobjects table and then appends every text column with the harmful script," said websmithrob in a blog post. "It's possible that only Microsoft SQL Server databases were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains."

According to websmithrob, the attack appends a JavaScript tag to every piece of text in the SQL database; the tag instructs any browser that reaches the site to execute the script hosted on the malicious server.

Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center (ISC) reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA Inc.'s Web site had been infected.

Grisoft's Thompson said that his research had identified a 15-month-old vulnerability as one of those exploited by the attack code. The exploit, he said, targeted the MDAC (Microsoft Data Access Components) bug patched in April 2006 with the MS06-014 security update. "They went to the trouble of preparing a good Web site exploit, and a good mass hack but then used a moldy old client exploit. It's almost a dichotomy," said Thompson.

Other researchers, including websmithrob and Symantec, said that the JavaScript also launched an exploit targeting a much more recent vulnerability: a RealPlayer bug that first surfaced last October. The flaw was fixed several days later by RealNetworks Inc.

Another surprise, Thompson said, was the speed of the hack's cleanup. Although a Google search still showed thousands of sites infected with the script on Saturday, Thompson claimed that Grisoft's LinkScanner Pro tool indicated that nearly all had actually been scrubbed. "I found that really surprising [that they were cleaned so quickly]," he said in an interview via instant messaging on Sunday. "They're all so disparate. If it was a big server farm, I could understand it being cleaned so quickly, but there doesn't seem to be anything common about them all."

The ISC updated its alert Sunday, saying another round of SQL injection attacks had infected sites with a script referring to a different malicious server. When asked to examine the second domain, Thompson confirmed that it was serving up the same malicious JavaScript as the first. However, many of those sites -- which as of this morning numbered more than 93,000, according to a quick Google search -- had not been cleaned.



Jump to comments

SQL injection

Additional Resources

EFD vs. HDD - What You Need to Know
WHITE PAPER
Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.
Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009
WHITE PAPER
The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.
Eight Criteria for Server Load Balancing
WHITE PAPER
Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.

What People Are Saying

White Papers & Webcasts

Death to PST Files
Download Now  

Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!

A Green Architectural Strategy That Puts IT in the Black
Levergage green computing across your data center. Read more now.  

Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.

Quantifying the Business Value of VMware View
Learn why you should invest in a centralized virtual desktop.  

Asia-Pacific Enterprise Network Solutions
Learn through this Webcast how your business can achieve reliability, performance and value in hard-to-reach locations within the Asia-Pacific region.

Mainsoft Webcast w/ Forrester Research: Drive SharePoint Adoption in Lotus Notes Shops
How can you drive mainstream user adoption of Microsoft SharePoint when your users rely on Lotus Notes?


IT Jobs