Thursday, June 19, 2008

Have you been hit by Mass SQL Injection?

| Armando Romeo |

Mass Sql injection has been the most important threat being experienced by the
security (and web masters) community from April 2008 until now.

Over 510.000 servers have been successfully exploited using the same payload and a few variants of the same exploit.

At first the attack was believed to be a malware able to propagate on vulnerable servers through SQL commands.


A further forensic study demonstrated how the attack is instead generated by thousands of bots crawling the net for vulnerable web applications. Asprox botnet (15.000 infected hosts as of March 08) above all.

The potential targets are recognized through google dorks and the attack starts injecting a payload able to replace all the string-type field of the database with a javascript payload being downloaded from certain domain names.

The javascript would have been finally executed on the vulnerable websites visitors in order to attempt a forced download of an online gaming trojan horse as well as adwares. Or just more Asprox listeners...

Targeted web applications seemed to be only ASP web pages using Microsoft SQL Server, but more variants of this kind of attack are being discovered targeting different languages and different servers platforms.

The exploitation is made possible due to poorly written web applications while
no vulnerabilities exist into IIS/SQL server for sake of clarity.

A tool is available to check wether your webserver has been hit by Danmec/Asprox botnet: SQLInjectionFinder.

It basically scans your IIS logs looking for known exploit payload like "CAST(" statements. This tool is much better than running an automated scanning tool against your web site scripts although secure scripts or a WAF "in front" of them would have surely mitigated the attack impact.

Time to acquire some WAF vendors' stocks now.

Free Security Magazines