Massive SQL-based Web attack decoded

New details have emerged about the attack over the weekend; some speculate it was automated.

On Wednesday, the SANS Internet Storm Center and others published details about the massive SQL-based Web attack that occurred over the weekend. The attack, says SANS, is similar to a smaller SQL-injection attack seen in November. At least 70,000 sites were compromised in a short period of time, leading some to speculate this was an automated attack.

From logs files, the attack code appears to exploit a variety of SQL injection vulnerabilities existing on Web sites using Microsoft SQL or Microsoft IIS. On the vulnerable sites, malicious JavaScript is injected into all variable character fields and text fields in the SQL database such that when visitors hit the site, their browsers, if vulnerable, are then redirected to another domain--in this case, us8010.com.

Roger Thompson, chief research officer at Grisoft, identified one of the exploits served at the malicious server as taking advantage of MS06-014, a Microsoft Data Access Components vulnerability that Microsoft patched in September 2006. He also noted that "this domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains." Yet by January 5, most of these domains had already been cleaned.

What's interesting about this attack, aside from its automation, is that the SQL injection script is given in terms of a CAST statement, code that converts one data type to another. Ryan Barnett has provided a decoded version of this attack.

Barnett suggests that to protect against this attack a Web site should be front-ended by an Apache proxy and then back-ended by ISS or MS-SQL. SANS says other methods, such as blocking CAST statements, would also be effective.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    HOT ON CNET

    Point-and-shoot quality with your phone?

    Upgrade your camera photo game with these great additions.