SQL Injection Attacks Hit 70,000 Websites

Automated attacks spread across government and education environments as well as commercial sites



JANUARY 8, 2008

An automated SQL injection attack has caused as many as 70,000 Websites to steer users toward malicious code over the last few days, according to researchers.

The attack adds a JavaScript tag to every piece of text in a Website's SQL database, the researchers said. The tag instructs any browser that reaches the site to execute the script hosted on the malicious server.
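The cleanup problem this mechanism creates is a database sweep: every text cell may now end in a remote-script tag, and a defender needs to know which rows carry one, where the tag points, and then strip it. The script below is an added example, not code from the article or from the researchers it quotes. It assumes a SQLite database (the same approach applies to any SQL engine once you enumerate its text columns), builds its own constructed sample data, and uses the placeholder host malicious.example; none of those values come from the incident.

```python
import re
import sqlite3

# Any <script ...>...</script> element stored inside a text value. The attack
# described above appended a remote-script tag to stored text, so the first
# question is "which cells carry one?" and the second is "where does it point?".
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_ATTR_RE = re.compile(r"""src\s*=\s*["']?([^"'>\s]+)""", re.IGNORECASE)


def text_columns(conn):
    """Return (table, column) pairs for every column with TEXT affinity.

    SQLite gives TEXT affinity to declared types containing CHAR, CLOB or TEXT,
    which covers VARCHAR(n), NVARCHAR, CLOB and plain TEXT.
    """
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for _cid, name, decl_type, _notnull, _dflt, _pk in conn.execute(
                f'PRAGMA table_info("{table}")'):
            if any(k in decl_type.upper() for k in ("CHAR", "CLOB", "TEXT")):
                cols.append((table, name))
    return cols


def find_injected(conn):
    """Return one (table, column, rowid, src) entry per script tag found in stored text."""
    hits = []
    for table, column in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if not isinstance(value, str):
                continue
            for tag in SCRIPT_TAG_RE.finditer(value):
                src = SRC_ATTR_RE.search(tag.group(0))
                hits.append((table, column, rowid, src.group(1) if src else None))
    return hits


def clean_injected(conn):
    """Strip every script tag from affected values; return the number of cells rewritten."""
    rewritten = 0
    for table, column in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if not isinstance(value, str) or not SCRIPT_TAG_RE.search(value):
                continue
            conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                         (SCRIPT_TAG_RE.sub("", value), rowid))
            rewritten += 1
    conn.commit()
    return rewritten


def build_sample_db():
    """Constructed demo database, not real victim data: two tables, three cells
    carrying an injected tag that points at the placeholder host malicious.example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                               description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT);
    """)
    tag = '<script src="http://malicious.example/x.js"></script>'
    conn.executemany("INSERT INTO products (name, description, price) VALUES (?, ?, ?)", [
        ("Widget" + tag, "A fine widget" + tag, 9.99),
        ("Gadget", "Untouched description", 19.99),
    ])
    conn.execute("INSERT INTO news (title, body) VALUES (?, ?)",
                 ("Welcome", "Site news" + tag))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table, column, rowid, src in find_injected(db):
        print(f"{table}.{column} rowid={rowid} -> {src}")
    print("cells cleaned:", clean_injected(db))
    print("remaining hits:", find_injected(db))
```

Run `find_injected` first and keep its output: the distinct `src` values are the indicators you will want to block at the proxy and search for in web logs, and the affected table and column names tell you which application queries were injectable. Restoring from a pre-incident backup is cleaner than regex stripping where one exists; the `clean_injected` pass is for the case the article describes, where the only change was the appended tag and a restore would lose legitimate writes.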

The automated attack hit a broad range of Websites, researchers said. "This was a pretty good mass-hack," said Roger Thompson, a researcher at Exploit Prevention Labs -- now a part of Grisoft -- in his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

The SANS Institute's Internet Storm Center said the attack hit government and educational institutions as well as commercial sites. The SQL injection attack may also have played a part in the security problems experienced by Computer Associates over the weekend, SANS said.

Ironically, the attack was launched using an old client vulnerability, and it has been relatively easy to clean up, Thompson said.

"The only exploit we were able to [discover] was the venerable MS06-014 (MDAC) patched in September 2006," Thompson said. "What this means is that [the attackers] went to the trouble of preparing a good Website exploit, and a good mass-hack, but then used a mouldy [sic] old client exploit. It's almost a dichotomy."
