August 6th, 2008, 21:08 | #16 |
SQL injection has been here for years... and many websites now protect themselves from SQL injection. For PHP it's easy enough to fix, and as the ASC forum is a complete script (made by a company) I'm almost sure that this has been fixed, or is at least very hard to execute.
Anyway, for the "virus" part... many web servers are running on Linux, and viruses aren't aiming at Linux. If they manage to enter one server, maybe they could try to install these "viruses" on computers with Internet Explorer/Firefox, but the user will get a question if he wants to install it...
The only scary thing about this is that all our passwords stored here can be retrieved. However... passwords here are not plain text, nor encrypted. They're hashed, so impossible to decrypt. The only method you can use to crack hashed passwords is bruteforcing. Bruteforcing is not something easy to do if you have a long password (it can take up to years for a 10-12+ character password). Hope some of you are going to sleep a bit better lol
__________________
Aka Raptor TM M3 Shorty KJW Beretta M9 |
|
August 6th, 2008, 22:21 | #17 |
Guest
|
Except you're incorrect. Well, partly.
SQL injection doesn't care if the server is Linux, Windows, etc. It's SQL, and therefore any SQL database is potentially vulnerable. The Achilles heel of any web server is the application layer. If the application layer doesn't properly sanitize and/or validate input, you can potentially read/write to the database with the permissions of the application... or more. If you can compromise the tables that present site content, you can include a cross-site script call to a foreign web server. That call can be for, oh, let's call it "ngg.js". You can Google that if you like, but for God's sake don't click on the results.
Ngg.js is JAVA. Java doesn't care what OS you're running, or even what browser you're running. It runs in its own sandbox and is completely portable. So the Java WILL execute if you haven't prevented JavaScript execution with a tool like NoScript under Firefox. The JS can include browser checks, which can be used to control WHAT malware is presented to you. I.e., a Macintosh-specific trojan for a Safari browser. Yes, I know that Safari also runs on Windows, but the point is that this is a targeted, blended threat, so the usual rules about circulating viruses that would affect the larger market don't apply... these are professional criminals and they're well aware that many people out there feel safe and secure behind their Mac and Linux systems, and therefore may treat certain things as "safer" where they wouldn't trust them on Internet Explorer.
Say, for example, visiting your favourite news site and being presented with a dialogue box asking you to install a codec that's required to view specific content... we know that people are stupid, and they'll happily click on anything if they think they'll be able to watch stupid movies or free porn. So, you're on a site that you trust, and you've watched streaming content there before. It's only logical that you may need to update your codec, isn't it?
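As an added example (not part of the original thread): a defender's check for the situation post #17 describes, where the tables that present site content have been modified to include a script call to a foreign web server. The table and column names, the allowlisted hosts and the `injected.example` host are assumptions, and the rows are constructed sample data.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.forum.example", "static.forum.example"}

# Captures the src value of a <script> tag, quoted or unquoted, any case.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE
)

def foreign_script_hosts(html):
    """Return hosts of <script src=...> tags that are not on the allowlist."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # None for relative (same-site) paths
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            hosts.append(host)
    return hosts

def scan_content_tables(conn, columns):
    """Scan (table, key_column, text_column) triples; return findings."""
    findings = []
    for table, key, col in columns:
        # Identifiers come from a fixed list in code, never from user input.
        query = f"SELECT {key}, {col} FROM {table} ORDER BY {key}"
        for row_id, text in conn.execute(query):
            for host in foreign_script_hosts(text or ""):
                findings.append((table, row_id, host))
    return findings

def build_sample_db():
    """Constructed sample: four forum posts, one carrying an injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    # Values are bound as parameters, never concatenated into the SQL text.
    conn.executemany("INSERT INTO posts (id, body) VALUES (?, ?)", [
        (1, "Anyone selling a KJW M9 mag?"),
        (2, '<script src="/js/quote.js"></script>Nice rifle.'),
        (3, "Great deal!<script src=http://injected.example/ngg.js></script>"),
        (4, '<SCRIPT SRC="//static.forum.example/poll.js"></SCRIPT>'),
    ])
    return conn

if __name__ == "__main__":
    targets = [("posts", "id", "body")]
    for table, row_id, host in scan_content_tables(build_sample_db(), targets):
        print(f"{table} row {row_id}: script loaded from {host}")
```
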
August 6th, 2008, 22:27 | #18 |
Yeah, you're right but I was more talking about the fact once you got access to the database, you can even upload some stuff in the website (yeah, that's an old hacking method).
For what you're talking about, yeah you're totally right. I didn't look at this option! But then again, you'll need to hack the database first, which is hard enough to do on a well protected website (like I already stated, I'm almost sure this website has a good/strong protection against this hacking attempt).
Edit: the Java machine can be disabled, or even restricted, on most browsers.
__________________
Aka Raptor TM M3 Shorty KJW Beretta M9 |
|
August 6th, 2008, 22:34 | #19 |
Guest
|
700,000 hacked databases on the Internet since May 23rd 2008 say otherwise. And sure, you can disable the JVM. In the process, you'll break a shitload of web content and applications. Try it sometime.
|
August 6th, 2008, 22:38 | #20 |
Damn I was not aware of this number of hacked databases. It's a big wow :|
But do you have more information on database types? (MSSQL/MySQL/mSQL/etc)
__________________
Aka Raptor TM M3 Shorty KJW Beretta M9 |
|
August 6th, 2008, 22:40 | #21 |
Guest
|
Any SQL database.
|
August 7th, 2008, 13:33 | #22 |
August 7th, 2008, 13:55 | #23 |
Uninstalling internet explorer is dangerous...
It's part of the system's core and it's very risky to uninstall it. I know some services use IE to manage things, so uninstalling it would stop them. If you have a second computer, you should try to install your first computer's hard disk into the second one, and use an antivirus to scan it. Having its OS disabled, the hard disk can be fully scanned.
Note: If you read the link to Microsoft's help carefully, you'll notice they're saying you have to reinstall another version of Internet Explorer to ensure everything works right.
__________________
Aka Raptor TM M3 Shorty KJW Beretta M9 |
|
August 7th, 2008, 14:48 | #24 |
Guest
|
Standard forensic methodology here. As EV states above, you can either mount the drive on another system and run an AV scan, or you can boot to a Linux toolkit and run AV from there.
In my experience, best not to uninstall IE. Just keep your machine updated via Windows Update, and don't forget about the applications like Adobe, Flash and others. They can make you just as vulnerable. I have IE on all my machines. However, it almost never gets used, unless I have no option but to use it because the site *requires* ActiveX shit to work. There are very few sites that I'll use where they require that shit, but every now and then it's unavoidable.
CG - if you got it, then got it again, you're either unpatched or doing something wrong.
August 7th, 2008, 16:32 | #25 |
Scotty aka harleyb
|
I've done a crapload of investigation about this attack and how it spreads, and it seems to be limited to SQL servers supporting T-SQL; no, ASC running MySQL is not vulnerable to this attack.
__________________
|
August 7th, 2008, 17:03 | #26 |
Good! Too bad I don't only visit ASC, lol.
So regular virus protection should pick this up, if updated? |
|
August 7th, 2008, 17:10 | #27 |
As usual!
But the best antivirus I've ever seen is to pull the keyboard and mouse's cable lol :P
__________________
Aka Raptor TM M3 Shorty KJW Beretta M9 |
|
August 7th, 2008, 17:25 | #28 |
lol, I'd say the internet cable
|
|
August 7th, 2008, 18:58 | #29 |
I'm using Symantec, should be good... right?
|
|
August 7th, 2008, 19:08 | #30 |
Yeah it's good, but Norton 360 (I think that's what you're talking about?) is decreasing the computer's performance. Most people install Kaspersky/NOD32/Avast/and some other names I can't remember!
But yeah, it's doing the job
__________________
Aka Raptor TM M3 Shorty KJW Beretta M9 |
|