August 6th, 2008, 16:49 | #1 |
Guest
SQL Injection mass attack
Not sure who to bring this to, so I thought I'd post it here in General to ensure it gets the admin's attention.
There is currently a mass attack taking place against millions of internet databases serving content to ASP and PHP powered websites. Thus far, over 700,000 web servers have been compromised. The result of a compromise is the injection of code into active content tables which will initiate a cross-site scripting call to one of dozens of sites in Russia. The result of the cross-site scripting call is the download and execution of malicious javascript; the javascript then installs a downloader which will download the ASPROX virus. No interaction is required by the end user, who by all accounts is visiting a trusted web site.

The ASPROX virus serves two major purposes. First, it seeks out and attacks additional databases, usually sites that the infected user is visiting. Attacks may be persistent, i.e. over many months, until the virus eventually finds and exploits a vulnerable application, function or table. Secondly, the ASPROX virus installs a "BOT" on the end user's computer. The Bot becomes part of the ASPROX BOTNET. The ASPROX BOTNET's primary usage is to facilitate ROCK PHISH attacks against multiple financial institutions.

Based on the database errors I've seen occurring on this site recently, it is my belief that this site is being targeted by the Asprox virus. If there is a vulnerability anywhere within the site's application code, the virus will eventually exploit it. Exploitation may result in collateral infection of the entire ASC user community.

To the ADMINS: Please check your sql logs for evidence of multiple stacked SQL statements using CAST method and followed by a long string of Base64 characters. Additionally, please ensure you've updated to the latest version of the board software to ensure there are no application vulnerabilities to exploit.

To the USERS: Please ensure your antivirus software is up to date, and that you are running regular scans.

FYI if you wind up with the ASPROX virus on your machine, you will be an unwilling participant in international criminal activity. Oh, it will also keylog the fuck out of you, so you'll probably lose most of your personal information in the process. Enjoy.

More information on the ASPROX virus: http://technology.timesonline.co.uk/...cle4381034.ece

Last edited by MadMorbius; August 6th, 2008 at 16:56.
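The log check asked of the admins in the post above, sketched as an added example that is not part of the original post or the board's software: it flags request-log lines that combine a stacked statement, a CAST call and a long encoded run. The log format, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# ';' followed by a new SQL verb = stacked statement ('+' may stand in for a space).
STACKED = re.compile(r";[\s+]*(declare|set|exec|execute|insert|update|delete|drop)\b", re.I)
CAST = re.compile(r"\bcast[\s+]*\(", re.I)
# 40+ characters from the Base64 alphabet; a long hex literal matches too.
ENCODED = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def score_line(line):
    """Return the indicators present in one access-log line."""
    text = line
    for _ in range(2):          # undo up to two layers of URL encoding
        text = unquote(text)
    checks = (("stacked", STACKED), ("cast", CAST), ("encoded-blob", ENCODED))
    return [name for name, rx in checks if rx.search(text)]

def suspicious(lines, threshold=2):
    """Return (line_number, indicators) for lines with >= threshold indicators.

    A single indicator is common in benign traffic (session IDs, the word
    "cast" in a search), so only combinations are reported.
    """
    found = []
    for n, line in enumerate(lines, 1):
        hits = score_line(line)
        if len(hits) >= threshold:
            found.append((n, hits))
    return found

# Constructed sample log; BLOB is inert filler (Base64 of "ABC" repeated).
BLOB = "QUJD" * 12
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Aug/2008:16:40:01] "GET /showthread.php?t=1234 HTTP/1.1" 200',
    '203.0.113.9 - - [06/Aug/2008:16:40:07] "GET /page.asp?id=5;DECLARE%20@s%20VARCHAR(4000);'
    'SET%20@s=CAST(' + BLOB + '%20AS%20VARCHAR(4000));EXEC(@s) HTTP/1.1" 500',
    '198.51.100.7 - - [06/Aug/2008:16:41:12] "GET /search.php?q=cast+iron+pan HTTP/1.1" 200',
    '198.51.100.8 - - [06/Aug/2008:16:42:30] "GET /index.php?sid=' + "ab12" * 12 + ' HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, hits in suspicious(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Lines that match should be followed up in the database itself, by looking for unexpected script tags in content tables.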
August 6th, 2008, 17:00 | #2 |
Scotty aka harleyb
TBH, ASC has had SQL problems its entire life. This is scary shit though, and I'm looking into it. Don't be surprised if ASC goes down in the near future for a security audit.
August 6th, 2008, 17:02 | #3 |
In his Trunk!
Emailed to work's IT dept...
Suggest anyone else who's ever visited ASC in the past 2-3 months at work do the same, just in case. +1 to scary shit
__________________
"War must be, while we defend our lives against a destroyer who would devour all; but I do not love the bright sword for its sharpness, nor the arrow for its swiftness, nor the warrior for his glory. I love only that which they defend: the city of the Men of Numenor, and I would have her loved for her memory, her ancientry, her beauty, and her present wisdom. Not feared, save as men may fear the dignity of a man, old and wise." - J.R.R. Tolkien |
August 6th, 2008, 17:03 | #4 | |
ASC Philosopher
Morb you know too much about computer stuff. You and some of the other brainiacs on here should drink more alcohol to kill some brain cells and level the playing field. On a related note we got a warning today at work to NOT open any e-mail with the word "POSTCARD" or any similar variation, not sure if it's different or same attack.
August 6th, 2008, 17:11 | #5 |
August 6th, 2008, 17:16 | #6 |
I run my team's site / forum...
We were hit with something similar if not this exact thing about 4 months ago. Had to switch providers and upgrade forum software. It's a real bastard because it gets into the webserver itself and infects other sites hosted on it. I'm not sure if anything can be done from a user standpoint, as in, I who rent space on a webserver am virtually powerless as I don't have access to the server backend. It can only hit certain webservers that have a particular vulnerability as I understand it. Just be wary of any redirects when you try to get to a familiar site...
August 6th, 2008, 17:50 | #7 |
Hell crap.....just when I'm trying to organize the US team for Border War II...
Thanks for the heads-up Morb. SHA DO
August 6th, 2008, 17:58 | #8 |
Scotty aka harleyb
I'm not 100% convinced that ASC is safe and secure from this, but I have confirmed that a lot of the performance issues we've been experiencing have been from phpbb forums running on the same server, being pounded by spambots.
August 6th, 2008, 18:48 | #9 |
Guest
There's a simple fix to keep spambots out. Put the entire site behind simple authentication /htaccess. Doesn't matter if it's a shared username / password, but the bots will hit the auth page and won't be able to go beyond it unless someone tells the bot the password.
Intrusive perhaps, but desperate times....note that this will also stop web crawlers from indexing the site. So if that's a problem, perhaps it's not the right solution.
August 6th, 2008, 19:19 | #10 |
It's OK, I got Vista.
August 6th, 2008, 19:21 | #11 | |
Scotty aka harleyb
August 6th, 2008, 19:24 | #12 |
I'm on a mac, I wonder if it affects us mac users...
August 6th, 2008, 19:25 | #13 |
NAAZ's #1 fan!
August 6th, 2008, 20:31 | #14 |
In his Trunk!
Put that in the "you laugh you lose" thread...
August 6th, 2008, 20:50 | #15 |