Item Search
     
BG-Wiki Search
Results 1 to 14 of 14
  1. #1
    Sea Torques
    Join Date
    Sep 2007
    Posts
    567
    BG Level
    5

    Mass hack infects tens of thousands of sites

    Much bigger than just FFXI. Interesting read for those interested on who may be behind it.

    Mass hack infects tens of thousands of sites
    Then they serve visitors multiple exploits, including October RealPlayer attack
    Gregg Keizer


    January 07, 2008 (Computerworld) -- Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend.

    Roger Thompson, the chief research officer at Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass hack," said Thompson, in a post to his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

    Symantec Corp. cited reports by other researchers -- including one identified only as "websmithrob" -- that fingered a SQL vulnerability as the common thread. "The sites [were] hacked by hacking robot by means of a SQL injection attack, which executes an iterative SQL loop [that] finds every normal table in the database by looking in the sysobjects table and then appends every text column with the harmful script," said websmithrob in a blog post. "It's possible that only Microsoft SQL Server databases were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains."

    According to websmithrob, the attack appends a JavaScript tag to every piece of text in the SQL database; the tag instructs any browser that reaches the site to execute the script hosted on the malicious server.

    Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center (ISC) reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA Inc.'s Web site had been infected.

    Grisoft's Thompson said that his research had identified a 15-month-old vulnerability as one of those exploited by the attack code. The exploit, he said, targeted the MDAC (Microsoft Data Access Components) bug patched in April 2006 with the MS06-014 security update. "They went to the trouble of preparing a good Web site exploit, and a good mass hack but then used a moldy old client exploit. It's almost a dichotomy," said Thompson.

    Other researchers, including websmithrob and Symantec, said that the JavaScript also launched an exploit targeting a much more recent vulnerability: a RealPlayer bug that first surfaced last October. The flaw was fixed several days later by RealNetworks Inc.

    Another surprise, Thompson said, was the speed of the hack's cleanup. Although a Google search still showed thousands of sites infected with the script on Saturday, Thompson claimed that Grisoft's LinkScanner Pro tool indicated that nearly all had actually been scrubbed. "I found that really surprising [that they were cleaned so quickly]," he said in an interview via instant messaging on Sunday. "They're all so disparate. If it was a big server farm, I could understand it being cleaned so quickly, but there doesn't seem to be anything common about them all."

    The ISC updated its alert Sunday, saying another round of SQL injection attacks had infected sites with a script referring to a different malicious server. When asked to examine the second domain, Thompson confirmed that it was serving up the same malicious JavaScript as the first. However, many of those sites -- which as of this morning numbered more than 93,000, according to a quick Google search -- had not been cleaned.

    "It looks like a bunch of these are still carrying the references to [the malicious domain] but not infectively," said Thompson. "In other words, they're still hacked, but the injection hasn't worked properly."

    Microsoft was not immediately available for comment on the SQL Server vulnerability used by the mass hack.
    If this is inappropriate please delete or move it. I just thought it may be of interest to some people.

  2. #2
    Bagel
    Join Date
    Sep 2007
    Posts
    1,397
    BG Level
    6
    FFXI Server
    Valefor

    Re: Mass hack infects tens of thousands of sites

    Microsoft was not immediately available for comment on the SQL Server vulnerability used by the mass hack.
    A poor choice of words at best - this is really a website vulnerability. Each of those 70,000 sites are written poorly enough that a clever user can write SQL code into textboxes (and more) in such a way as to have it interpreted as code instead of as text. Well-written sites validate input, checking that it only contains harmless characters such as a-z and 0-9, before processing.

    While abusing the sysobjects table is cute, it's nothing that a good programmer couldn't have nipped in the bud.

    On an FFXI-related note, SQL injection was used to insert the javascript hack onto somepage, so the article is fairly relevant

  3. #3
    Sea Torques
    Join Date
    Sep 2007
    Posts
    567
    BG Level
    5

    Re: Mass hack infects tens of thousands of sites

    I was more interested in the sheer volume of sites that were infected (but as you rightfully pointed out their own site security was insufficient). At first it appeared to be a handful of FFXI related sites but people could have been infected on just about any non-ffxi related site and not have known. Talk about barking up the wrong tree (somepage/ffxiah).

  4. #4
    Chram
    Join Date
    Jan 2006
    Posts
    2,341
    BG Level
    7

    Re: Mass hack infects tens of thousands of sites

    meh.

  5. #5
    Salvage Bans
    Join Date
    Apr 2005
    Posts
    939
    BG Level
    5

    Re: Mass hack infects tens of thousands of sites

    Ohh yay SQL Injection... kinda depressing so many sites were hit by such an easy attack.

  6. #6
    Banned.

    Join Date
    Oct 2006
    Posts
    10,115
    BG Level
    9

    Re: Mass hack infects tens of thousands of sites

    Weren't SQL injections the "in" thing like 5 years ago?


    Edit: Or like 8 <_<;

  7. #7
    Chram
    Join Date
    Jan 2006
    Posts
    2,341
    BG Level
    7

    Re: Mass hack infects tens of thousands of sites

    Quote Originally Posted by Tajin
    Weren't SQL injections the "in" thing like 5 years ago?


    Edit: Or like 8 <_<;
    Pretty Much.

  8. #8
    Bagel
    Join Date
    Sep 2007
    Posts
    1,397
    BG Level
    6
    FFXI Server
    Valefor

    Re: Mass hack infects tens of thousands of sites

    Quote Originally Posted by Builttolast
    I was more interested in the sheer volume of sites that were infected (but as you rightfully pointed out their own site security was insufficient). At first it appeared to be a handful of FFXI related sites but people could have been infected on just about any non-ffxi related site and not have known. Talk about barking up the wrong tree (somepage/ffxiah).
    Nah, if you were infected on some random porn site, the culprits (people on the receiving end of your shiny new keylogger) wouldn't be gilsellers. They would be some guys looking for information that could be used for some more serious identity theft, such as credit card or banking info.

  9. #9
    the whitest knight u' know
    Join Date
    May 2006
    Posts
    15,485
    BG Level
    9
    FFXIV Character
    Miya Kai
    FFXIV Server
    Excalibur

    Re: Mass hack infects tens of thousands of sites

    lolRealPlayer...

  10. #10
    The Wang
    Join Date
    Jun 2006
    Posts
    1,343
    BG Level
    6
    FFXIV Character
    Furt Wangler
    FFXIV Server
    Coeurl
    FFXI Server
    Sylph

    Re: Mass hack infects tens of thousands of sites

    Ever since I got windows xp from building my own computer I have never touched realplayer since. I grew to hate it from my old Acer windows 95 machine I had previously, kinda happy I abandoned it way back when, along with IE like 3 years ago.

  11. #11
    Fake Numbers
    Join Date
    Jul 2006
    Posts
    92
    BG Level
    2
    FFXI Server
    Lakshmi
    WoW Realm
    Tichondrius

    Re: Mass hack infects tens of thousands of sites

    From what I can see on Google, 200k infected.

  12. #12
    2600klub
    I donated 5 bucks and all I got was this shitty title from Zet

    Join Date
    Jun 2007
    Posts
    2,688
    BG Level
    7
    FFXI Server
    Ragnarok

    Re: Mass hack infects tens of thousands of sites

    Quote Originally Posted by miokomioko
    lolRealPlayer...

  13. #13
    Salvage Bans
    Join Date
    Jun 2007
    Posts
    808
    BG Level
    5
    FFXI Server
    Odin

    Re: Mass hack infects tens of thousands of sites

    Quote Originally Posted by Builttolast
    Hacked sites included both .edu and .gov domains,
    isnt hacking the government like brbfbi shit?

  14. #14
    Nidhogg
    Join Date
    Apr 2006
    Posts
    3,562
    BG Level
    7

    Re: Mass hack infects tens of thousands of sites


Similar Threads

  1. Another Set of Questions of Attestation NMs
    By Kiyara in forum FFXI: Everything
    Replies: 0
    Last Post: 2009-10-20, 01:00
  2. Treasures of Afghanastan official site
    By Lordwafik in forum FFXI: Everything
    Replies: 39
    Last Post: 2005-11-28, 03:50