back to article Security gumshoes locate source of mystery web compromise

The source of the mystery infection of more than 10,000 websites back in January has been uncovered. Thousands of legitimate websites were compromised at the start of the year to serve up malware. It seemed that the exploitation of SQL Injection vulnerabilities was involved in the automated attacks. The precise mechanism was …

COMMENTS

This topic is closed for new posts.
  1. Matthew

    Err...

    Twelve Monkeys, I think you'll find.

  2. Anonymous Coward
    Paris Hilton

    Umm..

    Perhaps it's Twelve Monkees?

    Paris because:

    Bruce Willis was in Twelve Monkeys

    Bruce Willis was in Rugrats Go Wild (2003) with Elizabeth Daily

    Elizabeth Daily was in Pledge This! (2006) with Paris Hilton

    via oracleofbacon.org

  3. Anonymous Coward
    Coat

    Twelve Monkies

    He may have been referring to a completely unrelated Shaolin Kung Fu movie

  4. Nicholas Moore

    Twelve Monkeys

    I love the way John has linked to a page all about the film, yet still manages to misspell the films title!

  5. Matt

    SQL injection

    If you use stored procedures and don't give the web site user access to the raw tables there can be no SQL injection!

  6. Sarah Bee (Written by Reg staff)

    Re: Twelve Monkeys

    I love the way you made a mistake while pointing out someone else's mistake. Grammar karma in action.

  7. Anonymous Coward
    Coat

    Grammar karma

    "I love the way you made a mistake while pointing out someone else's mistake. Grammar karma in action."

    i belive the miss take was intentional to add sat tyre to the post.....

    mine is the one with the dictionary in the pocket

  8. Anonymous Coward
    Anonymous Coward

    Gramma Karma

    Spelling and Punctuation karma, surely? ;)

    </pedant>

  9. Anonymously Deflowered
    Alert

    Grammerer Karma

    May Pedantry Karma strike you all down!

  10. Anonymous Coward
    Joke

    It's called Skitts law!

    If you correct peoples gramer you is bound to make a mishtake!

  11. Dennis
    Coat

    Re: Grammerer Karma

    Q: Who was the leader of the Pedants' Revolt?

    A: Which Tyler.

  12. Robert Forsyth

    @Matt Re: <b>SQL,</b> injection

    Not true.

    Injection can work by using a input value that is displayed (without sanitizing it).

    Say you had a comments application, that had three inputs: Title, Author, and Comment. And say when you press submit on the entry form the input values are stored verbatim, when the comment is displayed, say the author field just has "by " added to the beginning and is sent to the browser. Now say, someone inputs a script tag as the author, the browser will, instead of displaying the author, run the script.

    Stored procedures does protect you from someone replacing a password input with a SQL script select statement to get the password from the database, assuming you can get enough details of the database structure from the error messages that appear in the browser (or it is a standard structure database).

  13. Ainteenbooty
    IT Angle

    don't be lazy

    The only reliable protection against SQL-injection is sever-side validation. Check the content and length of input strings before passing along to the database. Anything less is just lazy.

  14. Anonymous Coward
    Paris Hilton

    I think you'll find it's...

    Spolling errers and grandma problems, I think you'll find!

    Paris, because of all the wonderful things she's brought to the English language.

  15. Anonymous Coward
    Anonymous Coward

    untitled

    @ Robert "little knowledge is dangerous" Forsyth

    ROFL... read a book dude...what you describe would not be an SQLi... and..

    "Stored procedures does protect you from someone blah blah blah....". Again, read a book

  16. Nicholas Moore

    @Sarah Bee

    I shall remember to use apostrophes for possession.

    I shall remember to use apostrophes for possession.

    I shall remember to use apostrophes for possession...

    And as Mark correctly pointed out, it was punctuation karma biting me on the arse :) (aka "Pedantry to the rescue!")

  17. A

    So.. what can we do?

    I've been scanning my sites for this..

    The evidence for the malware I picked up, were malicious iframe's linked to javascripts appended to every index.html and index.php (even if the name started with something else)

    grep -i -r -H -n --binary-files=without-match --colour=auto -U iframe /path/to/site/* > ~/tmp.txt && grep -i fromCharCode ~/tmp.txt > ~/results.txt

    Just delete the iframe and script code to clean your code.. don't know how to prevent it though.. anyone?

  18. Steven Knox
    Boffin

    @Nicholas - More Pedantry

    "I love the way John _has_linked_ to a page all about the film, yet _still_manages_ to misspell the films title!"

    I believe that you'll find that tense misalignment is a grammatical error. Try "has linked...has still managed" or "links...still manages" -- or follow Sara's example and use "has linked...while still managing".

    PS - Don't mess with Sara. She's the best Vulture Central's got (and surely vastly underpaid)!

    PPS - To those which hate the constant pedants' wars: I agree, but pedantry is like crack to some of us -- specifically those of us who actually cling to the horribly unlikely dream that someday humankind will create a language (or anything, for that matter) that is logically consistent and easy to use.

  19. Unlimited

    html encode

    "don't know how to prevent it though.. anyone"

    1. sanitise user input on the way in

    2. html encode it on the way out. most web languages have a function for this, e.g. php has htmlspecialchars

  20. Matt

    @Robert Forsyth

    Yes, you're right, stored procedures protect the database from the user gaining unauthorised access to the data, but they don't necessarily protect you from people inserting html it entered values.

  21. Unlimited

    @Matt

    I take it you've never seen a proc like this:

    CREATE PROCEDURE [dbo].[myproc] @sql varchar(8000)

    EXEC(@sql)

    Moral of the story: _Anything_ can be misused / written badly / insecure

  22. Doug

    I'm here about some monkeys. .. :)

    Hi John, it's me again ...

    "With the benefit of the hacker tool used to pull off the attack this all becomes much clearer, much like it was easier for scientists to unravel a cure for the mystery pandemic that blighted mankind in the Twelve Monkies after they obtained a sample of the pure source"

    No, the above is a description of an SQL injection exploit, the latter is a ludicrous plot from a movie ..

    Like, why didn't they send him back before the outbreak with a very contagious antidote virus to the first virus, that way he would have innoculate the population in advance. That way, him getting amnesia for half the picture and wandering around wondering what to do, wouldn't matter.

    Wait a minute, I have an idea, why don't SANS send someone back in time to get a sample of the original malware. I'm available and after a life time of overindulging in chemicals, is suffering from amnesia already, just wait a minute, who wrote that already, voodoo mannn ???

  23. A
    Coat

    @ Unlimited

    Ok,

    But what if you have inherited a couple of thousand php files and don't want to rewrite Invision Power Board.. for a non-profit org where you volunteer..

    should be an option in apache

    mod_xss disable

    mod_sqli disable

    mod_malware disable

    mines the lazy Nehru Jacket..

  24. Brian Miller

    But the scientists didn't find a cure...

    They tried to have James Cole kill the end-of-world microbiologist who originally released the viruses. Remember the airport scene? Cole was gunned down, and after one of the tubes had been opened.

  25. Unlimited

    @A

    You may want to look into mod_security

    http://www.modsecurity.org/projects/modsecurity/apache/index.html

  26. A
    Happy

    Hey Thanks!

    Thats just what I was looking for, will have to learn it, use it, and spread it myself!

    Thank you very much.

This topic is closed for new posts.