back to article Mass infection turns websites into exploit launch pads

Malicious hackers have managed to infect about 57,000 web pages with a potent exploit cocktail that targets a variety of vulnerable applications to surreptitiously install malware on visitor machines. The exploits install an assortment of nasty software, including Gologger, a keystroke logging trojan, and a backdoor that …


This topic is closed for new posts.
  1. Nobody 2

    exploit of systems not updated

    now I'm now guru but according to netcraft the vast majority of the domains listed in the google link seem to have been updated today 24AUG09 from Microsoft-IIS/5.0 to something different.

    When I say something different I'm not pulling out the usual "linux aint infected" lark as the initial report doesnt seem to indicate exactly what platform the exploit is targeting - what I'm saying is make yer own mind up - whilst its possible to munge the server agent string a lot of these domains seem to have changed hosting providers as well - today!

    lastly, not posting very often it would be nice to know who the feck stole my original "nobody" handle. ta.

  2. Anonymous Coward
    Anonymous Coward

    Clarification Required

    Which browsers/operating systems does this affect?

  3. Disco-Legend-Zeke

    Now that the army....

    has a cyber squad, on hopes they will be sharpening their bayonets in exploits like this.

  4. gollux

    So, did...

    HackerSafe catch any of these flaws? I had a guy wrangling me for nearly half an hour on how it can walk on water. Inquiring minds want to know.

  5. Mike007

    sql injection?

    seriously... how the hell can anyone still have SQL injection issues? nearly every database library for every platform supports parameterised queries, so why are people *still* not using them?

    and even the handful of database libraries that don't support them, it's not hard to write a quick function to implement it, which not only protects all of your queries but also makes them simpler (as there's no need to escape your parameters every time - although clearly these people still building their query strings manually don't bother with that anyway!)

  6. Anonymous Coward


    Erm, We were running Win2003 Server & SQL Server 2005 (patched to the hilt) and got hit with 7.5M entries in our database (before we hit STOP!!) a couple of weeks back (the same day Facebook and {another large website - forget who} died).

    I havn't looked into the Website code to see how "well" it was constructed.

    Restored ok though and were back up next day.

    AC for obvious reasons.

  7. Bod

    Any platform

    Before the smug lot turn up, it's important to stress that SQL injection attacks affect any platform, any form of SQL, whether you're on IIS, Apache, using ASP, PHP, or "whatever". It's not SQL either that's at fault, it's simply sloppy coding on the web application side that isn't checking and formatting data correctly before it goes into an SQL query.

    Again another reason why today's slew of "I've got a degree in Media/Web/Business" developers should be given managed and protective high level development platforms to develop on. We can't stop the flow of sloppy developers, so we need to protect everyone else from the mess they create by preventing them doing anything dodgy.

  8. adnim


    it is time to make website owners liable for any inadequate security and configuration issues of their sites which result in damage to connecting systems. Making laws for criminals to abide by just doesn't work.

  9. Anonymous Coward
    Unhappy seems to have vanished from DNS

    At least where I am anyway. Pity , because I wanted to have a look at the code to see how it worked.

  10. Anonymous Coward

    SQL Injection still largely possible because clueless(1) web developers keep coding embedded SQL in their pages which concatenate together values to generate a SQL string that gets passed back to the DB server for execution.

    This would become a far less common vulnerability if developers took just a tiny bit more time to code SQL using typed/bound parameters(2) passed to back end stored statements(3). This simple technique eliminates the possibility in the majority of cases of extra SQL being surresptitiously slipped into the statement at prepare time.

    (1) Actually thats not entirely fair - most guys out there DO have a clue, which is why its all the more frustrating that this is such a common vulnerability. Often its down to the ridiculous timescales given to implement projects.

    (2) Type parameters force the SQL client to validate whats being assigned to the parameter. If you've defined a numeric parameter for instance, its impossible to force extra text - ie an additional WHERE clause - into the value in an attempt to corrupt the statement.

    (3) Stored statements combine with typed/bound parameters eliminate the possibility of tricking the SQL into returning extra fields.

  11. BlueGreen

    @adnim: seconded

    and if they all stopped using javascript/flash/silverlight/other RIA crap unless their £$%^ing website intrinsically *needed* it and could not do its job without it, we'd all be safer and organised crime poorer.

  12. LewFoo

    Inferior People...

    ...should not be employed.

    This is what happens when businesses all over the freekin' planet continue to hire pimply faced drooling trolls at cut-rate salaries who taught themselves PHP in their parents' basement between sleepless bouts of Warcraft and Wolfenstein, instead of hiring highly skilled (and guess what? more expensive!) university trained degreed professional software engineers who've been trained to think past next week's paycheck.

    It is axiomatic that you get what you pay for.

  13. Anonymous Coward

    Not SQL injection (or certainly not only)

    The sites I have seen infected have ALL been done through FTP.

    The hack typically defaces the default/index page of the site, no database data is changed. And I have seen pure static HTML sites infected - not SQL injection issues there!

    It seems more likely to me that the FTP details are obtained from hacked client machines, as there has been no discernible pattern of the sites that get hit - they are spread over multiple servers, on multiple hosts, but the vast majority of other sites on the same servers are fine, despite running exactly the same applications on them.

    Locking down FTP by IP address prevents reinfection in all cases I have seen.

  14. Bod


    Businesses these days tend to hire cheap outsourcing or foreigners looking for a visa to work in the UK, all of which have degrees from high turnover tech universities overseas (e.g. India).

    In my experience of these situations almost all of them have been rubbish. I'm guessing the degrees are more like business degrees where they try to teach VBA to Excel students and that qualifies them to write software!

    Recruitment these days is a nightmare too as not only are the businesses looking for cheap labour, but the agents are pushing cheap labour at inflated prices to take a bigger cut. It's amazing just how few applications for IT jobs these days are actually home grown and I suspect it's more down to agents than the proportion of candidates applying.

This topic is closed for new posts.

Other stories you might like