J_RaD
msg:4151404 | 8:11 pm on Jun 11, 2010 (gmt 0) |
WSJ seems to be running fine.
lets also be clear on something
that the attack doesn't exploit any vulnerability in IIS, but instead is an attack against third-party Web applications
|
|
They arn't attacking IIS, so no everyone running IIS doesn't need to have a heart attack.
|
marcel
msg:4151405 | 8:14 pm on Jun 11, 2010 (gmt 0) |
Fortunately, it doesn't seem to be an IIS attack, but an SQL injection attack.
I'm still trying to find out which third party software is affected, when I check the attack code:
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe%20@s%20vArChAr(8000)
%20sEt%20@s=0x6445634C6152652040742076...
...6F523B2D2D%20eXEc(@s)– 80 – 121.xx.#*$!.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) –
- www.example.com 200 0 0 32068 1685 0 |
|
I see a number of 'utm_' query string parameters, which seem to point to Google Analytics and Feedburner...
or am I looking in the wrong direction? [edited by: marcel at 8:24 pm (utc) on Jun 11, 2010]
|
Future
msg:4151409 | 8:23 pm on Jun 11, 2010 (gmt 0) |
threatpost.com only this site reported the incident, cannot re-confirm anywhere yet ?
|
Vamm
msg:4151413 | 8:29 pm on Jun 11, 2010 (gmt 0) |
Yeah positive confirmation. Just google for an url to which the target redirects, be careful though. I suppose specifics would be no go here as it is basically live malware.
|
Brett_Tabke
msg:4151430 | 9:14 pm on Jun 11, 2010 (gmt 0) |
analysis of the attack:
[blog.sucuri.net...]
|
aleksl
msg:4151455 | 10:05 pm on Jun 11, 2010 (gmt 0) |
I concur, we'were attacked, but they didn't get through. This is a classic sql injection. It is a 64-bit encoded string that executes Microsoft SQL server script. They append their own string to every character field in your database.
We were hit by almost identical attack 2 years ago, when we were unprepared. But the script is "lazy" enough that it'll just append everywhere...which leads me to believe they are there for collateral damage.
You'd need a database scan script to look through all character fields if your DB is large enough.
|
Sgt_Kickaxe
msg:4151463 | 10:27 pm on Jun 11, 2010 (gmt 0) |
| Anyone running IIS should make sure they are safe. |
|
I'd suggest that the "attacker" probably made a mistake with his/her execution given that it is aimed at an ad agency. Having everyone's site telling them it's infected serves no purpose. On the other hand replacing ads on your site with ads that convert for the hacker is extremely profitable which was probably the goal.
Patch, move on, this isn't nearly as malicious an attack as others that get/got very little press. The sky isn't falling, only IIS's reputation is.
This was more like an Amber Alert (very alarming title) given the minor damage potential.
|
Vamm
msg:4151470 | 10:49 pm on Jun 11, 2010 (gmt 0) |
I still cannot figure out what is the actual affected software.
|
johnnie
msg:4151496 | 11:25 pm on Jun 11, 2010 (gmt 0) |
Just check my logs, luckily I have not been attacked.
|
aleksl
msg:4151501 | 11:38 pm on Jun 11, 2010 (gmt 0) |
Vamm, there's no "list of affected software". It is a SQL injection, and your software either has an issue, or not. The problem is every form and every dynamic parameter that is used on a page can be a vulnerability. And even if you had software that was tested, and added modifications, you may have introduced a vulnerability yourself.
If you are affected:
The quick-and-dirty way to protect yourself is deny all permissions on Sys* database tables (and other sys* objects) to SQL server user that is used by your web application.
You may have to modify some queries, such as start doing "Select count(*)" again instead of hitting sys tables to get record counts. Small price to pay for security.
|
maximillianos
msg:4151513 | 12:25 am on Jun 12, 2010 (gmt 0) |
Does IIS have a way to do rewrite rules like in apache? We added some rules to our httpd.conf last year to thwart sql injections.
|
Vamm
msg:4151584 | 6:35 am on Jun 12, 2010 (gmt 0) |
Really, I got confused by some comments along the line of "specific third party ad script", and also utm_whatever in the request, thought it would be specifically targeted. Apparently this is not the case.
|
blend27
msg:4151715 | 5:02 pm on Jun 12, 2010 (gmt 0) |
| Does IIS have a way to do rewrite rules like in apache? |
|
Yes, There is a IIS URL Rewrite Module for IIS7 and up, native from IIS.net. For IIS6 and below there are several other alternavivs such as ISAPIRewrite.
|
|
