
Microsoft IIS Web Server and ASP.NET Forum

Mass IIS attack under way
Mass SQL Injection Attack Hits Sites Running IIS 10,000+ sites affected

 7:17 pm on Jun 11, 2010 (gmt 0)


There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now.

Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites.

Some high profile sites hit, The Wall Street Journal among them.

Anyone running IIS should make sure they are safe.

Analysis of attack

[edited by: Brett_Tabke at 1:45 pm (utc) on Jun 12, 2010]
[edit reason] added sucuri.net link [/edit]



 8:11 pm on Jun 11, 2010 (gmt 0)

WSJ seems to be running fine.

Let's also be clear on something:

that the attack doesn't exploit any vulnerability in IIS, but instead is an attack against third-party Web applications

They aren't attacking IIS, so no, everyone running IIS doesn't need to have a heart attack.


 8:14 pm on Jun 11, 2010 (gmt 0)

Fortunately, it doesn't seem to be an IIS attack, but an SQL injection attack.

I'm still trying to find out which third-party software is affected. When I check the attack code:
2010-06-07 13:31:15 W3SVC1 webserver GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100200′;dEcLaRe%20@s%20vArChAr(8000)
...6F523B2D2D%20eXEc(@s) 80 121.xx.#*$!.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)
- www.example.com 200 0 0 32068 1685 0

I see a number of 'utm_' query string parameters, which seem to point to Google Analytics and Feedburner...
or am I looking in the wrong direction?

[edited by: marcel at 8:24 pm (utc) on Jun 11, 2010]
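
An added example, not part of the thread: a log scanner that flags requests like the one quoted above by percent-decoding `cs-uri-query` and looking for the `declare @var varchar` and `exec(@var)` tokens regardless of letter case. The rule names, the hex-run heuristic, the two-indicator threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators from the request quoted above: a T-SQL variable declaration and
# exec(@var) inside a query string. The hex-run rule is an added heuristic.
RULES = {
    "declare-var": re.compile(r"declare\s+@\w+\s+n?varchar", re.I),
    "exec-var": re.compile(r"exec\s*\(\s*@\w+\s*\)", re.I),
    "hex-blob": re.compile(r"(?:0x)?[0-9a-f]{24,}", re.I),
}

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Yield (line_no, client_ip, uri_stem, matched_rules) per suspicious request."""
    fields = []
    for no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = decode(row.get("cs-uri-query", "-"))
        hits = sorted(name for name, rx in RULES.items() if rx.search(query))
        # A single indicator is noisy (session tokens are often long hex),
        # so require two before flagging.
        if len(hits) >= 2:
            yield no, row.get("c-ip", "-"), row.get("cs-uri-stem", "-"), hits

# Constructed sample log (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2010-06-07 13:31:10 GET /page.aspx utm_source=campaign&utm_medium=banner 80 192.0.2.10 200
2010-06-07 13:31:15 GET /page.aspx utm_content=100200';dEcLaRe%20@s%20vArChAr(8000)%200x53414D504C4553414D504C45%20eXEc(@s) 80 198.51.100.7 200
2010-06-07 13:31:20 GET /page.aspx id=1%2527%253BdEcLaRe%2520@s%2520vArChAr(8000)%253BeXEc(@s) 80 198.51.100.7 500
2010-06-07 13:31:25 GET /img.aspx token=0123456789abcdef0123456789abcdef 80 192.0.2.11 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged line with status 200 only shows the request was served; whether the injected statement ran still has to be checked in the database.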


 8:23 pm on Jun 11, 2010 (gmt 0)

threatpost.com: only this site reported the incident, cannot re-confirm anywhere yet?


 8:29 pm on Jun 11, 2010 (gmt 0)

Yeah, positive confirmation. Just google for a URL to which the target redirects, be careful though. I suppose specifics would be a no-go here as it is basically live malware.


 9:14 pm on Jun 11, 2010 (gmt 0)

analysis of the attack:



 10:05 pm on Jun 11, 2010 (gmt 0)

I concur, we were attacked, but they didn't get through. This is a classic SQL injection. It is a 64-bit encoded string that executes Microsoft SQL Server script. They append their own string to every character field in your database.

We were hit by an almost identical attack 2 years ago, when we were unprepared. But the script is "lazy" enough that it'll just append everywhere... which leads me to believe they are there for collateral damage.

You'd need a database scan script to look through all character fields if your DB is large enough.


 10:27 pm on Jun 11, 2010 (gmt 0)

Anyone running IIS should make sure they are safe.

I'd suggest that the "attacker" probably made a mistake with his/her execution given that it is aimed at an ad agency. Having everyone's site telling them it's infected serves no purpose. On the other hand replacing ads on your site with ads that convert for the hacker is extremely profitable which was probably the goal.

Patch, move on, this isn't nearly as malicious an attack as others that get/got very little press. The sky isn't falling, only IIS's reputation is.

This was more like an Amber Alert (very alarming title) given the minor damage potential.


 10:49 pm on Jun 11, 2010 (gmt 0)

I still cannot figure out what is the actual affected software.


 11:25 pm on Jun 11, 2010 (gmt 0)

Just check my logs, luckily I have not been attacked.


 11:38 pm on Jun 11, 2010 (gmt 0)

Vamm, there's no "list of affected software". It is a SQL injection, and your software either has an issue, or not. The problem is every form and every dynamic parameter that is used on a page can be a vulnerability. And even if you had software that was tested, and added modifications, you may have introduced a vulnerability yourself.

If you are affected:

The quick-and-dirty way to protect yourself is to deny all permissions on Sys* database tables (and other sys* objects) to the SQL Server user that is used by your web application.

You may have to modify some queries, such as start doing "Select count(*)" again instead of hitting sys tables to get record counts. Small price to pay for security.


 12:25 am on Jun 12, 2010 (gmt 0)

Does IIS have a way to do rewrite rules like in apache? We added some rules to our httpd.conf last year to thwart sql injections.


 6:35 am on Jun 12, 2010 (gmt 0)

Really, I got confused by some comments along the line of "specific third party ad script", and also utm_whatever in the request, thought it would be specifically targeted. Apparently this is not the case.


 5:02 pm on Jun 12, 2010 (gmt 0)

Does IIS have a way to do rewrite rules like in apache?

Yes, there is an IIS URL Rewrite Module for IIS7 and up, native from IIS.net. For IIS6 and below there are several other alternatives such as ISAPIRewrite.
