Mass IIS attack under way

Mass SQL Injection Attack Hits Sites Running IIS 10,000+ sites affected


Demaestro

7:17 pm on Jun 11, 2010 (gmt 0)




[threatpost.com...]

There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now.


Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites.


Some high profile sites hit, The Wall Street Journal among them.

Anyone running IIS should make sure they are safe.

Analysis of attack
[blog.sucuri.net...]

[edited by: Brett_Tabke at 1:45 pm (utc) on Jun 12, 2010]
[edit reason] added sucuri.net link [/edit]

J_RaD

8:11 pm on Jun 11, 2010 (gmt 0)




WSJ seems to be running fine.

Let's also be clear on something:


that the attack doesn't exploit any vulnerability in IIS, but instead is an attack against third-party Web applications


They aren't attacking IIS, so no, everyone running IIS doesn't need to have a heart attack.

marcel

8:14 pm on Jun 11, 2010 (gmt 0)




Fortunately, it doesn't seem to be an IIS attack, but an SQL injection attack.

I'm still trying to find out which third party software is affected, when I check the attack code:
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100200′;dEcLaRe%20@s%20vArChAr(8000)
%20sEt%20@s=0x6445634C6152652040742076...
...6F523B2D2D%20eXEc(@s) 80 121.xx.#*$!.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)
- www.example.com 200 0 0 32068 1685 0

I see a number of 'utm_' query string parameters, which seem to point to Google Analytics and Feedburner...
or am I looking in the wrong direction?

[edited by: marcel at 8:24 pm (utc) on Jun 11, 2010]
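A defender's way to triage IIS W3C log lines for the pattern quoted above, as an added example that is not code from marcel's post or from any tool mentioned in the thread. The two log lines and the hex literal are constructed samples (the hex encodes a harmless string, not the real payload), and the field positions assume the default W3C layout seen in the quoted line.

```python
import re
from urllib.parse import unquote

# Constructed sample: the hex literal encodes this harmless string, not the real script.
SAMPLE_PAYLOAD_SQL = "SELECT 'constructed sample' -- not the real script"
SAMPLE_HEX = SAMPLE_PAYLOAD_SQL.encode("ascii").hex().upper()

# Constructed IIS W3C log lines modelled on the one quoted in the thread.
SAMPLE_LINES = [
    "2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx "
    "utm_source=campaign&utm_content=100200%27;dEcLaRe%20@s%20vArChAr(8000)"
    f"%20sEt%20@s=0x{SAMPLE_HEX}%20eXEc(@s) 80 - 203.0.113.5 HTTP/1.1 Mozilla/4.0 "
    "- www.example.com 200 0 0 32068 1685 0",
    "2010-06-07 13:31:16 W3SVC1 webserver 192.168.1.10 GET /page.aspx "
    "utm_source=newsletter&utm_medium=email 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0 "
    "- www.example.com 200 0 0 1200 400 0",
]

# Fingerprint of this campaign: DECLARE @x VARCHAR(n) SET @x=0x... EXEC(@x).
# The attacker mixes case (dEcLaRe, eXEc) to slip past naive keyword filters,
# so the match must be case-insensitive and run on the URL-decoded query.
INJECTION_RE = re.compile(
    r"declare\s+@\w+\s+varchar\s*\(\s*\d+\s*\)\s*;?\s*set\s+@\w+\s*=\s*0x([0-9a-f]+)"
    r"\s*;?\s*exec\s*\(\s*@\w+\s*\)",
    re.IGNORECASE,
)


def analyse_line(line):
    """Return a finding dict for an injected request, or None for a clean line."""
    fields = line.split()
    if len(fields) < 11:
        return None
    # Assumed default W3C field order: fields[7] is cs-uri-query, fields[10] is c-ip.
    query = unquote(fields[7])
    m = INJECTION_RE.search(query)
    if not m:
        return None
    try:
        # The hex literal is a VARCHAR, i.e. single-byte text; latin-1 never fails.
        decoded_sql = bytes.fromhex(m.group(1)).decode("latin-1")
    except ValueError:  # odd-length or otherwise malformed hex run
        decoded_sql = None
    return {"timestamp": f"{fields[0]} {fields[1]}", "client_ip": fields[10],
            "uri": fields[6], "decoded_sql": decoded_sql}


def scan_lines(lines):
    """Run the check over a log and collect the findings."""
    return [hit for hit in map(analyse_line, lines) if hit is not None]
```

Decoding the hex literal shows exactly what would have been handed to EXEC, which is what to look for in the database afterwards.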

Future

8:23 pm on Jun 11, 2010 (gmt 0)




Only threatpost.com has reported the incident; I cannot re-confirm it anywhere yet?

Vamm

8:29 pm on Jun 11, 2010 (gmt 0)




Yeah, positive confirmation. Just google for a URL to which the target redirects; be careful though. I suppose specifics would be a no-go here as it is basically live malware.

Brett_Tabke

9:14 pm on Jun 11, 2010 (gmt 0)




Analysis of the attack:

[blog.sucuri.net...]

aleksl

10:05 pm on Jun 11, 2010 (gmt 0)



I concur, we were attacked, but they didn't get through. This is a classic SQL injection. It is a 64-bit encoded string that executes a Microsoft SQL Server script. They append their own string to every character field in your database.

We were hit by an almost identical attack 2 years ago, when we were unprepared. But the script is "lazy" enough that it'll just append everywhere... which leads me to believe they are there for collateral damage.

You'd need a database scan script to look through all character fields if your DB is large enough.

Sgt_Kickaxe

10:27 pm on Jun 11, 2010 (gmt 0)




Anyone running IIS should make sure they are safe.


I'd suggest that the "attacker" probably made a mistake with his/her execution given that it is aimed at an ad agency. Having everyone's site telling them it's infected serves no purpose. On the other hand replacing ads on your site with ads that convert for the hacker is extremely profitable which was probably the goal.

Patch, move on, this isn't nearly as malicious an attack as others that get/got very little press. The sky isn't falling, only IIS's reputation is.

This was more like an Amber Alert (very alarming title) given the minor damage potential.

Vamm

10:49 pm on Jun 11, 2010 (gmt 0)




I still cannot figure out what is the actual affected software.

johnnie

11:25 pm on Jun 11, 2010 (gmt 0)




Just checked my logs; luckily I have not been attacked.

aleksl

11:38 pm on Jun 11, 2010 (gmt 0)



Vamm, there's no "list of affected software". It is a SQL injection, and your software either has an issue or it doesn't. The problem is that every form and every dynamic parameter that is used on a page can be a vulnerability. And even if you had software that was tested, and added modifications, you may have introduced a vulnerability yourself.

If you are affected:

The quick-and-dirty way to protect yourself is to deny all permissions on Sys* database tables (and other sys* objects) to the SQL Server user that is used by your web application.

You may have to modify some queries, such as start doing "Select count(*)" again instead of hitting sys tables to get record counts. Small price to pay for security.

maximillianos

12:25 am on Jun 12, 2010 (gmt 0)




Does IIS have a way to do rewrite rules like in apache? We added some rules to our httpd.conf last year to thwart sql injections.

Vamm

6:35 am on Jun 12, 2010 (gmt 0)




Really, I got confused by some comments along the lines of "specific third party ad script", and also by the utm_whatever in the request, and thought it would be specifically targeted. Apparently this is not the case.

blend27

5:02 pm on Jun 12, 2010 (gmt 0)




Does IIS have a way to do rewrite rules like in apache?


Yes, there is an IIS URL Rewrite Module for IIS7 and up, native from IIS.net. For IIS6 and below there are several other alternatives, such as ISAPIRewrite.