
Mass IIS attack under way

Mass SQL Injection Attack Hits Sites Running IIS: 10,000+ sites affected
7:17 pm on Jun 11, 2010 (gmt 0)

Senior Member



[threatpost.com...]

There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now.


Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites.


Some high-profile sites were hit, The Wall Street Journal among them.

Anyone running IIS should make sure they are safe.

Analysis of attack
[blog.sucuri.net...]

[edited by: Brett_Tabke at 1:45 pm (utc) on Jun 12, 2010]
[edit reason] added sucuri.net link [/edit]

8:11 pm on June 11, 2010 (gmt 0)

Senior Member



WSJ seems to be running fine.

Let's also be clear on something:


that the attack doesn't exploit any vulnerability in IIS, but instead is an attack against third-party Web applications


They aren't attacking IIS, so no, everyone running IIS doesn't need to have a heart attack.
8:14 pm on June 11, 2010 (gmt 0)

Senior Member



Fortunately, it doesn't seem to be an IIS attack, but an SQL injection attack.

I'm still trying to find out which third-party software is affected; when I check the attack code:
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100200';dEcLaRe%20@s%20vArChAr(8000)
%20sEt%20@s=0x6445634C6152652040742076...
...6F523B2D2D%20eXEc(@s) 80 121.xx.#*$!.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)
- www.example.com 200 0 0 32068 1685 0

I see a number of 'utm_' query string parameters, which seem to point to Google Analytics and Feedburner...
or am I looking in the wrong direction?

[edited by: marcel at 8:24 pm (utc) on Jun 11, 2010]
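Added detection example (written here, not code from the post or from any project) that applies the shape of the request quoted above to IIS W3C log entries: it URL-decodes and case-folds the query string, matches the DECLARE/SET @s=0x.../EXEC(@s) pattern, names the parameter at the injection point and decodes the hex blob. The log lines, client addresses and hex payload are constructed, not the poster's.

```python
import re
from urllib.parse import unquote

# Constructed sample payload (not the attacker's): same DECLARE/SET @s=0x.../EXEC(@s)
# shape as the request quoted in the thread, but the hex decodes to a harmless stand-in.
DECODED_SAMPLE = "dEcLaRe @t vArChAr(255) sEt @t='constructed'--"
SAMPLE_HEX = DECODED_SAMPLE.encode("ascii").hex().upper()

# Constructed IIS W3C log excerpt: one injected request, one clean request.
SAMPLE_LOG = f"""#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs-version cs(User-Agent) cs(Cookie) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_content=100200';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x{SAMPLE_HEX}%20eXEc(@s) 80 203.0.113.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - www.example.com 200 0 0 32068 1685 0
2010-06-07 13:31:16 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=newsletter&utm_content=100201 80 198.51.100.9 HTTP/1.1 Mozilla/5.0 - www.example.com 200 0 0 31000 500 0
"""

# Applied to the URL-decoded, lower-cased query, so %20 and mIxEd-cAsE do not evade it.
SQLI_RE = re.compile(
    r"declare\s+@(\w+)\s+n?varchar\s*\(\s*\d+\s*\)"      # DECLARE @s VARCHAR(8000)
    r".*?set\s+@\1\s*=\s*0x((?:[0-9a-f]{2})+)"           # SET @s=0x<hex blob>
    r".*?exec\s*\(\s*@\1\s*\)",                          # EXEC(@s)
    re.S,
)

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields header line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            tokens = raw.split()
            if fields and len(tokens) == len(fields):
                yield dict(zip(fields, tokens))

def scan_iis_log(text):
    """Return one finding per request carrying the hex-encoded injection."""
    hits = []
    for rec in parse_w3c(text):
        query = unquote(rec.get("cs-uri-query", "-"))
        m = SQLI_RE.search(query.lower())
        if not m:
            continue
        # The parameter whose value was closed off with a quote is the injection point.
        param = query[: m.start()].rsplit("&", 1)[-1].split("=", 1)[0]
        hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec.get("c-ip"),
                     "param": param, "payload": bytes.fromhex(m.group(2)).decode("latin-1")})
    return hits
```

Real campaigns also used CAST(0x... AS VARCHAR) variants, so a production rule should add that form; the regex above covers only the DECLARE/SET/EXEC shape shown in this thread.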

8:23 pm on June 11, 2010 (gmt 0)

Preferred Member



threatpost.com is the only site that reported the incident; cannot re-confirm it anywhere yet?
8:29 pm on June 11, 2010 (gmt 0)

Junior Member



Yeah, positive confirmation. Just Google for a URL to which the target redirects, be careful though. I suppose specifics would be a no-go here as it is basically live malware.
9:14 pm on June 11, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Analysis of the attack:

[blog.sucuri.net...]
10:05 pm on June 11, 2010 (gmt 0)

Senior Member



I concur, we were attacked, but they didn't get through. This is a classic SQL injection. It is a 64-bit encoded string that executes Microsoft SQL server script. They append their own string to every character field in your database.

We were hit by an almost identical attack 2 years ago, when we were unprepared. But the script is "lazy" enough that it'll just append everywhere...which leads me to believe they are there for collateral damage.

You'd need a database scan script to look through all character fields if your DB is large enough.
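One way to write the database scan this post describes, as an added example (not the poster's script): count the rows in every character column that contain a marker such as the start of an injected script tag. The SQL Server column-discovery query against INFORMATION_SCHEMA.COLUMNS is an assumption, and the runnable demo uses a constructed in-memory sqlite3 database in place of SQL Server; the row-scan logic works over any qmark-style DB-API connection such as pyodbc.

```python
import sqlite3

# SQL Server query (assumed, not from the thread) that lists every character column;
# feed its rows to scan_char_columns() over a qmark-style DB-API connection (e.g. pyodbc).
MSSQL_CHAR_COLUMNS = (
    "SELECT TABLE_SCHEMA + '.' + TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS "
    "WHERE DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')"
)

def quote_ident(name):
    """Double-quote each part of a (possibly schema-qualified) identifier."""
    return ".".join('"' + part.replace('"', '""') + '"' for part in name.split("."))

def like_pattern(marker):
    """Escape LIKE metacharacters so the marker is matched literally (ESCAPE '\\')."""
    for ch in ("\\", "%", "_"):
        marker = marker.replace(ch, "\\" + ch)
    return "%" + marker + "%"

def scan_char_columns(conn, columns, marker="<script"):
    """Return (table, column, rows) for every column whose text contains marker."""
    findings = []
    cur = conn.cursor()
    for table, column in columns:
        # Identifiers come from the catalogue and are quoted; the marker is a bound parameter.
        sql = (f"SELECT COUNT(*) FROM {quote_ident(table)} "
               f"WHERE {quote_ident(column)} LIKE ? ESCAPE '\\'")
        (count,) = cur.execute(sql, (like_pattern(marker),)).fetchone()
        if count:
            findings.append((table, column, count))
    return findings

def build_demo_db():
    """Constructed in-memory sqlite sample: one description row carries an injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, description TEXT);
        CREATE TABLE comments(author TEXT, body TEXT);
        INSERT INTO products VALUES ('Widget', 'Blue widget'),
            ('Gadget', 'Red gadget<script src="http://injected.invalid/x.js"></script>');
        INSERT INTO comments VALUES ('ann', 'Great product, 100% happy');
    """)
    return conn

DEMO_COLUMNS = [("products", "name"), ("products", "description"),
                ("comments", "author"), ("comments", "body")]
```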
10:27 pm on June 11, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member



Anyone running IIS should make sure they are safe.


I'd suggest that the "attacker" probably made a mistake with his/her execution given that it is aimed at an ad agency. Having everyone's site telling them it's infected serves no purpose. On the other hand replacing ads on your site with ads that convert for the hacker is extremely profitable which was probably the goal.

Patch, move on, this isn't nearly as malicious an attack as others that get/got very little press. The sky isn't falling, only IIS's reputation is.

This was more like an Amber Alert (very alarming title) given the minor damage potential.
10:49 pm on June 11, 2010 (gmt 0)

Junior Member



I still cannot figure out what the actual affected software is.
11:25 pm on June 11, 2010 (gmt 0)

Senior Member



Just checked my logs; luckily I have not been attacked.
11:38 pm on June 11, 2010 (gmt 0)

Senior Member



Vamm, there's no "list of affected software". It is a SQL injection, and your software either has an issue, or not. The problem is every form and every dynamic parameter that is used on a page can be a vulnerability. And even if you had software that was tested, and added modifications, you may have introduced a vulnerability yourself.

If you are affected:

The quick-and-dirty way to protect yourself is to deny all permissions on Sys* database tables (and other sys* objects) to the SQL Server user that is used by your web application.

You may have to modify some queries, such as going back to "Select count(*)" instead of hitting sys tables to get record counts. Small price to pay for security.
12:25 am on June 12, 2010 (gmt 0)

Senior Member



Does IIS have a way to do rewrite rules like in Apache? We added some rules to our httpd.conf last year to thwart SQL injections.
6:35 am on June 12, 2010 (gmt 0)

Junior Member



Really, I got confused by some comments along the lines of "specific third party ad script", and also the utm_whatever in the request, and thought it would be specifically targeted. Apparently this is not the case.
5:02 pm on June 12, 2010 (gmt 0)

Senior Member



Does IIS have a way to do rewrite rules like in Apache?


Yes, there is an IIS URL Rewrite Module for IIS7 and up, native from IIS.net. For IIS6 and below there are several other alternatives such as ISAPIRewrite.