Comments on: Widespread SQL injection & Javascript malware http://travisaltman.com/widespread-sql-injection-javascript-malware/ Tue, 06 Jan 2009 04:43:42 +0000 http://wordpress.org/?v=2.2.1 By: travis http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-86 travis Fri, 16 May 2008 16:49:25 +0000 http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-86 <p>Joel,</p> <p>you make a good point, i'm surprised this didn't happen months or years ago. as far as offending code you can do it but it's not the easiest solution. Eric Jenko above pointed me to a link on how to fix the problem.</p> <p>http://phreakhead.livejournal.com/2008/05/12/</p> <p>in phreakhead's case he searches for and replaces wowyeye.com/m.js, you would of course have to search for other offending URL's also.</p> <p>speaking of worms Joel, Eric also pointed to an article yesterday saying that the likely culprit is a botnet. who would'a thunk it?</p> <p>http://www.darknet.org.uk/2008/05/new-botnet-malware-spreading-sql-injection-attack-tool/</p> Joel,

you make a good point, i’m surprised this didn’t happen months or years ago. as far as offending code you can do it but it’s not the easiest solution. Eric Jenko above pointed me to a link on how to fix the problem.

http://phreakhead.livejournal.com/2008/05/12/

in phreakhead’s case he searches for and replaces wowyeye.com/m.js, you would of course have to search for other offending URL’s also.

speaking of worms Joel, Eric also pointed to an article yesterday saying that the likely culprit is a botnet. who would’a thunk it?

http://www.darknet.org.uk/2008/05/new-botnet-malware-spreading-sql-injection-attack-tool/

]]> By: Joel Helgeson http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-85 Joel Helgeson Fri, 16 May 2008 16:13:07 +0000 http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-85 The internet worm is back. My only surprise is that it took them this long to innovate. Second, being that the exploits are being served up by the database, the Database Admin will see no problems, because we're not dealing with corruption here. They would need to delve into the tables and find the offending code... and how the heck are they supposed to do that? Apparently history does repeat itself, the attackers have gone back to defacing websites. The internet worm is back. My only surprise is that it took them this long to innovate.
Second, being that the exploits are being served up by the database, the Database Admin will see no problems, because we’re not dealing with corruption here. They would need to delve into the tables and find the offending code… and how the heck are they supposed to do that?
Apparently history does repeat itself, the attackers have gone back to defacing websites.

]]> By: travis http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-84 travis Fri, 16 May 2008 03:06:46 +0000 http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-84 Eric, you're right about mixing up the javascript on the sites performing the exploits, i didn't really think about that. the possibilities are some what endless when the attacker has a hold of your web apps database. also something interesting that PJ McGarvey out of Philly pointed out is that some of the javascript used is obfuscated to try and hide the attack. i haven't personally analyzed much of this attack but the 50,000 ft view is scary enough. Eric,

you’re right about mixing up the javascript on the sites performing the exploits, i didn’t really think about that. the possibilities are some what endless when the attacker has a hold of your web apps database.

also something interesting that PJ McGarvey out of Philly pointed out is that some of the javascript used is obfuscated to try and hide the attack. i haven’t personally analyzed much of this attack but the 50,000 ft view is scary enough.

]]> By: Eric Jenko http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-83 Eric Jenko Thu, 15 May 2008 21:44:12 +0000 http://travisaltman.com/widespread-sql-injection-javascript-malware/#comment-83 Another thing to consider is how dynamic the attack can be. Consider that what is stored to the victim-site is the call to the external js file and NOT the js file, itself. This means that the person/people who serve the malicious js files can constantly update the code with different or newly crafted attacks. ...Of course, this is assuming that the injection goes unnoticed by the victim-sites' owners. But given the widespread success, how many of the victim-sites' owners are aware that they are victims? :) Another thing to consider is how dynamic the attack can be. Consider that what is stored to the victim-site is the call to the external js file and NOT the js file, itself.

This means that the person/people who serve the malicious js files can constantly update the code with different or newly crafted attacks.

…Of course, this is assuming that the injection goes unnoticed by the victim-sites’ owners. But given the widespread success, how many of the victim-sites’ owners are aware that they are victims? :)

]]>