Mysterious infection of ten thousand web sites explained
In January this year, several thousand legitimate web sites were manipulated in order to make them try to infect visitors to their pages with trojans and other malicious code. Security experts at the Internet Storm Center (ISC) have now worked out how the mass infection was carried out.
While investigating a server that was hosting malicious JavaScript code for these attacks, the ISC experts came upon the actual executable file being used to attack web sites. It's a Windows tool with a user interface in Chinese, and it uses the Google search engine to hunt for vulnerable servers on which it then carries out an SQL injection attack. This inserts an iframe that pushes the attacking code on visitors to the web pages affected.
The crafted iframe in the tool contains the link that turned up on a great many manipulated web sites in January. The attacks appear to be tailored to Microsoft SQL Server and Internet Information Server. According to the analyses by the ISC, the tool also contacts another server in China before attacking, apparently to trigger a payment procedure.
The ISC warns that the analysis of the tool is continuing and far from complete. Operators of web pages are advised to check the security of their web applications, because the attacks on web servers are still going on. Initial practical help and suggestions to operators for checking the security of their web presence is available in two articles at heise Security: Data salad (searching for vulnerabilities with fuzzing) and Server peace (basic security for PHP software).
See also:
- The 10,000 web sites infection mystery solved, ISC blog entry
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
