Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 08 January 2008
Occurred: 28 December 2007

Classifications:

Attack Method: SQL Injection
Origin: China
Outcome: Planting of Malware

An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for a name of Chinese sites referred to in malicious code.

As a security practitioner I often see SQL injection bots, and many times when I install ModSecurity, an open source application firewall but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to try to use SQL injection vectors that will enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot is modifying every record it has access to into a malicious code in the hope that it will be fetched and displayed by the application to its users.

A byproduct if this vector is that is that results are catastrophic for the site owners. While in a case of common defacement attacks restoring (or recreating) the homepage is all it required to get back to business, in this case the whole database is ruined. Considering the scope of the attack and that restoring the database, if it was ever backup, requires much more expertise, the overall damage of this attack is very high.

References:

70,000 Web Pages Hacked By Database Attack
News Story, Information Week, 08 January 2008
Realplayer Vulnerability
Alert, SANS Internet Storm Center, 04 January 2008
Massive embedded exploit web site attack underway
Alert, Heise, 08 January 2008
SQL Injection Attack Infects Thousands of Websites
Technical Analysis, Ryan Barnett, 08 January 2008
Mass exploits with SQL Injection
Technical Analysis, SANS, 09 January 2008

Select an Incident:

1999: 1999-1

2000: , 2000-1, 2000-2, 2000-3, 2000-4, 2000-5, 2000-6

2001: 2001-1, 2001-2, 2001-3, 2001-4, 2001-5, 2001-6

2002: 2002-1, 2002-2, 2002-3, 2002-4

2003: 2003-1, 2003-2, 2003-3, 2003-4, 2003-5, 2003-6, 2003-7, 2003-8, 2003-9

2004: 2004-1, 2004-10, 2004-11, 2004-12, 2004-13, 2004-14, 2004-15, 2004-16, 2004-17, 2004-18, 2004-2, 2004-3, 2004-4, 2004-5, 2004-6, 2004-7, 2004-8, 2004-9

2005: 2005-1, 2005-10, 2005-11, 2005-12, 2005-13, 2005-14, 2005-15, 2005-16, 2005-17, 2005-18, 2005-19, 2005-2, 2005-20, 2005-21, 2005-22, 2005-23, 2005-24, 2005-25, 2005-26, 2005-27, 2005-28, 2005-29, 2005-3, 2005-30, 2005-31, 2005-32, 2005-33, 2005-34, 2005-35, 2005-36, 2005-37, 2005-38, 2005-39, 2005-4, 2005-40, 2005-41, 2005-42, 2005-43, 2005-44, 2005-45, 2005-46, 2005-47, 2005-48, 2005-49, 2005-5, 2005-50, 2005-51, 2005-52, 2005-53, 2005-54, 2005-55, 2005-56, 2005-57, 2005-58, 2005-59, 2005-6, 2005-60, 2005-61, 2005-62, 2005-63, 2005-64, 2005-65, 2005-7, 2005-8, 2005-9, 2007-18

2006: 2006-1, 2006-10, 2006-11, 2006-12, 2006-13, 2006-14, 2006-15, 2006-16, 2006-17, 2006-18, 2006-19, 2006-2, 2006-20, 2006-21, 2006-22, 2006-23, 2006-24, 2006-25, 2006-26, 2006-27, 2006-28, 2006-29, 2006-3, 2006-30, 2006-31, 2006-32, 2006-33, 2006-34, 2006-35, 2006-36, 2006-37, 2006-38, 2006-39, 2006-4, 2006-40, 2006-41, 2006-42, 2006-43, 2006-45, 2006-46, 2006-47, 2006-5, 2006-6, 2006-7, 2006-8, 2006-9

2007: , 2007-01, 2007-02, 2007-03, 2007-04, 2007-05, 2007-06, 2007-07, 2007-08, 2007-09, 2007-10, 2007-11, 2007-12, 2007-13, 2007-14, 2007-15, 2007-16, 2007-17, 2007-19, 2007-20, 2007-21, 2007-22, 2007-23, 2007-24, 2007-25, 2007-26, 2007-27, 2007-28, 2007-29, 2007-30, 2007-31, 2007-32, 2007-33, 2007-34, 2007-35, 2007-36, 2007-37, 2007-38, 2007-39, 2007-40, 2007-41, 2007-42, 2007-43, 2007-44, 2007-45, 2007-46, 2007-47, 2007-48, 2007-49, 2007-50, 2007-51, 2007-52, 2007-53, 2007-54, 2007-55, 2007-56, 2007-57, 2007-58, 2007-59, 2007-60, 2007-61, 2007-62, 2007-63, 2007-64, 2007-65, 2007-66, 2007-67, 2007-69, 2007-70, 2007-71, 2007-72, 2007-73, 2007-74, 2007-75, 2007-76, 2007-77, 2007-78, 2007-79, 2007-80, 2007-81, 2007-82, 2007-83, 2007-84, 2007-85, 2007-86

2008: , 2008-01, 2008-02, 2008-03, 2008-04, 2008-05, 2008-06, 2008-07, 2008-08, 2008-09, 2008-10, 2008-11, 2008-12

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.