Your security, networking, programming, and application news source.

Monday, April 28, 2008

Automated SQL Injection Mass Attack Hits IIS Websites

“Exploits of a Mom” by <xkcd>

  An automated attack against Microsoft’s IIS servers has hit some 500,000 websites. Websites affected include the United Nations, UK Government sites and the U.S. Department of Homeland Security.

  The attack targets Microsoft IIS servers running ASP. It relies on generic SQL commands that need no table-specific arguments, so it can pollute the database servers behind those sites without prior knowledge of the database's table and field structure.

  The attacking script injects malicious JavaScript code into every text field of the database. The JavaScript then loads an external script that can compromise a user’s PC. So far there have been no details about who is behind the attacks.
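A defender can audit a database for this kind of pollution the same schema-agnostic way. The sketch below is an added example, not code from the original post: it enumerates every text column and flags values that contain a `<script>` tag loading an external URL. It uses an in-memory SQLite database as a stand-in for the affected database servers, and the table names, rows and the `example.invalid` host are constructed.

```python
import re
import sqlite3

# Matches a <script> tag that loads code from an external http(s) URL.
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

def quote_ident(name):
    """Quote an identifier taken from the schema so it is safe to interpolate."""
    return '"' + name.replace('"', '""') + '"'

def find_injected_scripts(conn):
    """Return (table, column, rowid, url) for each text value holding an external script tag."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        qt = quote_ident(table)
        # PRAGMA table_info rows: (cid, name, declared type, notnull, default, pk)
        for cid, col, ctype, *rest in conn.execute(f"PRAGMA table_info({qt})").fetchall():
            if not any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                continue  # only text-like columns can carry the injected markup
            qc = quote_ident(col)
            rows = conn.execute(
                f"SELECT rowid, {qc} FROM {qt} WHERE {qc} LIKE '%<script%'").fetchall()
            for rowid, value in rows:
                for m in SCRIPT_SRC.finditer(str(value)):
                    hits.append((table, col, rowid, m.group(1)))
    return hits

def demo():
    # Constructed sample data; example.invalid is a placeholder host.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(100), body TEXT, views INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, display_name NVARCHAR(50));
    """)
    tag = '<script src="http://example.invalid/x.js"></script>'
    conn.executemany("INSERT INTO articles (title, body, views) VALUES (?, ?, ?)", [
        ("Clean post", "Nothing unusual here.", 10),
        ("Release notes" + tag, "Version 2 is out." + tag, 25),
    ])
    conn.executemany("INSERT INTO users (display_name) VALUES (?)", [("alice",), ("bob" + tag,)])
    return find_injected_scripts(conn)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Grouping the hits by URL shows quickly whether one external script was written across many unrelated columns, which is the pattern described above.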

<Wired Blog - Massive Attack: Half A Million Microsoft-Powered Sites Hit With SQL Injection> (4/28/2008)
<Hackademix - Mass Attack FAQ> (4/26/2008)
