Mass SQL injection attack compromises 70,000 websites

Share this article:
Updated Wed., Jan. 9, 2008, at 4:37 p.m. EST

An automated SQL injection attack, which at one point compromised more than 70,000 websites, hijacked visitors' PCs with a variety of exploits last week, according to researchers.

The hacked sites, which could be found easily via a Google search, affected a wide variety of pages, Roger Thompson, chief research officer at Grisoft, noted Saturday in a blog post.

"This was a pretty good mass hack," he said. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.”

The attack affected websites in both the .edu and .gov domains, according to researchers at the SANS Institute's Internet Storm Center (ISC). Several pages of CA's website were infected as well.

"These are almost all trusted sites," Alan Paller, SANS research director, told SCMagazineUS.com.

The cyberattackers used a SQL injection attack on Microsoft's SQL Server database product to compromise the array of sites. "[It was] an application that accessed system tables not commonly accessed," said Phil Neray, vice president of marketing at Guardium.

“[The affected tables] told the hacking application where to insert the malicious code in the database," he said. “Once visitors connect to that database, they get infected with a variety of malware, including the RealPlayer bug discovered in October of last year.

Thompson noted that the 15-month-old vulnerability in Microsoft Data Access Components (MDAC), patched in April 2006, was one flaw exploited in the attack.

“[The hackers] went to the trouble of preparing a good website exploit, and a good mass hack, but then used a moldy old client exploit,” he said, adding that most of the infected sites were quickly sanitized.

Paller said end-users don't have a way to defend themselves against such attacks.

"In this case, [the attackers] are using SQL injection, which is hard for the user to do anything about," he said.

A Microsoft spokesperson said that the Redmond, Wash.-based computing giant is aware of public claims of exploitation, but unawards of customer impact.
Share this article:

Sign up to our newsletters

More in News

Research shows vulnerabilities go unfixed longer in ASP

Research shows vulnerabilities go unfixed longer in ASP

A new report finds little difference in the number of vulnerabilities among programming languages, but remediation times vary widely.

Bill would restrict Calif. retailers from storing certain payment data

The bill would ban businesses from storing sensitive payment data, for any long than required, even if it is encrypted.

Amplification, reflection DDoS attacks increase 35 percent in Q1 2014

Amplification, reflection DDoS attacks increase 35 percent in ...

The Q1 2014 Global DDoS Attack Report reveals that amplification and reflection distributed denial-of-service attacks are on the rise.