Mass SQL injection attack compromises 70,000 websites

Updated Wed., Jan. 9, 2008, at 4:37 p.m. EST

An automated SQL injection attack, which at one point compromised more than 70,000 websites, hijacked visitors' PCs with a variety of exploits last week, according to researchers.

The hacked sites, which could be found easily via a Google search, affected a wide variety of pages, Roger Thompson, chief research officer at Grisoft, noted Saturday in a blog post.

"This was a pretty good mass hack," he said. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

The attack affected websites in both the .edu and .gov domains, according to researchers at the SANS Institute's Internet Storm Center (ISC). Several pages of CA's website were infected as well.

"These are almost all trusted sites," Alan Paller, SANS research director, told SCMagazineUS.com.

The cyberattackers used a SQL injection attack on Microsoft's SQL Server database product to compromise the array of sites. "[It was] an application that accessed system tables not commonly accessed," said Phil Neray, vice president of marketing at Guardium.

"[The affected tables] told the hacking application where to insert the malicious code in the database," he said. "Once visitors connect to that database, they get infected with a variety of malware, including the RealPlayer bug discovered in October of last year."

Thompson noted that the 15-month-old vulnerability in Microsoft Data Access Components (MDAC), patched in April 2006, was one flaw exploited in the attack.

“[The hackers] went to the trouble of preparing a good website exploit, and a good mass hack, but then used a moldy old client exploit,” he said, adding that most of the infected sites were quickly sanitized.

Paller said end-users don't have a way to defend themselves against such attacks.

"In this case, [the attackers] are using SQL injection, which is hard for the user to do anything about," he said.

A Microsoft spokesperson said that the Redmond, Wash.-based computing giant is aware of public claims of exploitation, but unaware of customer impact.