Mass SQL injection attack compromises 70,000 websites

Updated Wed., Jan. 9, 2008, at 4:37 p.m. EST

An automated SQL injection attack, which at one point compromised more than 70,000 websites, hijacked visitors' PCs with a variety of exploits last week, according to researchers.

The hacked sites, which could be found easily via a Google search, affected a wide variety of pages, Roger Thompson, chief research officer at Grisoft, noted Saturday in a blog post.

"This was a pretty good mass hack," he said. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.”

The attack affected websites in both the .edu and .gov domains, according to researchers at the SANS Institute's Internet Storm Center (ISC). Several pages of CA's website were infected as well.

"These are almost all trusted sites," Alan Paller, SANS research director, told SCMagazineUS.com.

The cyberattackers used a SQL injection attack on Microsoft's SQL Server database product to compromise the array of sites. "[It was] an application that accessed system tables not commonly accessed," said Phil Neray, vice president of marketing at Guardium.

"[The affected tables] told the hacking application where to insert the malicious code in the database," he said. "Once visitors connect to that database, they get infected with a variety of malware, including the RealPlayer bug discovered in October of last year."

Thompson noted that the 15-month-old vulnerability in Microsoft Data Access Components (MDAC), patched in April 2006, was one flaw exploited in the attack.

“[The hackers] went to the trouble of preparing a good website exploit, and a good mass hack, but then used a moldy old client exploit,” he said, adding that most of the infected sites were quickly sanitized.

Paller said end-users don't have a way to defend themselves against such attacks.

"In this case, [the attackers] are using SQL injection, which is hard for the user to do anything about," he said.

A Microsoft spokesperson said that the Redmond, Wash.-based computing giant is aware of public claims of exploitation, but unaware of customer impact.