
Mass SQL injection attack compromises 70,000 websites

Updated Wed., Jan. 9, 2008, at 4:37 p.m. EST

An automated SQL injection attack, which at one point compromised more than 70,000 websites, hijacked visitors' PCs with a variety of exploits last week, according to researchers.

The hacked sites, which could be found easily via a Google search, affected a wide variety of pages, Roger Thompson, chief research officer at Grisoft, noted Saturday in a blog post.

"This was a pretty good mass hack," he said. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

The attack affected websites in both the .edu and .gov domains, according to researchers at the SANS Institute's Internet Storm Center (ISC). Several pages of CA's website were infected as well.

"These are almost all trusted sites," Alan Paller, SANS research director, told

The cyberattackers used a SQL injection attack on Microsoft's SQL Server database product to compromise the array of sites. "[It was] an application that accessed system tables not commonly accessed," said Phil Neray, vice president of marketing at Guardium.

“[The affected tables] told the hacking application where to insert the malicious code in the database," he said. “Once visitors connect to that database, they get infected with a variety of malware, including the RealPlayer bug discovered in October of last year.”

Thompson noted that the 15-month-old vulnerability in Microsoft Data Access Components (MDAC), patched in April 2006, was one flaw exploited in the attack.

“[The hackers] went to the trouble of preparing a good website exploit, and a good mass hack, but then used a moldy old client exploit,” he said, adding that most of the infected sites were quickly sanitized.

Paller said end-users don't have a way to defend themselves against such attacks.

"In this case, [the attackers] are using SQL injection, which is hard for the user to do anything about," he said.

A Microsoft spokesperson said that the Redmond, Wash.-based computing giant is aware of public claims of exploitation, but unaware of customer impact.
