Blogger :
MSDN Blogs
All posts :
All posts by MSDN Blogs
Category :
SAPscript
Blogged date : 2008 Apr 29
Considering a lot of RIA apps run on IIS with SQL this headline caught my attention.
So far one of the best write ups is from Wired . However the article ends with: "So far there have been no details about who is behind the attacks."
However further internet searching revealed that this most like came from China. From the iis.net forums we learned that
<<
the domain nihaorr1.com was registered. IP geolocation shows this machine in Beijing, China
>>
www.nihaorr1.com/1.js is where the javascript originated. This is not suprising considering we learned from Tolffer's latest book:
Revolutionary Wealth: How it will be created and how it will change our lives
that the chinese gov't is training the People's Liberation Army as well as its citizens in Information warfare.
Even though the "great firewall" of China filters out Google searches it is OK for using Google to find SQL Injection vulnerable sites.
The latest advisory for this is here: http://www.microsoft.com/technet/security/advisory/951306.mspx
It really looks like a clever attack ... a very generic approach to just find all sites on IIS with ASP that have a potential SQL Injection attack. (Any ASP code that posts to a SQL database that does not validate the input.
From the iis.net forum:<<
Looks like someone is doing a lot of script code injection into a lot of vulnerable (read: poorly written) forms that aren't validating input to strip out script code.
>>
References:
Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
Published: April 17, 2008 | Updated: April 23, 2008
http://www.microsoft.com/technet/security/advisory/951306.mspx
American Foreign Policy Council
http://www.afpc.org/crm/crm271.htm
Microsoft Security Bulletin MS08-006 – Important
Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)
http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx
Microsoft rings alarm on Windows rights bug
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078959
Microsoft: Massive site attacks not our fault
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080678
Thread: Anyone know about www.nihaorr1.com/1.js ?
http://forums.iis.net/t/1148917.aspx
Wired Blog Network
http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html
Forbes
http://www.forbes.com/2008/04/28/hackers-google-china-tech-security-cx_ag_0428hack.html?partner=msn
Huge Web hack attack infects 500,000 pages
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9080580&taxonomyId=17&intsrc=kc_top
