Automated SQL Injection Attacks

Notification Type:     IBM Internet Security Systems Protection Alert
Notification Date:     May 23, 2008
Notification Version:  1.2

Name:                  Automated SQL Injection Attacks
Public disclosure/
In the wild date:      April 22, 2008

Description:

Over the past few months, IBM X-Force has seen an escalation of SQL injection and other web-related attacks.  In the past few weeks, these attacks have culminated in automated SQL injection attacks that, in some cases, have systematically defaced websites.

As of July 24, IBM MSS has continued to monitor escalating attack attempts. Although most exploitation had been focused on ASP (primarily fueled by the Asprox botnet and Chinese sources), recent exploitation has turned to attacks specific to ColdFusion from sources that appear to be mostly Russian.

On Aug. 12, IBM MSS picked up evidence of a new target database, MySQL.


ISS Coverage

Product                           Content Version
Proventia Network IDS             27.040
Proventia Network IPS             27.040
Proventia Network MFS             27.040
Proventia Server (Linux)          27.040
RealSecure Network                27.040
RealSecure Server Sensor          27.040
Proventia Desktop                 2050
Proventia Server IPS (Windows)    2050

Propagation Techniques                        ISS Protection Available
remote exploit                                SQL_Injection* (Jun 12, 2007)
(server compromise attempts)
remote exploit                                HTML_VML_Heap_Overflow (Jan 10, 2007)
(host infection attempts from an              Upx_Packed_Executable (Mar 14, 2005)
infected or malicious server)

* Some web applications are coded to use SQL injection in database transactions.  Before enabling blocking for this attack, please see KBA 4748 for tuning suggestions.

Detailed Description

Business Impact: Public defacement, confidential data leakage, and database server compromise can result from these attacks.  Client systems can also be targeted, and complete compromise of these client systems is also possible.
Affected Products: SQL injection can affect commercial and homegrown applications and the databases behind them.  These particular attacks have targeted and compromised LAMP (Linux Apache MySQL PHP) systems, Windows IIS ASP SQL systems, and phpBB installations.  Some of these attacks have involved IFRAMEs with JavaScript while others are outright SQL injection attacks.
Technical Description (SQL Injection): Multiple products that use data in SQL queries are vulnerable to SQL injection. Attackers can use SQL injection techniques to exploit Web sites and applications that implement SQL queries without first removing potentially harmful characters. Using SQL injection, attackers can create and modify tables, and possibly gain complete control over the database, host computer, and network of trusted computers.
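
The following is an added example, not code from the IBM alert or from any of the products it names. It puts the vulnerable pattern the description refers to (query text built by splicing in user input) beside the parameterised form that the database driver handles safely, running both against a throw-away in-memory SQLite database. The table, rows and inputs are constructed for the demonstration; the function names are the example's own.

```python
"""Added example (not from the IBM ISS alert): the same user lookup written
two ways against an in-memory SQLite database, so that the effect of running
SQL queries "without first removing potentially harmful characters" can be
observed next to the parameterised form that neutralises it.
All table and row data below is constructed for the demonstration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throw-away in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("o'brien", "obrien@example.invalid"),  # a legitimate name containing a quote
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the input is spliced into the SQL text, so any
    quote character in it becomes part of the query's syntax rather than data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value travels separately from the query text, so
    the driver only ever compares it as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str):
    """Run both forms on the same input and return (unsafe_rows, safe_rows).

    unsafe_rows is the string 'error' when the spliced query no longer parses,
    which is what happens with a legitimate name such as o'brien."""
    conn = build_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error:
        unsafe = "error"
    safe = lookup_safe(conn, name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for candidate in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(candidate), "->", compare(candidate))
```

Run as a script, the ordinary name returns the same single row from both forms; the name containing an apostrophe breaks the spliced query outright while the parameterised one still finds the row; and the textbook tautology input makes the spliced query return every row in the table while the parameterised query correctly returns nothing, because no user is literally named that. The difference is exactly what the signature in the coverage table is looking for on the wire, and what a parameterised query removes at the source.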
Remediation:

In addition to enabling the IPS signatures listed in ISS Coverage section, customers should ensure that:

  • Browsers and plug-ins have the latest patches and updates
  • Access to superuser or root accounts is restricted on Linux, Apache, MySQL, PHP and similar servers
  • Reusable password access to remote servers is prohibited
  • Access to ssh should be through strong authentication mechanisms such as the “authorized_keys” authentication
  • Direct remote access to the root account should be completely prohibited outside of tightly controlled applications and keys
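
The last three items above map onto a handful of OpenSSH server directives. The following added example (not part of the IBM alert, and not an IBM tool) reads an sshd_config text and reports which of those directives is set, or defaulted, to a value that contradicts the recommendation. The two configuration texts are constructed for the demonstration; the directive names (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication) are OpenSSH's, while the assumed defaults and the simplified handling of Match blocks are the example's own and are marked as such in the code.

```python
"""Added example (not from the IBM ISS alert): audit the sshd directives that
implement the advisory's ssh recommendations (no reusable password logins,
key-based authentication, no direct remote root login).
Configuration texts are constructed; directive names are OpenSSH's."""

# directive (lowercased) -> (value that satisfies the recommendation, why it matters)
EXPECTED = {
    "permitrootlogin": ("no", "direct remote root login must be prohibited"),
    "passwordauthentication": ("no", "reusable password logins must not be accepted"),
    "pubkeyauthentication": ("yes", "authorized_keys authentication must be enabled"),
}

# Assumed OpenSSH defaults used when a directive is absent from the file
# (assumption for this example; check the sshd_config(5) of the version in use).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Return {lowercased directive: value} for the global section of sshd_config.

    sshd keeps the first occurrence of a directive, accepts "Key value" and
    "Key=value", and treats keywords case-insensitively. Directives after the
    first Match block apply only conditionally, so this simplified parser
    (an assumption of the example) stops reading there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].strip().lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> list:
    """Return (directive, effective_value, reason) for every directive whose
    effective value, explicit or defaulted, contradicts the recommendation."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, reason) in EXPECTED.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective != wanted:
            findings.append((key, effective, reason))
    return findings


# Constructed sample: root login explicitly allowed, password logins left at default.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication not set, so the default applies
"""

# Constructed sample satisfying all three recommendations; the Match block
# below it is conditional and is not counted against the global settings.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication=no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_sshd_config(cfg) or "no findings")
```

The weak sample yields two findings (root login allowed, password authentication effectively enabled through the default), the hardened sample none. The point of checking defaults rather than only explicit lines is that an sshd_config that simply omits PasswordAuthentication still accepts reusable passwords, which is the condition the advisory asks customers to rule out.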

Additionally, it is also recommended to remove "ghost" accounts (expired accounts or accounts where individuals are no longer present who own them) and to scan web applications for vulnerabilities using a specialized web application assessment product like Rational AppScan.

References

XFDB: http://xforce.iss.net/xforce/xfdb/8783
FrequencyX: http://blogs.iss.net/archive/SecondOrderXSS.html
http://blogs.iss.net/archive/MassAttackMarch.html

Revision History

1.0 Initial publication.
1.1 Added detail about recent (as of July 24th) exploitation and removed some older references.
1.2 Added note about MySQL targets that MSS picked up on Aug 12.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.