On June 7, ScanSafe, Cisco Systems’ Web-tracking subsidiary, started tracking the effects of a new web attack that Andre DeMino, a co-founder of the Shadowserver malware-tracking group, has described as the “worst since a large number of WordPress-based sites were hacked in April.”
Some sites are totally compromised while others only have small sections affected.
Security researchers are at this point still unsure exactly how the attacks work, but they think the attackers are using SQL injection to run database commands that insert malicious HTML into the site’s content. That HTML redirects visitors to another malicious Web server, which attempts to load software onto the visitors’ computers; where it succeeds, the criminals gain a way to remotely control those computers.
The team at Sucuri.net has so far found that all of the infected sites appear to be running the Microsoft Internet Information Services (IIS) Web-server software with Active Server Pages (ASP).
“The SQL injection attacks that allow the systems to be compromised are occurring due to vulnerabilities in third-party web applications and do not demonstrate vulnerabilities in Microsoft software,” said Microsoft spokesman Jerry Bryant via e-mail (source).
The third-party applications that Microsoft refers to appear to be servers running supplementary services such as advertising. Often, attackers gain limited access by breaking into a partner site — an ad company, for example — that is allowed to post to certain parts of the larger company’s Web site.
HP and Microsoft have released a free tool called Scrawlr that helps users check their Web sites for SQL injection vulnerabilities.
SophosLabs is adding detection for this SCRIPT injection as Mal/Badsrc-C.
While many marketers use Linux-based hosting and are not directly affected at this time, this is a timely reminder to make sure you are taking the appropriate steps to secure your site files and databases and to back them up on a regular basis.
WordPress users can follow the Triple “P” of WordPress Security advice or the Top 5 WordPress Security Tips You Most Likely Don’t Follow.
It might not be your site that gets hit directly, but if you are pulling content from somewhere else you may at some point be affected by attacks like this.
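One defender-side check that follows from the above, added here as an example that is not from the original post or from any of the vendors it names: a small Python script that lists every script a page loads from a host outside an allowlist of your own and known-partner hosts, so an injected redirect script stands out whether it was appended to a database field or to a page template. The allowlist and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist (not from the post): the site's own host plus the
# partner hosts it knowingly embeds. Replace with the real list for your site.
ALLOWED_SCRIPT_HOSTS = {"www.example-site.invalid", "ads.partner.invalid"}

# Constructed sample page: two expected scripts plus two injected ones of the
# kind described above, one unquoted (typical of script appended to a DB field).
SAMPLE_PAGE = """<html><head>
<script src="http://www.example-site.invalid/js/app.js"></script>
<SCRIPT SRC='//ads.partner.invalid/tag.js'></SCRIPT>
</head><body><p>Product text<script src=http://badsrc.invalid/x.js></script></p>
<script src="//cdn.badsrc.invalid/ad.js"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, whatever its case or quoting."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser already lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def script_host(src):
    """Host a script src loads from; None for same-origin relative paths."""
    # Absolute (scheme://host/...) and protocol-relative (//host/...) URLs name a
    # host; a bare path such as /js/app.js is served by the site itself.
    if "://" not in src and not src.startswith("//"):
        return None
    host = urlsplit(src).hostname
    return host.lower() if host else None


def find_foreign_scripts(html, allowed_hosts):
    """Return, sorted and de-duplicated, the script URLs loaded from non-allowlisted hosts."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    foreign = set()
    for src in collector.sources:
        host = script_host(src)
        if host is not None and host not in allowed_hosts:
            foreign.add(src)
    return sorted(foreign)


if __name__ == "__main__":
    for src in find_foreign_scripts(SAMPLE_PAGE, ALLOWED_SCRIPT_HOSTS):
        print("unexpected external script:", src)
```

Run it against the rendered HTML of each page (or against the text columns of your database) and treat any hit you did not put there as a sign the content has been tampered with.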
While the post above outlines how the servers might be attacked, web users should update Adobe Flash Player as soon as possible and take extra care when using Reader and Acrobat.
Adobe states: “We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010.”
For more info on the vulnerability, see CVE-2010-1297.