SQL Injection Attacks on IIS Web Servers

Posted: Apr 25, 2008 (134 comments)

Tags: Administrators, ASP.NET, Developers, IIS News Item, Security


You may have seen recent reports stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or to issues related to Security Advisory 951306, which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or to any known security issues in IIS 6.0, ASP, ASP.NET or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that takes advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

Guidance from Microsoft on web application development best practices can also be found on this MSDN page. Best practice guidelines that developers may follow to mitigate SQL injection can be located here. As we continue to make progress in our investigation of this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe to or visit the IIS security forum.

For end users, the investigation also shows no indication of an unpatched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend that customers apply the latest updates to be protected from these attacks.

To further protect themselves from the reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: www.microsoft.com/protect.

Anyone who believes they have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov

Comments

Ahhh BS, what's all this hoopla about?! Just tell it like it is: A LOT of developers are just plain lazy and don't care enough to use parameterized queries; end of story.

Apr 27 2008 by Peter

Does denying access to the web server still allow a SQL attack?

Apr 28 2008 by Paintworkzstudio

thank you

Apr 28 2008 by kazım

Even if Microsoft is not at fault for the SQL injection attacks, the malware specifically targets Windows clients.

Since the SQL injection attack is specific to T-SQL, wouldn't it be responsible to give developers and DBAs some hints to at least detect infections? Other than using Google to find all 500,000 infected web pages?

Apr 29 2008 by John.B

If this is not due to an IIS vulnerability, why does it only affect IIS servers?

Apr 29 2008 by max stirner

Hi Max -

the exploit code is specific to SQL Server, which is normally found behind an ASP/ASP.NET application that has not followed best practices. The exploit code doesn't work against MySQL or other databases, which is why it appears to be an IIS/ASP/ASP.NET/SQL bug, but it is not. The same exploit could have been done with code specific to MySQL or any other database.

Apr 29 2008 by bills

John.B - MS do provide info for developers and DBAs, either via MSDN:

msdn2.microsoft.com/.../ms161953.aspx

also via multiple blog entries, for example:

http://blogs.msdn.com/raulga/

problem is most Devs and DBAs are just not interested in doing the work...

Apr 29 2008 by SR - UK

I wrote some T-SQL to scan your entire server for "<script" in all databases.

================

exec sp_msforeachdb '
Print(''Scanning Database [?]'')

-- One row per text-like column (ntext=99, text=35, nvarchar=231, varchar=167)
-- in every user table (xtype = U) of the current database.
-- Assumes the tables live in the dbo schema.
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from [?].dbo.sysobjects a,[?].dbo.syscolumns b
where a.id=b.id and a.xtype=''u'' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
order by a.name, b.name

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    -- Skip temporary tables
    If Left(@T,1)<>''#''
    Begin
        Print('' Scanning Table [''+@T+''], Column: [''+@C+'']'')
        -- Dynamic SQL: report the column if any row contains an injected script tag
        Exec(''if exists(select [''+@C+'']  from [?].dbo.[''+@T+''] where [''+@C+''] like ''''%<script%'''') print ''''>>> FOUND in [''+@T+''].[''+@C+'']'''''')
    End
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
'

================

Just search the printout for ">>> FOUND" to see in what table the malicious code was found.

Be warned: this might take a LONG time!

Apr 29 2008 by RobIII

A few of our legacy ASP applications were affected by this outbreak. It was an accident waiting to happen though. The blame is on the poorly written code, not on SQL or IIS. Since it is too expensive (and difficult) to fix all the code, you have to live with it. I found an interesting and free (GNU with source code) application for IIS that proved very efficient. I am still being attacked, but the filter has blocked the effects of such attacks.

Installation and code can be found here:

www.codeplex.com/IIS6SQLInjection

The only bad thing is that it is not compatible with 64-bit Windows. I had to move all ASP applications to a lesser server :(

May 08 2008 by Joseph

Once you recover your web server from the attack you are not done. You may find that the search engines now have cached pages for your site that include the malicious code. Yahoo takes a simple e-mail. Google takes an online form. I have been fighting for 2 weeks to get Microsoft to remove cached pages that are now 6 weeks old from their Live Search.

May 15 2008 by Yvonne

Who should be responsible for fixing a website that has recently been affected by an SQL injection attack? Should it be the people responsible for developing the website or the company that purchased it? We had a website developed a year ago and it's currently being hosted by the developer. It has recently been attacked and now they want to charge us to fix it, but if this is due to their poor code shouldn't they be responsible for fixing it?

May 20 2008 by Samuel Davis

The above component does not work and fails if SQL is defined in the form action:

<form method="post" action="show.asp?PageID=123;Declare @a;Set @=123;Exec(@);">

</form>

May 20 2008 by Anonymous
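The automated attack the post describes and the query-string shape in the comment above (a second T-SQL statement stacked onto a numeric parameter) leave a recognisable trace in IIS request logs. The scanner below is an added example, not code from the post, from Microsoft or from the IIS6SQLInjection project; it assumes a simplified W3C field order and a hypothetical marker pattern, both constructed here, and it hunts existing logs for requests a parameterized query would simply have rejected.

```python
"""Flag IIS W3C log entries whose query string carries a stacked T-SQL batch."""
import re
from urllib.parse import unquote_plus

# Markers of a second statement stacked onto a value that should be a plain
# integer. Hypothetical pattern set for this example; tune to your application.
STACKED_BATCH = re.compile(
    r";\s*(declare|set|exec(ute)?|cast|update|insert|drop)\b", re.IGNORECASE)

# Simplified W3C field order, constructed for this example (real IIS logs
# declare their fields in the #Fields: directive; read that in production).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "c_ip", "status"]

def parse_w3c_line(line):
    """Split one W3C log line into a dict; None for directives/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def decode_query(raw):
    """Decode percent-encoding twice so a double-encoded ';' (%253B) is seen too."""
    return "" if raw == "-" else unquote_plus(unquote_plus(raw))

def find_stacked_injection(lines):
    """Return (client_ip, uri_stem, decoded_query) for each suspicious request."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        query = decode_query(rec["uri_query"])
        if STACKED_BATCH.search(query):
            hits.append((rec["c_ip"], rec["uri_stem"], query))
    return hits

# Constructed sample log: a normal request, a stacked batch in the shape shown
# in the comment above, and a double-encoded variant. RFC 5737 documentation IPs.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-04-25 10:00:01 192.0.2.10 GET /show.asp PageID=123 198.51.100.7 200
2008-04-25 10:00:02 192.0.2.10 GET /show.asp PageID=123;Declare%20@a;Set%20@=123;Exec(@); 203.0.113.5 200
2008-04-25 10:00:03 192.0.2.10 GET /show.asp PageID=123%253BDeclare%2520@a%253BExec(@)%253B 203.0.113.5 500
"""

if __name__ == "__main__":
    for ip, stem, query in find_stacked_injection(SAMPLE_LOG.splitlines()):
        print(f"suspicious request from {ip} to {stem}: {query}")
```

Matches are a triage list, not proof of compromise: a 200 response to a flagged request is the case worth checking against the database with a scan like the one posted above.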

It is important to learn how to implement best security practices and protect your database. There's a great tutorial test on www.microsoft.com/hellosecureworld7 where you can see an SQL Injection attack in action and learn ways to stop it. Look for the SQL Injection Lab.

May 22 2008 by Fred