SQL Injection Attacks on IIS Web Servers

You may have seen recent reports stating that web sites running on Microsoft's Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS, or to issues related to Microsoft Security Advisory 951306, which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that takes advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

Guidance from Microsoft on web application development best practices can also be found on this MSDN page. Best-practice guidelines that developers can follow to mitigate SQL injection are located here. As we make progress in our investigation of this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe to or visit the IIS security forum.
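As an added example (not code from this post or from the MSDN guidance it links to), here is the pattern the automated attacks rely on, a query built by concatenating a request value into SQL text, beside the parameterized form the best-practice guidance recommends. The ProductLookup class and the dbo.Products table with its Id, Name and Sku columns are assumed names.

```csharp
// Added example, not from the original post. Hypothetical ASP.NET data-access
// helper; dbo.Products, Id, Name and Sku are assumed names.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // VULNERABLE: the raw request value becomes part of the SQL text, so a
    // value carrying a quote, or a semicolon followed by further statements,
    // is executed by SQL Server as T-SQL. This is the coding pattern the
    // automated attacks described in the post take advantage of.
    public static string GetNameUnsafe(SqlConnection conn, string idFromRequest)
    {
        string sql = "SELECT Name FROM dbo.Products WHERE Id = " + idFromRequest;
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: the statement text is fixed; the value is bound as a typed
    // parameter and can never change the structure of the statement.
    public static string GetNameSafe(SqlConnection conn, string idFromRequest)
    {
        int productId;
        if (!int.TryParse(idFromRequest, out productId))
        {
            // Reject the request instead of passing the value on; logging the
            // rejected value gives a simple detection signal for probing.
            throw new ArgumentException("id must be an integer", "idFromRequest");
        }

        const string sql = "SELECT Name FROM dbo.Products WHERE Id = @Id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = productId;
            return cmd.ExecuteScalar() as string;
        }
    }

    // The same rule applies to string values: bind them as a sized parameter
    // rather than quoting them into the statement.
    public static string GetNameBySku(SqlConnection conn, string sku)
    {
        const string sql = "SELECT Name FROM dbo.Products WHERE Sku = @Sku";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Sku", SqlDbType.NVarChar, 50).Value = sku;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

In a page the safe form is called as ProductLookup.GetNameSafe(conn, Request.QueryString["id"]); the database login the application uses should also be restricted to the tables and procedures it needs, so that a remaining flaw elsewhere cannot be used to update every text column on the server.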

For end users, the investigation also shows no indication of an unpatched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend that customers apply the latest updates to be protected from these attacks.

To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: www.microsoft.com/protect.

Anyone who believes they have been affected can visit http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at www.ic3.gov.

Published Friday, April 25, 2008 9:33 PM by bills

Comments


# Questions about Web Server Attacks

Saturday, April 26, 2008 1:25 AM by The Microsoft Security Response Center (MSRC)

Hi there this is Bill Sisk. There have been conflicting public reports describing a recent rash of web

# Recent slate of IIS attacks - more info

Saturday, April 26, 2008 8:25 AM by K. Brian Kelley - Databases, Infrastructure, and Security

The recent slate of attacks on IIS servers don't seem to be an attack directly against IIS or against

# SQL Injection Attacks on IIS Web Servers

Saturday, April 26, 2008 8:35 AM by Guy Barrette

There have been conflicting reports about SQL Server injection attacks and a possible new IIS vulnerability

# re: SQL Injection Attacks on IIS Web Servers

Sunday, April 27, 2008 12:04 PM by Peter

Ahhh BS, what's all this hoopla about?! Just tell it like it is: A LOT of developers are just plain lazy and don't care enough to use parameterized queries; end of story.

# New wave of SQL Injection/iFrame attacks: the importance of application security and security patching

Monday, April 28, 2008 10:07 AM by Security Blog di Feliciano Intini

The "secure" blogosphere (a playful name I use for the set of blogs/e-magazines in

# Weak SQL coding techniques result in Huge SQL Injection attacks

Monday, April 28, 2008 1:47 PM by Harry Waldron - My IT Forums Blog

A new major security attack occurred over the weekend, where over one half million web pages became infected

# re: SQL Injection Attacks on IIS Web Servers

Monday, April 28, 2008 2:33 PM by Paintworkzstudio

Does denying access to the web server still allow a SQL attack?

# re: SQL Injection Attacks on IIS Web Servers

Monday, April 28, 2008 8:32 PM by kazım

thank you

# re: SQL Injection Attacks on IIS Web Servers

Tuesday, April 29, 2008 12:36 AM by John.B

Even if Microsoft is not at fault for the SQL injection attacks, the malware specifically targets Windows clients.

Since the SQL injection attack is specific to T-SQL, wouldn't it be responsible to give developers and DBAs some hints to at least detect infections?  Other than using Google to find all 500,000 infected web pages?

# re: SQL Injection Attacks on IIS Web Servers

Tuesday, April 29, 2008 12:45 AM by max stirner

If this is not due to an IIS vulnerability, why does it only affect IIS servers?

# re: SQL Injection Attacks on IIS Web Servers

Tuesday, April 29, 2008 10:44 AM by bills

Hi Max,

The exploit code is specific to SQL Server, which is normally found behind an ASP/ASP.NET application that has not followed best practices. The exploit code doesn't work against MySQL or other databases, which is why it appears to be an IIS/ASP/ASP.NET/SQL bug, but it is not. The same exploit could have been done with code specific to MySQL or any other database.

# re: SQL Injection Attacks on IIS Web Servers

Tuesday, April 29, 2008 10:58 AM by SR - UK

John.B - MS do provide info for developers and DBAs, either via MSDN:

msdn2.microsoft.com/.../ms161953.aspx

or via multiple blog entries, for example:

http://blogs.msdn.com/raulga/

The problem is that most devs and DBAs are just not interested in doing the work...

# re: SQL Injection Attacks on IIS Web Servers

Tuesday, April 29, 2008 1:06 PM by RobIII

I wrote some T-SQL to scan your entire server for "<script" in all databases.

================
-- Run the scan in every database on the instance; sp_msforeachdb substitutes each database name for ?
exec sp_msforeachdb '
Print(''Scanning Database [?]'')
DECLARE @T varchar(255), @C varchar(255)
-- Every ntext (99), text (35), nvarchar (231) and varchar (167) column of every user table (xtype u)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from [?].dbo.sysobjects a,[?].dbo.syscolumns b
where a.id=b.id and a.xtype=''u'' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
order by a.name, b.name
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- Skip temporary tables
If Left(@T,1)<>''#''
Begin
Print('' Scanning Table [''+@T+''], Column: [''+@C+'']'')
-- Report the table and column if any row of this column contains "<script"
Exec(''if exists(select [''+@C+'']  from [?].dbo.[''+@T+''] where [''+@C+''] like ''''%<script%'''') print ''''>>> FOUND in [''+@T+''].[''+@C+'']'''''')
End
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
'
================

Just search the printout for ">>> FOUND" to see in what table the malicious code was found.

Be warned: this might take a LONG time!

# Huge web attack blamed on IIS?

Tuesday, April 29, 2008 5:24 PM by Out Of The Box

Don't know if you saw this, but it's certainly scary . There are several articles out about a massive

# Lots of SQL injection flying around the internet...Are you performing input field validation?

Tuesday, April 29, 2008 6:16 PM by shawnbass.com - Security blog

For those not familiar with SQL injection, it's, in its simplest form, a method of injecting a SQL statement into a database server by way of hiding it in a web parameter. There's a more detailed ...

# The IIS servers are dropping

Wednesday, April 30, 2008 6:08 AM by Balássy György (MSDNKK)

Recently, more and more reports have appeared on the web claiming that there may be a serious bug in Windows

# May 2008 - Technical Rollup Mail - Internet

Thursday, May 01, 2008 3:32 AM by Technical RollUp

News Microsoft Internet Security and Acceleration Server Forefront Threat Management Gateway, the Next

# Jon's News Wrapup - May 8, 2008 Edition

Thursday, May 08, 2008 5:15 AM by Jon Galloway

# re: SQL Injection Attacks on IIS Web Servers

Thursday, May 08, 2008 10:34 AM by Joseph

A few of our legacy ASP applications were affected by this outbreak. It was an accident waiting to happen, though. The blame is on the poorly written code, not on SQL or IIS. Since it is too expensive (and difficult) to fix all the code, you have to live with it. I found an interesting and free (GNU, with source code) application for IIS that proved very efficient. I am still being attacked, but the filter has blocked the effects of such attacks.

Installation and code can be found here:

www.codeplex.com/IIS6SQLInjection

The only bad thing is that it is not compatible with 64-bit Windows. I had to move all ASP applications to a lesser server :(
