Apr 28 2008

0day gets hundreds of thousands of web servers

Published by at 5:19 am under Hacking

If you’ve got an IIS server, you’ll want to take a long look at your traffic and make sure you’re not one of the ‘hundreds of thousands’ of Microsoft web servers that have been compromised. Microsoft is staying quiet on this one; it’s F-Secure and Panda Security who are reporting the problem. And it appears to be quite a problem, since the script injected into the sites is redirecting web surfers to sites that aren’t nearly as wholesome as the original target site. There is a Microsoft advisory with a workaround to block this vulnerability, and Dancho Danchev has a write-up that includes information about the malware that’s being served up with this attack.

A 0day with an automatic discovery and dissemination tool shouldn’t be a surprise to anyone. The fact that it’s hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis? This is another SQL injection attack against the servers, so I wonder whether a web app firewall would have protected against this, or whether tuning it would have just opened a hole for the attack vector.
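Since the post’s advice is to look at your traffic, here is what that look can consist of in practice: a small scanner over IIS W3C extended log lines that URL-decodes each request’s query string and flags the generic shapes of injected SQL (T-SQL batches with DECLARE, hex blobs fed through CAST, stacked statements after a semicolon, UNION SELECT, comment terminators). This is an added example and not code from the original post or from any vendor named in it; the log lines are constructed, the indicator list and the function names are my own assumptions, and the patterns are intentionally broad, so expect some noise on legitimate parameters that contain "--".

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS 6 W3C extended log sample (hypothetical, not from the post).
# In this format spaces inside a field (e.g. the User-Agent) are written as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-04-27 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-04-27 03:12:09 10.0.0.5 GET /products.asp id=17 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-04-27 03:12:41 10.0.0.5 GET /products.asp id=17;DECLARE+@x+VARCHAR(10);SET+@x=CAST(0x4142434445464748494a+AS+VARCHAR(10)) 80 - 198.51.100.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-04-27 03:13:02 10.0.0.5 GET /search.asp q=blue+widgets 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-04-27 03:13:55 10.0.0.5 GET /news.asp id=3'+OR+1=1-- 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 500 0 0
"""

# Indicator names and patterns are assumptions chosen for this example; they are
# deliberately generic rather than a signature for one particular campaign.
INDICATORS = [
    ("tsql-batch", re.compile(r"\bdeclare\s+@\w+", re.I)),
    ("hex-cast", re.compile(r"\bcast\s*\(\s*0x[0-9a-f]{8,}", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("stacked-statement", re.compile(r";\s*(exec|set|declare|insert|update|drop)\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)")),
]


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed or truncated lines rather than guessing
        yield dict(zip(fields, parts))


def decode_query(query):
    """URL-decode the query string; decode twice so double-encoding does not hide tokens."""
    if query == "-":
        return ""
    decoded = unquote_plus(query)
    if "%" in decoded:
        decoded = unquote_plus(decoded)
    return decoded


def classify(query):
    """Return the names of all indicators that match the decoded query string."""
    return [name for name, pattern in INDICATORS if pattern.search(query)]


def scan_log(text):
    """Return one hit per request whose query string matches at least one indicator."""
    hits = []
    for rec in parse_w3c(text):
        query = decode_query(rec.get("cs-uri-query", "-"))
        found = classify(query)
        if found:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "c-ip": rec["c-ip"],
                "cs-uri-stem": rec["cs-uri-stem"],
                "sc-status": rec["sc-status"],
                "indicators": found,
            })
    return hits


def count_by_source(hits):
    """Aggregate hits per client IP, which is what you would triage or block first."""
    counts = {}
    for h in hits:
        counts[h["c-ip"]] = counts.get(h["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["c-ip"], h["cs-uri-stem"], h["sc-status"], ",".join(h["indicators"]))
    print(count_by_source(scan_log(SAMPLE_LOG)))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a request that trips "tsql-batch" or "hex-cast" and still returns 200 is the one to check against the database, since a 500 usually means the injection failed while a 200 means the application swallowed the batch. This is also why a WAF rule built from the same patterns is only a stop-gap: the actual fix is parameterised queries in the application.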

Edit: Microsoft does have something to say after all. Thanks, Ben.



4 Responses to “0day gets hundreds of thousands of web servers”

  1. Ben on 28 Apr 2008 at 8:55 am

    They’ve not been too quiet… see this post from late Friday with links to another advisory and a blog write-up on IIS.net…
    http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

  2. Larry Seltzer on 28 Apr 2008 at 3:36 pm

    There is no 0day and the servers aren’t compromised. It’s SQL injection attacks against poorly-written applications. The Washington Post story made an excessive leap to the conclusion that it must be as a result of the vulnerability disclosed the week before, but that vulnerability is quite difficult to exploit and probably can’t be on a default install.

  3. Martin on 28 Apr 2008 at 4:05 pm

    Thanks for the clarification Larry. Brian was a bit overzealous on this one, but he’s usually pretty close to the mark. I continue to have confidence in his writing. I didn’t have to propagate the message without further corroboration either. Live and learn.

    Martin

  4. […] Information security framework Jane Agarwal  –  Dec 08, 2011  –  Business, Information, Security  –  No Comments A 0day with an automatic discovery and dissemination tool shouldn’t be a surprise to anyone. The fact that it’s hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis? Source: Network Security Blog […]
