[nsp-sec] Thoughts on the mass SQL injections
Shelton, Steve
sshelton at Cogentco.com
Tue Jun 24 07:18:09 EDT 2008
Donald et al,
You have a very good point, and we all know that a percentage of elements tied to the underground economy have been data mining search engines for years; it is a sore spot that needs some attention in order to curtail the current trend.
I know of at least three irc networks that run pretty much on auto pilot from OS / web application "dork" or "string" searches, data returned and tested for exploitation, content uploaded via URL injection or script injection, and ID theft via SQL injection against victims' sites that are found to be exploitable, all of which seems to be based on data mining search engines for victims.
I would suspect that any effort by the major search engine players to defeat their bots from data mining for known "strings" or "dorks" would make it much more difficult for them to target victims.
As I see it day in and day out, I'd say we would see a drastic decrease in the following areas.
- Phishing
- Spam [419 - Phishing]
- DOS [UDP fragmented and HTTP]
- SQL injection
- Script injection
- URL inclusion
- SSH Brute force
While the following is not an all-inclusive list, I plucked the following from one such server a few minutes ago.
<@GigoloBali-975> ¤[D3DYscan]¤ Results for "powered by siteframe"
<@GigoloBali-975> ¤[D3DYscan]¤ Google 600 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ MSN 1944 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ AllTheWeb 960 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ ASK 1824 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ UOL 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Lycos 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ FireBall 3330 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ UOL 5232 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Altavista 909 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ MSN-FR 414 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ MSN-DE 900 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ MSN-BE 312 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ MSN-CA 420 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ MSN-JP 180 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Libero 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Alice 303 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Hotbot 66 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Mozbot 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Search 498 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Gigablast 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Guruji 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Baidu 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Naver 1800 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Startpoint 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ AOL 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Yahoo 759 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Mamma 0 Sites
<@GigoloBali-975> ¤[D3DYscan]¤ Total Keseluruhan 18651 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 2430 of 5310 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 2460 of 5310 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 30 of 436 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 2490 of 5310 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 60 of 436 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 2520 of 5310 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 2550 of 5310 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 90 of 436 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 120 of 436 Sites
* Joins: Prince (Prince at MILD-6FD07F50.server4you.de)
<@GigoloBali-975> |.:Scan:.| Exploiting 2580 of 5310 Sites
<@GigoloBali-975> |.:Scan:.| Exploiting 2610 of 5310 Sites
Steve Shelton
Network Security Engineer
Cogent Communications
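The thread's concern is search-engine "dork" queries steering automated scanners onto injectable ASP pages. As an added example (not part of this mail or of any tool the list discusses), the following Python script reads combined-format access-log lines, flags requests whose query-string values carry SQL injection indicators, and records whether the request arrived from a search-engine result page, which is the referer footprint a dork-driven scanner tends to leave. The log lines, the search-engine host list and the indicator regexes are constructed assumptions; tune them to your own environment.

```python
"""Flag likely SQL injection probes in access logs and note whether each
request came in from a search-engine result page.
Added example; the sample log lines below are constructed, not real traffic."""
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Combined log line: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostname fragments treated as search engines (assumption; extend as needed).
SEARCH_ENGINE_MARKERS = ("google.", "msn.", "yahoo.", "ask.", "altavista.", "lycos.", "baidu.")

# Indicator name -> regex applied to each decoded query-string value (assumed heuristics).
SQLI_PATTERNS = {
    "tautology": re.compile(r"""['"]\s*(?:or|and)\s+\S+?\s*=\s*\S+""", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "stacked_statement": re.compile(r";\s*(?:declare|exec|drop|insert|update|delete)\b", re.I),
    "trailing_comment": re.compile(r"(?:--|/\*)\s*$"),
}


def parse_line(line):
    """Split one log line into its fields; None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def from_search_engine(referer):
    """True when the Referer host looks like a search engine result page."""
    host = (urlparse(referer).hostname or "").lower()
    return any(marker in host for marker in SEARCH_ENGINE_MARKERS)


def sqli_indicators(path):
    """Return the indicator names matched by any query-string value of `path`."""
    query = urlparse(path).query
    hits = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            # parse_qs decoded once; decode again to catch double-encoded payloads
            for candidate in (value, unquote_plus(value)):
                for name, pattern in SQLI_PATTERNS.items():
                    if name not in hits and pattern.search(candidate):
                        hits.append(name)
    return hits


def analyze(lines):
    """Return one finding per line that carries at least one injection indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        indicators = sqli_indicators(rec["path"])
        if indicators:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "indicators": indicators,
                "from_search_engine": from_search_engine(rec["referer"]),
            })
    return findings


# Constructed sample: a benign hit from a dork-style search, a tautology probe
# from the same search, a UNION probe with no referer, and a benign apostrophe.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2008:07:01:10 -0400] "GET /products.asp?id=42 HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=%22powered+by+siteframe%22" "Mozilla/4.0"',
    '198.51.100.7 - - [24/Jun/2008:07:02:31 -0400] '
    '"GET /products.asp?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 88210 '
    '"http://www.google.com/search?q=%22powered+by+siteframe%22" "Mozilla/4.0"',
    '198.51.100.9 - - [24/Jun/2008:07:03:02 -0400] '
    '"GET /news.asp?id=5%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312 "-" "Mozilla/4.0"',
    '203.0.113.8 - - [24/Jun/2008:07:04:45 -0400] "GET /search.asp?q=o%27neill HTTP/1.1" 200 2210 '
    '"-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The benign `o'neill` search term shows why the tautology check requires an `or`/`and` after the quote: an apostrophe alone is normal user input. Findings whose `from_search_engine` flag is set are the ones worth correlating with the dork strings in the Referer query, which tells you which "powered by" fingerprint on your site drew the scanner.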
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Smith, Donald
Sent: Monday, June 23, 2008 3:08 PM
To: Seth Hall; Chris Morrow
Cc: nsp-security NSP
Subject: Re: [nsp-sec] Thoughts on the mass SQL injections
----------- nsp-security Confidential --------
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Seth Hall
> Sent: Monday, June 23, 2008 10:40 AM
> To: Chris Morrow
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] Thoughts on the mass SQL injections
>
> ----------- nsp-security Confidential --------
>
>
> On Jun 23, 2008, at 11:58 AM, Chris Morrow wrote:
> > I think, thought someone chunked the particular query type 2+ weeks
> > ago so it'd return nothing or some interstitial page... if there's
> > an example query I can take a poke around.
>
>
> I don't really know what could be done to filter these results from
> the search engine, but here's an example of what I'm talking about...
> http://www.google.com/search?q=wow112
Filtering those out of google only "fixes" one search engine.
There are a lot of search engines out there; do we expect to get this
type of "cooperation" from other search engine owners?
Speaking of which, are there other search engine owners we should have on
this list?
>
> It comes back with a lot of sites with definite SQL injection
> vulnerabilities. I checked the first site that showed up, and it
> looks like they cleaned up the content on the page but they're still
> vulnerable to SQL injection attacks. Because all of these sites are
> pretty certain to be MSSQL behind ASP and tools already exist for
> dumping the database schema in this scenario (a tool named HackomatiX,
> but its site's down) it doesn't take too much of a stretch of the
> imagination to foresee a malicious individual writing a script that
> grabs all sorts of sensitive data from these sites.
>
> Doing a search for the second level domain of almost any of the names
> on http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
> comes up with similar results.
>
> .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>