SQL database attack hits thousands of web pages

Injection attack comes back to haunt SQL administrators


An old hack attack has come back to haunt SQL databases, after reports that a widespread attack has compromised thousands of web pages, including some from the Wall Street Journal.

Writing on web security vendor ScanSafe's blog, one of its security researchers, Mary Landesman, said that "about 7,000 web pages (not sites) have been struck by SQL injected iframes pointing to malware on robint.us."

But the problem could have been worse.

Landesman added that it wasn't uncommon to see over a million web pages compromised in a single attack, "so 7,000 is a vast improvement and shows that at least many sites are paying attention and taking the appropriate security measures".

As well as the potential to drive traffic away from web sites, the attacks can lead to botnet formation.

Users visiting affected sites get redirected to malicious web servers, which try to install malware used for remotely controlling end user PCs and forming botnets.
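The injected iframes described above live in the site's own database content, so a site operator can look for them directly. The following scan is an added example written for this article, not a tool from ScanSafe, HP or the article's author: it walks stored page bodies, pulls out every iframe or script `src`, and flags any that points at a host outside a constructed allow list (the sample rows, the trusted hosts and the `malicious.example` domain are all made up for the illustration).

```python
import re
from urllib.parse import urlparse

# Constructed allow list: hosts this (hypothetical) site legitimately embeds from.
TRUSTED_HOSTS = {"www.example-news.com", "static.example-news.com"}

# Match <iframe ...src=...> and <script ...src=...>, capturing the src value.
TAG_SRC = re.compile(
    r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)",
    re.IGNORECASE,
)


def find_untrusted_embeds(html: str):
    """Return (tag, host) pairs for embeds whose host is not on the allow list."""
    hits = []
    for match in TAG_SRC.finditer(html):
        tag, src = match.group(1).lower(), match.group(2)
        host = urlparse(src).hostname
        if host is None:
            # Relative URL: same origin, so not an external injection.
            continue
        if host.lower() not in TRUSTED_HOSTS:
            hits.append((tag, host.lower()))
    return hits


def scan_rows(rows):
    """Map row id -> untrusted embeds, for every row that has at least one."""
    findings = {}
    for row_id, body in rows:
        hits = find_untrusted_embeds(body)
        if hits:
            findings[row_id] = hits
    return findings


# Constructed sample of (id, body) rows as they might come from a CMS table.
SAMPLE_ROWS = [
    (101, '<p>Front page story.</p>'
          '<script src="https://static.example-news.com/app.js"></script>'),
    (102, '<p>Sports.</p>'
          '<iframe src="http://malicious.example/u.js" width=0 height=0></iframe>'),
    (103, '<p>Weather</p><img src="/img/sun.png">'),
]

if __name__ == "__main__":
    for row_id, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: {hits}")  # prints row 102 with its iframe host
```

In practice the rows would come from a query such as `SELECT id, body FROM pages` run in batches; the allow list is the only site-specific part, and anything it does not cover is worth a human look rather than an automatic delete, since a legitimate third-party widget will show up the same way.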

The botnets can be used to deliver distributed denial of service (DDoS) attacks or to blackmail firms with the threat of a crashed web site.

The main technique for stopping SQL injection attacks is to construct SQL statements correctly, ensuring that no user input is ever embedded directly in the text of an SQL query.

Checking URL parameters and cookie values can also help guard against SQL injection attacks.
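To make the two pieces of advice above concrete, here is an added example (not code from the article, ScanSafe or HP) using Python's built-in `sqlite3` module against a constructed in-memory `users` table. It puts the string-concatenation pattern next to the parameterised form, and adds an allow-list check for an `id` parameter of the kind that arrives in a URL or cookie; the table, rows and function names are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data; the apostrophe in "O'Brien" is an ordinary value
# that nonetheless breaks any query built by string concatenation.
SAMPLE_ROWS = [
    (1, "alice", "editor"),
    (2, "O'Brien", "reader"),
    (3, "carol", "reader"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name: str):
    """Vulnerable pattern: user input is pasted into the SQL text itself."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name: str):
    """Hardened pattern: a placeholder binds the input as data, never as SQL."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Allow-list for an id taken from a URL parameter or cookie: digits only.
ID_PATTERN = re.compile(r"^[0-9]{1,9}$")


def parse_id_param(raw):
    """Return the id as an int if it passes the allow-list check, else None."""
    if raw is None or not ID_PATTERN.match(raw):
        return None
    return int(raw)


def lookup_by_id(conn, raw_id):
    """Validate the parameter first, then still bind it rather than concatenate."""
    uid = parse_id_param(raw_id)
    if uid is None:
        return []
    return conn.execute("SELECT id, name, role FROM users WHERE id = ?", (uid,)).fetchall()


def demonstrate():
    """Show the difference on the same input; returns results for inspection."""
    conn = make_db()
    try:
        lookup_unsafe(conn, "O'Brien")
        unsafe_failed = False
    except sqlite3.OperationalError:
        # The quote in the value became part of the SQL grammar.
        unsafe_failed = True
    return {
        "unsafe_failed": unsafe_failed,
        "safe_rows": lookup_safe(conn, "O'Brien"),
        "by_id": lookup_by_id(conn, "2"),
        "bad_id": lookup_by_id(conn, "2abc"),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The concatenated query fails on a perfectly legitimate surname, which is the same defect an attacker exploits: the database cannot tell where the query ends and the data begins. The parameterised query fixes that at the root, and the allow-list check on the id is a second, independent layer for values that should only ever be a number.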

The injection attack was first noticed in January.

An HP Security Labs blog post said HP had "started to observe these attacks in January. They spread to over 500,000 sites by April before calming down and then picking up again in May."

Working with Microsoft's Security Resource Centre, HP's Web Security Research Group has released a security tool called Scrawlr for web site managers to check their web sites for vulnerability to SQL injection attacks.