JPCERT-AT-2008-0005
JPCERT/CC
2008-03-14 (First edition)
2008-04-08 (Updated)
<<< JPCERT/CC Alert 2008-03-14 >>>
Websites Compromised by SQL Injection Attacks
http://www.jpcert.or.jp/at/2008/at080005.txt
I. Overview
For the last several days, SQL injection attacks have been observed
both inside and outside Japan, resulting in many websites being
altered. When a user views an altered website, malware could be
installed on the user's computer.
1) An attacker, exploiting a web application vulnerability, embeds
script tags in data stored in a database. This alters content that is
viewed by users.
2) A malicious script may be executed on the computer of a user who
visits an attacked site, and malware may be installed.
*** Update: Added on April 8, 2008 *********************************
JPCERT/CC has found that the domains used for attacks have
changed at the beginning of April, and that many websites inside and
outside of Japan have been altered by these attacks. Users should be
careful when viewing websites since these attacks may still be ongoing.
********************************************************************
II. Solution
JPCERT/CC recommends the following solutions:
[End users]
The attacks exploit known vulnerabilities. The solutions below
will reduce the risk of attacks.
- Keep the OS and installed applications up-to-date.
- Use an antivirus software with the latest definition file
applied.
Also, attacks may be mitigated by disabling JavaScript execution
because these attacks use JavaScript installed in an external
site.
[Server administrators]
Due to the SQL injection attacks, unintended scripts may be
inserted in the contents that are dynamically generated by a web
server. Make sure that public contents and databases are not
altered.
Characteristics: JavaScript that refers to an unfamiliar domain
or IP address
*** Update: Added on April 8, 2008 *************************
Note: JavaScript with other file names may also be used.
************************************************************
If an alteration is found, a vulnerability may exist in the web
application. It is recommended to consider taking an appropriate
response such as an investigation.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN
"How to Secure Your Web Site 3rd Edition"
http://www.ipa.go.jp/security/vuln/websecurity.html
III. References
US-CERT
Compromised Websites Redirect Users to Malicious Websites
http://www.us-cert.gov/current/archive/2008/03/13/archive.html#website_compromises_facilitating_exploitation_of
Little eArth Corporation Co., Ltd.
Web page alterations by SQL injection attacks targeting Japan,
and malware infection due to accessing the altered pages
http://www.lac.co.jp/news/press20080312.html
If you have any information you could provide regarding this alert,
please contact us.
________
Revision history
2008-03-14 First edition
2008-04-08 Added that the SQL injection attacks are still continued
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600 FAX: 03-3518-4602
http://www.jpcert.or.jp/