Learn how to protect your website against SQL injections

Sep 21, 2011 08:40 GMT

The website of a highly popular Venezuelan newspaper, along with others, has been altered with a piece of code that can compromise the integrity of databases.

Websense Security Labs informs us that the site was compromised on September 19 with a script reference that looks something like “dfrgcc.com/ur.php”.

After a close look at the Últimas Noticias page, the injected script appears to have been removed. In an effort to find more information on the attack, which according to Websense resembles a variant of the iTunes injection attack, I performed a simple Google search on the URL listed above.

The results were shocking!

A large number of results came up, showing many website sources that contain the malicious code. The first link, owned by My Spiritual Experts, is already shut down, perhaps because the webmasters noticed the exploit.

Other links point to Gulf Coast, Weekly Gripe, personal blogs and restaurants, so there appears to be no pattern in the type of site targeted.

In the past few hours, Microsoft's ASP.NET forum has been flooded with posts about this attack. Members complain about SQL injections that inserted the script into every single row of their databases.

At first it was believed that GoDaddy-hosted sites were the primary target, but it seems that others were also affected.

To protect your website against such SQL injections, Mikesdotnetting recommends the use of parameterized queries. He proposes a method long used by C# developers: placeholders stand in for the values, which makes sure that a value of the wrong data type isn't inserted where it doesn't belong.

Basically, the technique puts SQL placeholders in the statement for values that are supplied to the query at runtime, so those values are passed to the database as data rather than spliced into the SQL text. The parameters also ensure type safety: an exception is thrown if a value cannot be converted to the numeric type that a database field expects. In the current case, this would make sure that the malicious code cannot be inserted that easily as a field value.
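The following is an added example, not code from the article or from Mikesdotnetting, showing the string-concatenated query beside its parameterized form on a small constructed SQLite table (the table name, column names and the placeholder script URL are assumptions; the explicit `int()` conversion stands in for the typed parameter the article describes):

```python
import sqlite3

# Constructed sample data: a tiny comments table standing in for a site's database.
SCHEMA = """
CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL);
INSERT INTO comments (id, body) VALUES (1, 'First post'), (2, 'Second post');
"""
# Constructed stand-in for the injected script tag (placeholder host, not the real one).
INJECTED_BODY = "<script src='http://example.invalid/ur.php'></script>"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_comment_vulnerable(conn, comment_id):
    # BAD: the user-supplied value is pasted into the SQL text, so it is parsed as SQL.
    sql = f"SELECT id, body FROM comments WHERE id = {comment_id}"
    return conn.execute(sql).fetchall()


def fetch_comment_safe(conn, comment_id):
    # Enforce the column's type first: anything that is not an integer is rejected
    # before it reaches the database (the role a typed parameter plays in ADO.NET).
    try:
        comment_id = int(comment_id)
    except (TypeError, ValueError):
        raise ValueError(f"comment id must be an integer, got {comment_id!r}")
    # The ? placeholder is filled in by the driver; the value is never parsed as SQL.
    sql = "SELECT id, body FROM comments WHERE id = ?"
    return conn.execute(sql, (comment_id,)).fetchall()


def add_comment_safe(conn, body):
    # Text is bound as data: a <script> tag in the body is stored as a literal
    # string and cannot alter the INSERT statement itself.
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def demo():
    # Run both forms against the same input and report what each one did.
    conn = make_db()
    results = {"vulnerable_rows": fetch_comment_vulnerable(conn, "1 OR 1=1")}
    try:
        fetch_comment_safe(conn, "1 OR 1=1")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    new_id = add_comment_safe(conn, INJECTED_BODY)
    results["stored_body"] = fetch_comment_safe(conn, new_id)[0][1]
    return results
```

The vulnerable form returns every row for a tautology in the id, while the parameterized form rejects the non-integer id outright and stores the script tag as inert text.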