Smokey's Security Weblog

veritas odium parit

Hundreds of Thousands of Microsoft Web Servers Hacked

April 25, 2008; 8:00 AM ET

Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government – have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.

The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft’s Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn’t aware of anyone trying to exploit that particular weakness.

“Microsoft is currently aware of and is receiving reports regarding public claims of attacks on IIS Web servers,” said Bill Sisk, a security response manager at Microsoft, in a statement e-mailed to Security Fix. “While we have not be [sic] contacted directly regarding these reports, we will continue to monitor all reports either publically [sic] shared or responsibly disclosed and investigate once sufficient details are provided. We have not yet determined whether or not these reports are related to Microsoft Security Advisory (951306) released last week.”

Dancho Danchev, an independent security analyst, has a decent write-up on signs that Web site owners can look for to tell whether their site has been hit by this attack. Danchev said all of the hacked sites appear to have JavaScript code added to their page source that silently pulls down malware from a few domains in China, namely, and

Needless to say, if you run a Google search for these sites you will find tens of thousands that contain the script that redirects any visitors to these malicious sites. I would strongly urge people to steer clear of those sites: I mention them here so that Web site owners can more easily search the HTML code in their pages for these domains.
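The check suggested above, generalized as an added example (not part of the original post): instead of searching only for known-bad domain names, it lists every `<script>` or `<iframe>` in a page whose source host is not one of the site's own. The flagged domains and the site's host names are constructed placeholders, since the names did not survive on this page.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholders: the domain names did not survive on this page.
FLAGGED_DOMAINS = {"dropper.example", "malware-host.example"}
# Assumption: hosts this site legitimately loads scripts and frames from.
OWN_HOSTS = {"www.mysite.example", "static.mysite.example"}

class SrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, src, line) per <script>/<iframe> with a src

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.refs.append((tag, src.strip(), self.getpos()[0]))

def scan_html(text, own_hosts=OWN_HOSTS, flagged=FLAGGED_DOMAINS):
    """Return (line, tag, host, verdict); subdomains of a flagged domain match."""
    collector = SrcCollector()
    collector.feed(text)
    findings = []
    for tag, src, line in collector.refs:
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host is None or host in own_hosts:
            continue
        bad = any(host == d or host.endswith("." + d) for d in flagged)
        findings.append((line, tag, host, "flagged" if bad else "unexpected"))
    return findings

def scan_tree(root, exts=(".html", ".htm", ".asp", ".aspx")):
    """Scan page files under root; return {path: findings} for files with hits."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(exts)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_html(fh.read())
            if found:
                hits[path] = found
    return hits
# Constructed sample page: line 3 carries a script tag from a flagged domain.
SAMPLE = """<html><script src="/js/app.js"></script>
<script src="http://static.mysite.example/lib.js"></script>
<p>News</p><script src="http://www.dropper.example/1.js"></script>
<iframe src="//cdn.other.example/w.html"></iframe></html>
"""
```

An "unexpected" verdict is a prompt to review, not proof of compromise; this scan covers files on disk only, so pages assembled from database content also need checking as rendered.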

If you run your site with IIS, please take a moment to consider applying the workarounds in the Microsoft advisory for your version of IIS. Also, that post I mentioned earlier has some great tips to help administrators lock down their systems.


SQL Injection Attacks on IIS Web Servers

April 25, 2008 9:33 PM

You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the site. For the latest information on this issue, please subscribe or visit the IIS security forum.

For end-users, the investigation also shows no indication of an un-patched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.

To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit:

Anyone believed to have been affected can visit: and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at:

Source and links provided by: BillS IIS Blog


April 25, 2008 - Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities
