Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Irony at its best. It appears that Redmond, The Independent Voice of the Microsoft IT Community (formerly known as Microsoft Certified Professional Magazine), is currently flagged as a badware site, and third-party exploit detection tools are also detecting internal pages as exploit-hosting ones, in this particular case as Mal/Badsrc-A. What is Mal/Badsrc-A? Mal/Badsrc-A, also known as HTML.XORER, is the detection name for a web page that has been compromised to load a script from a malicious website.

Redmond Magazine SQL Injected

Redmond's site is part of yet another massive and, naturally, automated SQL injection attack, whose main malicious URL appeared to be down when last checked. Who's behind it, and was Redmond's magazine targeted on purpose? Chinese hacktivists attempting to SQL inject as many sites as possible seem to have come across Redmond's site with no specific intention to do so, comment-spammed it, and left a message on the malicious domain (wowyeye.cn) which is descriptive enough to speak for itself:

"The invasion can not control bulk!!!!If the wrong target. Please forgive! Sorry if you are a hacker. send email to kiss117276@163.com my name is lonely-shadow TALK WITH ME! china is great! f**k france! f**k CNN! f**k ! HACKER have matherland!"

Two more related sites are affected as well, namely Redmond Developer News and Redmond Channel Partner Online. Bottom line: despite the fact that wowyeye.cn/ m.js is currently down, it managed to get injected into 49,900 sites, which, like the majority of sites that took part in the most recent tidal wave of successful SQL injection attacks, remain vulnerable to copycats introducing new malicious domains within the vulnerable sites.
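The campaign described above works by appending a `<script src=...>` tag pointing at an attacker-controlled domain to text columns in the victim's database, so every page that renders those columns loads the script. A site operator's first question is therefore whether any stored content references a script host they do not recognise. The following scanner is an added example written for this page, not code from the post or from Redmond Magazine; the allowlist of trusted script hosts, the row layout and the sample rows (with `malicious.example` standing in for the injected domain) are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (constructed allowlist; a real
# site would populate this from its templates and CDN configuration).
TRUSTED_SCRIPT_HOSTS = {"redmondmag.com", "www.redmondmag.com"}

# Matches <script ... src=...> in any casing, with or without quotes around the
# URL, which is how mass-injection payloads typically appear in stored text.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE
)


def injected_script_hosts(html, trusted=TRUSTED_SCRIPT_HOSTS):
    """Return the set of hosts referenced by <script src> tags in `html`
    that are not on the trusted allowlist."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        # Protocol-relative ('//host/m.js') and bare 'host/m.js' forms both occur;
        # give urlparse a netloc to work with in either case.
        url = src if "//" in src else "//" + src
        host = urlparse(url, scheme="http").hostname
        if host and host.lower() not in trusted:
            hosts.add(host.lower())
    return hosts


def scan_rows(rows, trusted=TRUSTED_SCRIPT_HOSTS):
    """rows: iterable of (table, primary_key, column, text), e.g. the result of
    SELECT-ing every text column of a content store. Returns a list of
    (table, pk, column, host) findings, one per untrusted script source."""
    findings = []
    for table, pk, column, text in rows:
        if text is None:  # NULL columns carry nothing to inspect
            continue
        for host in sorted(injected_script_hosts(text, trusted)):
            findings.append((table, pk, column, host))
    return findings


# Constructed sample rows standing in for a dump of the site's text columns.
SAMPLE_ROWS = [
    ("articles", 101, "body", "<p>Welcome to Redmond Magazine</p>"),
    ("articles", 102, "body",
     "<p>Product review</p><script src=http://malicious.example/m.js></script>"),
    ("comments", 7, "text",
     'Nice post<SCRIPT SRC="//malicious.example/m.js"></SCRIPT>'),
    ("articles", 103, "body",
     "<script src='https://www.redmondmag.com/site.js'></script>"),
    ("articles", 104, "body", None),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print("untrusted script reference:", finding)
```

Run the same function over the HTML of rendered pages as well as over raw rows: the two results differ when the injection lives in a column the templates do not escape, which is exactly the combination that gets a site flagged as badware. Cleaning the rows without fixing the injectable query, as the post notes, only invites the next copycat domain.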

Redmond Magazine SQL Injected

It is also important to emphasize that this is a lone-gunman operation, and not necessarily one backed by a botnet such as Asprox, which got some publicity for its involvement in automated SQL injection attacks. Whether or not a standalone SQL injecting tool was used (screenshots included), the concept of using botnets that build their hit lists from public search engines' indexes (screenshots included) and automatically SQL inject or remote-file-include them has been around for years, with such scanning modules available for botnet masters to take advantage of.

Redmond Magazine SQL Injected

And now that the probability of locating and successfully exploiting vulnerable sites is increasing due to the success rate of previous campaigns, what we will be dealing with for the next couple of months are the copycats who have just memorized a new buzzword -- SQL injection -- and efficiently execute massive unethical web application pen-testing all over the Web.

Topics: Malware, Microsoft, Security, Software

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

13 comments
  • But MSFT...

    ...has the best security in the universe.....

    Yeah, right!
    Jeremy W
    • It's hard to pin it on MS...

      BUT...aren't parameters supposed to protect you from SQL Injection in .Net. Are the developers of the hacked sites using these or are there flaws in it?

      I'm willing to bet a lot of them aren't. A culture of skill-lacking developers and admins has formed around MS and its click-next technologies. That's not to say every development culture doesn't have its dummies. But you seem to be guaranteed to find them in an MS shop.
      storm14k
      • I could say the same for web developers who use Linux/Unix...

        It's very important to implement code to sanitize user input and any other code to follow security practices...

        I do have an example: A web developer using ASP.net 2.0 who is running Windows Server 2003 can be a lot smarter and wiser than those who code PHP 5 running Linux. Of course I could change the wording, but again, lack of implementation and user input validation can be developers' fault and that's no matter the programming/scripting languages the developers are using.
        Grayson Peddie
    • Are you for real?

      Or are you just another paid troll from a competing company?
      AllKnowingAllSeeing
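storm14k asks above whether parameters are supposed to protect .NET sites from SQL injection, and Grayson Peddie answers in terms of sanitising input. The short answer is that bound parameters are the control that actually removes the bug: a parameter is never parsed as SQL, so no amount of quoting in the input changes the query. The following is an added example for this page, not code from the post, the commenters, or any of the affected sites; it uses Python's `sqlite3` (which supports the same `?` placeholders as ADO.NET's `@param` style) and a constructed two-row article table, and shows a search routine written both ways so the difference is visible in the results rather than argued about.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a site's article store: one
    published article and one draft that must never be shown to the public."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public story", 1), ("Unpublished draft", 0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Builds the statement by string concatenation. The search term becomes
    part of the SQL text, so a value containing a quote and a comment marker
    rewrites the WHERE clause instead of being matched as a title."""
    sql = ("SELECT title FROM articles WHERE published = 1 "
           "AND title LIKE '%" + term + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Passes the term as a bound parameter. The statement text is fixed;
    the driver hands the value to the engine separately, so it is only ever
    compared as data, whatever characters it contains."""
    sql = ("SELECT title FROM articles WHERE published = 1 "
           "AND title LIKE ? ORDER BY id")
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    # A benign search behaves identically either way.
    print(search_vulnerable(db, "story"))      # ['Public story']
    print(search_parameterized(db, "story"))   # ['Public story']
    # A term that closes the quote and comments out the rest of the clause
    # bypasses the published = 1 restriction in the concatenated version ...
    print(search_vulnerable(db, "x' OR 1=1 --"))
    # ... and is simply an unmatched title in the parameterized one.
    print(search_parameterized(db, "x' OR 1=1 --"))
```

The point for the thread: input validation is worth having for data quality, but it is not what stops the injection. The parameterized version needs no knowledge of which characters are dangerous, which is why it holds up against payload variants (hex-encoded, comment-wrapped, nested) that a hand-written sanitiser was never tested against. In .NET the equivalent is `SqlCommand.Parameters.Add`; the concatenated form above is the pattern the mass-injection tools rely on finding.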
  • Wow... So the owners of the websites don't know how to validate input?

    They should implement code to sanitize user input and protect the SQL database...
    Grayson Peddie
    • "Developers" Instead of "Owners"

      I actually meant "developers" instead of "owners," but oh well...
      Grayson Peddie
    • Stop blaming the victim

      The point of the whole Web 2.0 trend is that you don't have to be a programming expert to put your content on the web. You use WYSIWYG content management systems, blogs, and other out-of-the-box tools. If the tools have vulnerabilities, is it right to blame the website owner that bought and used the tool?

      That's like blaming the driver of a car when a tire blows out because of a manufacturing defect. He should have examined and repaired the tires before he got in, right?

      My organization's website uses a content management system that was vulnerable to SQL Injection. The vendor hasn't offered any support or patches. Luckily, I was able to modify the source code to fix it. But for the most part, enterprises buy applications like that precisely because they don't have programming expertise on staff.
      j.daniluk@...
      • Read the story again very carefully.

        [b]formerly known as Microsoft Certified Professional Magazine[/b]

        Maybe they changed the name because they realised they weren't really experts? Maybe they're exactly the people who should have known better.

        Now, if the victim had been informed of the manufacturing defect, was told not to drive the car until it had been fixed for their own safety and still got in the car and it killed them then yeah, it's their own dumb fault.

        Bit like you expect a marine not to accidentally shoot themselves after so much training. The 'Independent Voice of the Microsoft IT Community' should, oh, I don't know, have a clue.
        odubtaig
  • The term "hacktivist" should go away

    Politically motivated vandalism is still vandalism. The term glorifies criminal behavior (yes, vandalizing other people's computers is or should be a crime) and is therefore unconscionable.
    John L. Ries
  • The developers used "modern" techniques

    The developers of the website used "modern" techniques:

    1. Security in the application, not in the database. This means that anyone who gets around the application can do anything in the database.

    2. They regarded the DBMS as a "storage engine" and thus implemented the business logic in the application layer. Deciding which users can see which data is part of the business logic. If you put the business logic in its proper place (in the database) then the users can only see the data they are meant to see, independent of which application is running.

    3. Generic logins in the database to improve performance. Hey, the hackers can steal your data really quickly - isn't that great? In any case the performance issue regarding user specific logins is largely a red herring anyway, at least for those who have moved on from CGI.

    To believe that an RDBMS is a "storage engine" is to show a profound misunderstanding of one of the most important and widely used technologies available today. Believing that the RDBMS is a "storage engine" will inevitably lead to inconsistent, inflexible, unmaintainable, slow and insecure systems.

    In essence we can see many of these problems as arising from a serious lack of education about the relational model and the RDBMS in the IT industry. This has nothing to do with Microsoft as the open source community is just as lacking in this respect.
    jorwell
    • well said... coders and programmers!!

      The saddest part is that these things (security and databases) [FUBAR user input] were being taught in CS colleges 35 years ago. Of course back then, we had coders and programmers. Today anyone who writes a few lines of code is considered a "programmer".

      We use deep penetration testing services offered by outfits like http://www.scanalert.com to keep things tight. It's all about testing and retesting.

      And while we are on the subject, why on earth would anyone permit any form of ["<script"]["</script"] to be stored or displayed from the database?
      dragon@...
      • Different case these days.

        Plenty of degrees where someone can graduate not knowing anything about either databases [i]or[/i] security. Conversely there are degrees centred entirely around nothing but security (but there's always the addition of biometrics and the like). There's been just a slight splitting of the CS disciplines same as there has been in biology and physics and it doesn't seem to have gone entirely well. At some points the essentials have been discarded.

        Even that aside, it's difficult to find decent programmers just because proper programming techniques for avoiding security holes aren't being taught, partly because it's enough of a job sometimes to teach some people how to get something basic working.

        It's also disappointing how many people just can't be bothered to keep up with the required knowledge. PHP itself has been a hideous security problem in the past because the official team just couldn't be bothered to take security seriously until one of the devs broke off and created Suhosin followed by the setup of Month of PHP Bugs which gave them a good kick up the arse (but not before they spent some time blaming the messenger). However, with the amount of freely available code for sanitising input it's just inexcusable for anyone to allow an injection attack, or at least easily allow it.
        odubtaig
        • In the database case

          There seems to be a strong tendency for courses to fail to teach fundamentals and concentrate on products.

          It doesn't matter whether you are using SQL Server, Oracle, MySQL, Postgres, Sybase or Access, the underlying theoretical principles are the same. If people are not educated in the underlying theory then they only learn the quirks of particular implementations.

          More generally, if people only learn SQL (a deeply flawed implementation of the relational model) then they are unlikely to produce well designed databases - and security is part of the database design.

          Unfortunately the job market tends to work in terms of products. I suspect that this phenomenon may be a conscious effort by job agencies to create non-existent scarcities. A job agency may say that you need someone with Oracle 11 (but how different is Oracle 11 from Oracle 8 really? Not much fundamentally).

          An interviewer who knows the theory will be able to tell in the first five minutes of the interview if someone knows their stuff. Products come and go, the theory does change, but in mathematical time, not internet time (internet time is a euphemism for the constant recycling of old ideas under new acronyms).

          Learn relational database theory and you'll have something that will be useful for the rest of your life. Learn the latest version of company X's SQL-DBMS and you'll understand what fads they've succumbed to in the last six months (XML, Object-Relational mapping and so on).
          jorwell