
Thread: ASPROX SQL Injection Attacks

  1. #1
    Join Date
    Dec 2007
    Location
    Wichita Falls, Tx
    Posts
    39

    ASPROX SQL Injection Attacks

    I'm rather curious as to what, if anything, hostmonster is recommending against this SQL-Injection attack. I personally have fallen victim to it twice in the last month. I am currently reading up on the ASPROX Toolkit being distributed by Sentinel IPS.

    For anyone curious, I highly recommend the following reading:
    http://www.networkcloaking.com/ASPROX_Toolkit.pdf

    Additionally, connections from these domains should be automatically blocked by every host. This list is taken from Greg Martin's InfoSec blog found here: http://infosec20.blogspot.com/

    These are the latest ASPROX domains (do not visit these sites, just blacklist)

    ***removed links to malicious sites***
    Last edited by shadmego; 08-09-2008 at 09:27 PM. Reason: removed links to malicious sites

  2. #2


    I appreciate you posting this information, but I fail to see why you would name certain known malicious sites. I am assuming the links you provided will give sufficient information on how to block the sites you listed and thus, feel there is no need to list them here for people to click on.

    Besides, search engine crawlers are all over these boards and links to malicious sites will only help to increase their page rankings. We don't want that either.

    ~regards, and welcome to the community
    He is no fool that gives what he cannot keep to gain what he cannot lose. - Jim Elliot
    4ChristMinistry.org - Web development tutorials and Community forum.
    Demos - Kicking the tires on some popular software.

  3. #3
    Join Date
    Dec 2007
    Location
    Wichita Falls, Tx
    Posts
    39


    Ah, my apologies. This info is only intended for preventative maintenance; but you are correct, the domain names can be found in the blog mentioned above, so posting them here probably wasn't necessary and I don't, in any way, intend to be "of use" to these malware authors.

    I just hate the idea of people (myself included) unintentionally putting their visitors at risk because script-kiddies with too much time on their hands think this is funny... or receive ill-gotten monetary gains from it.

  4. #4


    No worries. I figured it was an oversight. That's why I'm here, to help keep you all safe!

    About this attack though, the name says a lot: "ASPRox". This attack is focused on ASP driven sites and HM only runs Linux-based servers. Thus we only have php.

    The PDF you linked to mentions that the attack can affect php sites, but doesn't go into any details about how this is done. It only provides asp code, which we as HM customers are safe from.

    That doesn't mean we are all safe from SQL injection attacks in general. There is a great rule of thumb for all php/mysql driven sites:

    Never trust the data provided by your forms.

    Always run tests against them. Always run them through "cleaner" scripts to parse out the potentially bad stuff and NEVER allow direct access to php code that inserts data into the database.

    Again, good heads-up on the reminder for protecting against SQL-injection attacks.

    ~regards

  5. #5
    Join Date
    Dec 2007
    Location
    Wichita Falls, Tx
    Posts
    39


    I used to work with ASP a lot on windows servers and understand that being on a linux server prevents me from executing server-side asp scripts in my web pages.

    However, both times my html and php files were hijacked, the attacks came from asprox domains. I'm obviously not claiming that they were using asp based attacks just because the domain is listed as an asprox domain. The first attack was from gitporg and the 2nd from oics.

    Quote Originally Posted by shadmego
    Always run them through "cleaner" scripts to parse out the potentially bad stuff
    You sound like you have more experience with this than I do. Is there a simple explanation for how to do this? I am, as we speak, still reading up on services offered by IPS, and have several firefox tabs opened so that I can continue reading up on various other SQL injection attacks / security tips. Some of these "tips" are rather tedious.

  6. #6


    I don't have time to really go into this right now as I'm headed to bed ...

    I'm also not really an expert, I just remember reading some things in these boards from the real experts about it. Here is what I do:

    1. Try never to allow arbitrary code from the URL (I try hard not to use the $_GET function. I typically only use $_POST.)
    2. I always make sure that the form submission parser I make looks for the actual form to be submitted. Sometimes I name the submit button something strange and then I look for that at the start of my parsing code:

    Code:
    <!-- Input Form HTML (method="post" so the fields arrive in $_POST) -->
    <form method="post">
    ..........
    <input type="submit" name="submit" value="Register" />
    </form>
    PHP Code:
    <?php
    /****
    * php page for parsing form submission data
    *
    ****/

    // Only handle the data when our specifically named submit button was sent
    if (isset($_POST['submit'])) {

        /* Do something with the form data */

    } else {
        echo "The form wasn't submitted properly. Please try again.";
    }
    ?>
    There are other things to do also, like make sure only certain characters are present in certain form fields.

    If someone is submitting a first and last name, there should only be alpha characters present in the field. If someone is submitting an email address, make sure it is a valid format and doesn't contain any illegal characters. In textareas, make sure there are no HTML characters present. Basically, make sure there is nothing but raw text.

    There are a bunch of other things to do as well but they get more advanced, and as I said, I can't get into it right now!

    ~regards
    Last edited by shadmego; 08-09-2008 at 11:34 PM. Reason: hit the Enter key prematurely ... tired
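
A form "cleaner" that applies the rules from the post above (submit-button check, letters-only names, valid email format, no HTML in textareas). This is an added example and not shadmego's code; the field names and the sample submissions are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example, not shadmego's code. Field names and rules are assumptions.

// Validate a registration submission; returns a list of error messages
// (an empty list means every field passed).
function validate_registration(array $post): array
{
    // 1. Only accept the form when our specifically named submit button was sent.
    if (!isset($post['submit']) || $post['submit'] !== 'Register') {
        return ['The form was not submitted properly.'];
    }

    $errors = [];

    // 2. Names: letters only, as the post suggests.
    foreach (['first_name', 'last_name'] as $field) {
        $value = $post[$field] ?? '';
        if ($value === '' || !ctype_alpha($value)) {
            $errors[] = "$field must contain letters only.";
        }
    }

    // 3. Email: must be a syntactically valid address.
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address.';
    }

    // 4. Textarea: raw text only, so anything strip_tags() would remove is rejected.
    $comment = $post['comment'] ?? '';
    if ($comment !== strip_tags($comment)) {
        $errors[] = 'comment must not contain HTML.';
    }

    return $errors;
}

// Constructed sample submissions (not real traffic), one clean and one bad.
$samples = [
    'clean' => ['submit' => 'Register', 'first_name' => 'Ada', 'last_name' => 'Lovelace',
                'email' => 'ada@example.com', 'comment' => 'Hello there'],
    'bad'   => ['submit' => 'Register', 'first_name' => 'Ada1', 'last_name' => 'Lovelace',
                'email' => 'not-an-email', 'comment' => 'Hi <b>there</b>'],
];
foreach ($samples as $name => $post) {
    echo "$name: ", implode(' | ', validate_registration($post)) ?: 'ok', "\n";
}
```

ctype_alpha() rejects legitimate names such as O'Brien or Anne-Marie, so decide per field whether a strict letters-only rule is acceptable. These checks cut down junk input but are not a substitute for parameterised queries when the data reaches the database.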

  7. #7
    Join Date
    Aug 2008
    Posts
    1


    If you're using something like MySQLi

    Code:
    <?php
    // $dbi is an open mysqli connection; the raw values come from the login form
    $Username = $_POST['Username'];
    $Password = $_POST['Password'];

    if (get_magic_quotes_gpc())
      {
      // undo PHP's automatic magic-quotes escaping so the value is not escaped twice
      // (get_magic_quotes_gpc() was removed in PHP 8, so this block only applies on older PHP)
      $Username = stripslashes($Username );
      $Password = stripslashes($Password);
      }
    // escape the value for use inside the single-quoted SQL string literal below
    $Username = mysqli_real_escape_string($dbi, $Username);
    $PasswordHash = md5($Password);

    $SQL = "SELECT * FROM `Users` WHERE `Username` = '$Username' LIMIT 1";
    Something like this usually works for me...

    First bit removes any "automatic" security features.
    Second bit adds new security bits.

    MD5 will remove any SQL injection code through its encoding.
    If it's just a number, put $i = (int)$_GET['FormNumber'];
    This will make sure it can only have a number.
    asd = 0
    123asd = 123
    asd123 = 0
    like that, then just test that data, but... injection safe...
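
The same Users lookup as in the post, first with the escaping step and then as a mysqli prepared statement, plus numeric input that is validated rather than cast. This is an added example, not the poster's code; it assumes an open mysqli connection $dbi, a `Users` table with a `Username` column, and mysqlnd for get_result().

```php
<?php
// Added example, not the poster's code. Assumes $dbi is an open mysqli
// connection and a `Users` table with a `Username` column, as in the post.

// The post's approach: escape the value, then splice it into a quoted literal.
// This is only safe because the literal is quoted and the connection charset is
// known to mysqli (set it with $dbi->set_charset('utf8mb4') after connecting).
function lookup_user_escaped(mysqli $dbi, string $username): ?array
{
    $safe = mysqli_real_escape_string($dbi, $username);
    $result = $dbi->query("SELECT * FROM `Users` WHERE `Username` = '$safe' LIMIT 1");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// The same lookup as a prepared statement: the value travels separately from
// the SQL text, so there is no escaping step to forget or get wrong.
function lookup_user_prepared(mysqli $dbi, string $username): ?array
{
    $stmt = $dbi->prepare("SELECT * FROM `Users` WHERE `Username` = ? LIMIT 1");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Numeric form fields: the post's (int) cast turns "123asd" into 123 and "asd"
// into 0 without complaint. Validating instead rejects anything that is not a
// whole number, so a mangled value cannot silently become a different record id.
function form_number(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Constructed inputs (the ones from the post) showing cast versus validation.
foreach (['123', 'asd', '123asd', 'asd123'] as $raw) {
    printf("%-7s cast=%d validated=%s\n", $raw, (int) $raw, var_export(form_number($raw), true));
}
```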

  8. #8

    Could you put this in layman's terms?

    I don't understand much of this thread. I would like to know how to protect the sites.

    Every single one of my index and default files was attacked since yesterday.

    In your messages, I noticed mention of forms and MySQL attacks. I don't know anything about MySQL.

    But, I'm wondering if the attack coincided with my installing PHP Lists from Simple Scripts. I installed this yesterday, and re-configured the pages. Could one of the forms be the opening for a badware attack?

    If so, how can I protect the sites?

    Thanks
    Follow me at Twitter

  9. #9


    @ jerryw

    This thread is mostly for those that are creating their own websites and need to create scripts themselves that guard against any kind of SQL/URL injection attacks.

    I actually read your first post in another thread and was trying to figure out how to answer you, but then you posted here and this is as good a place as any.

    In your first message, you mentioned that your WordPress site was attacked and that some script was injected into your index and default (html?) pages. I have a WP demo site (latest version) installed on my demo site and I just finished checking that site and didn't see anything unusual, but I have that site resetting itself every 60 minutes so I don't know if I was attacked or not.

    I can tell you I do have a TON of other scripts, installs and various programs running on my site, none of which have any unknown code inserted. At least not the ones I checked. There are too many to look at manually.

    Back to your original question, SQL injection attacks take advantage of loopholes to inject malicious code into a database, or directly into a webpage. Actually, SQL injection would insert the code into a database, which would then be pulled into a page based on the code using the database.

    MySQL is a type of database for websites. PHPLists and Wordpress use databases to hold various aspects of the site (content, users, certain config settings, etc). If you are using prewritten scripts like Wordpress, PHPLists, Joomla!, SMF, phpBB, etc, you should really try to stay on top of all the security updates for each program you are running.

    I would be interested to know what version of Wordpress you are running and when the last time you updated your site.

    I also noticed you mentioned that the attack on your site happened in the last 24 hours. That would lead me to check your recent install of PHPLists for any holes. Depending on how you set up the program, which I am unfamiliar with, it could well be the cause of the open door to the rest of your site.

    Basically, the only thing you can do with your Wordpress site is to stay on top of the updates for Wordpress. You can also look around for security addons that help further harden your site against different types of attacks. We have a user, Falcon1986 that knows a thing or two about securing and optimizing WP sites.

    Feel free to also check out the demo installation I have of Wordpress. Check the links out here.

    ~regards

  10. #10
    Join Date
    May 2008
    Location
    Bahamas, Jamaica
    Posts
    1,108


    I too do not know much about these attacks, but I'm glad when folks like 'shadmego' put them in easy-to-understand terms so that even novice website owners like myself can have an idea of what is going on.

    As for securing Wordpress you can do a number of things.

    First and foremost, you should ensure that you are using the latest version of the blogging software (as of today, this is Wordpress 2.6). If you are using an older version you should upgrade now. The process may be longer than the quick upgrade, but the Extended Upgrade Instructions will enable you to cover all your bases and even implement some things that the quick upgrade instructions might miss.

    Please heed the instructions' warning on backing up your DB and other important files. Also remember to disable all your plugins before upgrading and take your site offline during the upgrade process. It may help to put a blank index.html file in your Wordpress root directory so your index.php is not called should someone visit your site during the upgrade. You can easily delete index.html after a successful upgrade.

    Use secure passwords for your Wordpress database and Admin account. PC Tools has a good one and I'm sure you can find others on the internet. Use a combination of letters, numbers and symbols. Use this information when editing your wp-config.php file and also remember to add those 3 new secret key statements.

    It may also help to change your Wordpress table prefixes from the default wp_. I have yet to do this with my own Wordpress site since most of my Wordpress tables are shared between Wordpress itself and some other integrated software. I have, however, removed references to the version of Wordpress I use from the header, which I understand is no super security measure. If an attacker knows what version of Wordpress you are using it makes it much easier for them to find vulnerabilities.

    Also, keep your plugins updated and only use plugins that have a wide community usage, support and are highly rated.

    Some useful resources on securing your Wordpress site are:

    BlogSecurity.net > Secure WP Whitepaper > WP Vulnerability Scanner

    AskApache.com > AskApache .htaccess Plugin

    There are a lot of great articles on the AskApache.com website. I particularly make use of security measures implemented through the .htaccess file. Use extreme caution when using the .htaccess Plugin or manually entering the statements into your .htaccess file. Enter one entry at a time if you so wish to implement a certain security feature and reload your site to see if everything is still working. Some of the edits may give you 500 Internal Server Errors depending on your site's configuration. To reverse the effect, just edit out the entry manually in your .htaccess file.
    trentwusc.org - "Education changes the world."

    falcon1986.wordpress.com - my blog
