against Web servers and Web applications, ranging from simple password guessing to more advanced exploits that can infect thousands of servers at once. In general, these attacks aim at altering Web-site content to redirect visitors to servers controlled by the attacker. The following sections expand on some examples of recent dominant server attacks.
SQL injection attacks.
SQL injection is an exploitation technique commonly used against Web servers that run vulnerable database applications.
The vulnerability arises when user input is not properly sanitized (for example, by filtering escape characters and string literals), so that carefully crafted input is interpreted as code and executed on the server. SQL injection has been commonly used to perpetrate unauthorized operations on a vulnerable database server, such as harvesting users’ information and manipulating the contents of the database. In Web applications that use an SQL database to manage user authentication, attackers use SQL injection to bypass login and gain unauthorized access to user accounts or, even worse, to gain administrative access to the Web application. Other variants of these attacks allow the attackers to alter the contents of the server’s database and inject their own content.
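The defect described above, shown as an added example (not code from the article): the same login check written twice against an in-memory SQLite database with constructed user rows. The first version pastes the input into the SQL text, so a quote character in the input changes the statement's structure; the second passes the values through query parameters, so the database never parses them as code. Account names, passwords and the tautology input are all constructed for the demo.

```python
"""Added example: string-built SQL beside its parameterized replacement."""
import sqlite3

# Constructed sample accounts.  A real application stores a salted password
# hash rather than the password; plaintext is used here only to keep the
# comparison between the two query styles readable.
USERS = [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")]

# The textbook tautology: once pasted into the WHERE clause it makes the
# condition true for every row, regardless of the password.
TAUTOLOGY_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the demo database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Unsanitized input concatenated into the statement text.

    Returns the role of the first matching row, or None when no row matches.
    With TAUTOLOGY_INPUT as the password the statement becomes
        ... WHERE name = 'x' AND password = '' OR '1'='1'
    and matches every row, so the first account (an admin here) is returned.
    """
    sql = ("SELECT role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """Placeholders: the driver sends the values separately from the SQL text,
    so quotes or keywords in the input are compared as data, never executed."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:    ", login_vulnerable(db, "anyone", TAUTOLOGY_INPUT))
    print("parameterized, tautology: ", login_parameterized(db, "anyone", TAUTOLOGY_INPUT))
```

The point of the comparison is that the fix is not a better filter on the input but a different interface to the database: with placeholders there is no string for the input to break out of. Escaping-based sanitization, which the article mentions, is fragile because each database dialect has its own set of characters that need handling.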
Last year, a major SQL injection attack was launched by the Asprox botnet [15], in which several thousand bots were equipped with an SQL injection kit that sent specially crafted queries to Google searching for servers that run ASP.NET, and then launched SQL injection attacks against the Web sites returned from those queries. In these attacks the bot sent an encoded SQL query containing the exploit payload to the target Web server, in a format similar to the following:

    http://www.victim-site.com/asp_application.asp?arg=<encoded sql query>

The vulnerable server decoded and executed the query payload, which, in the Asprox case, yielded SQL code similar to the snippet shown in figure 1 [13].

Figure 1. Decoded Asprox SQL injection payload:

    DECLARE @T VARCHAR(255),@C VARCHAR(255)
    DECLARE Table_Cursor CURSOR FOR
      SELECT a.name, b.name FROM sysobjects a, syscolumns b
      WHERE a.id=b.id AND a.xtype='u'
        AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN
      EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''''')
      FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor
The decoded payload searched the Web server folders for Unicode and ASCII files and injected an IFrame or a script tag into them. The injected content redirected the Web-site users to Web servers controlled by the attacker, therefore subjecting them to direct exploitation.
We monitored the Asprox botnet over the past eight months and observed bots getting instructions to refresh their lists of the domains to inject. Overall, we have seen 340 different injected domains. Our analysis of the successful injections revealed that approximately 6 million URLs belonging to 153,000 different Web sites were victims of SQL injection attacks by the Asprox botnet. While the Asprox botnet is no longer active, several victim sites are still redirecting users to the malicious domains. Because bots inject code in a noncoordinated manner, many Web sites end up getting multiple injections of malicious scripts over time.
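The cleanup side of the attack just described, as an added example that is not part of the article or the authors' measurement tooling: the Asprox payload walks every text column of every user table and appends a tag to each value, so a site owner checking for damage needs to walk the same columns looking for script and IFrame tags. The audit below does that over a SQLite database built in memory with constructed page rows, reports the distinct injected domains and how many injections each row carries (the multiple-injection effect the paragraph describes), and then strips the tags. Table, column and domain names are made up for the demo; the regular expression is an assumption about the tag shapes, not a signature from the article.

```python
"""Added example: find, summarize and strip injected script/IFrame tags."""
import re
import sqlite3
from collections import Counter

# Assumed tag shapes: <script src=...> and <iframe src=...>, quoted or not,
# optionally followed by the matching closing tag.  Group 1 is the tag name,
# group 2 the host the tag loads from.
INJECTED_TAG = re.compile(
    r"""<(script|iframe)\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)[^>]*>(?:\s*</\1>)?""",
    re.IGNORECASE,
)

# Constructed sample: a pages table whose text columns were hit by two bots
# using two different domains; the third row was injected twice.
SAMPLE_PAGES = [
    ("Home", "Welcome to our site"),
    ('Contact<script src="http://inj-one.example/b.js"></script>',
     'Contact us<script src="http://inj-one.example/b.js"></script>'),
    ("Prices",
     "Prices<script src=http://inj-one.example/b.js></script>"
     '<iframe src="http://inj-two.example/x.html" width=0 height=0></iframe>'),
]


def make_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def text_columns(conn):
    """Yield (table, column) for every text-typed column in the schema.
    Identifiers come from sqlite_master, not from user input, so quoting them
    into the PRAGMA/SELECT text is safe here."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, name, ctype, _nn, _dflt, _pk in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper() in ("TEXT", "VARCHAR", "NVARCHAR", "NTEXT"):
                yield table, name


def find_injections(conn):
    """Return one finding per injected tag: where it sits and which host it loads."""
    findings = []
    for table, column in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            for m in INJECTED_TAG.finditer(value or ""):
                findings.append({"table": table, "column": column, "rowid": rowid,
                                 "tag": m.group(1).lower(), "domain": m.group(2).lower()})
    return findings


def summarize(findings):
    """Distinct injected domains, plus injection count per (table, column, row)."""
    domains = sorted({f["domain"] for f in findings})
    per_row = Counter((f["table"], f["column"], f["rowid"]) for f in findings)
    return domains, per_row


def strip_injections(conn) -> int:
    """Remove every matched tag in place; returns the number of cells rewritten.
    Rows are fetched before updating so the cursor is not mutated mid-scan."""
    cleaned = 0
    for table, column in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if value and INJECTED_TAG.search(value):
                conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                             (INJECTED_TAG.sub("", value), rowid))
                cleaned += 1
    conn.commit()
    return cleaned


if __name__ == "__main__":
    db = make_sample_db()
    found = find_injections(db)
    domains, per_row = summarize(found)
    print("injected domains:", domains)
    for key, n in per_row.items():
        print("row", key, "carries", n, "injection(s)")
    print("cells cleaned:", strip_injections(db))
```

Stripping the tags restores the content but not the hole that let them in; the cleanup is only useful once the injection point itself has been fixed, otherwise the next bot in the rotation simply re-injects.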
Redirections via .htaccess. Even when the Web pages on a server are harmless and unmodified, a Web server may direct users to malicious content. Recently, attackers compromised Apache-based Web servers and altered the configuration rules in the .htaccess file. This configuration file not only can be used for access control, but also allows for selective redirection of URLs to other destinations. In our analysis of Web servers, we found several
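A check a site owner can run for the .htaccess case, as an added example that is not part of the article: it scans an .htaccess file for Redirect, RedirectMatch and RewriteRule directives whose destination is an absolute URL on a host other than the site's own, and records whether a RewriteRule is guarded by a RewriteCond (a guarded rule only fires for some visitors, which is what makes a redirect selective and easy to miss when the owner browses the site directly). The sample file, the site hosts and the external host are constructed; the RewriteCond on the referer is an assumed example of a selective rule, not one quoted from the article.

```python
"""Added example: audit an .htaccess file for redirects to outside hosts."""
from urllib.parse import urlparse

# Constructed: the hosts this site legitimately redirects to.
SITE_HOSTS = {"www.example-site.test", "example-site.test"}

# Directives whose last argument is a destination URL.
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent",
                       "redirecttemp", "rewriterule"}

# Constructed .htaccess: a legitimate internal redirect, a RewriteRule that
# fires only when the preceding RewriteCond holds, and a plain RedirectMatch.
SAMPLE_HTACCESS = """\
AuthType Basic
RewriteEngine On
Redirect 301 /old-page.html http://www.example-site.test/new-page.html
RewriteCond %{HTTP_REFERER} ^https?://[^/]*search-engine\\.test/ [NC]
RewriteRule ^.*$ http://redirect-target.test/landing.php [R=302,L]
RedirectMatch 302 ^/promo/.* http://redirect-target.test/p
"""


def audit_htaccess(text: str, site_hosts=SITE_HOSTS):
    """Return a finding for each redirect whose destination host is not ours."""
    findings = []
    pending_conds = []          # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "rewritecond":
            pending_conds.append(line)
            continue
        if name not in REDIRECT_DIRECTIVES:
            continue
        # Apache binds RewriteCond lines to the next RewriteRule only.
        if name == "rewriterule":
            conds, pending_conds = pending_conds, []
        else:
            conds = []
        # Destination is the last argument, ignoring a trailing [flags] group.
        args = [a for a in parts[1:] if not (a.startswith("[") and a.endswith("]"))]
        target = args[-1] if args else ""
        host = urlparse(target).hostname      # None for relative paths
        if host and host.lower() not in site_hosts:
            findings.append({"line": lineno, "directive": parts[0], "target": target,
                             "host": host.lower(), "conditional": bool(conds),
                             "conditions": conds})
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        guard = "conditional" if f["conditional"] else "unconditional"
        print(f"line {f['line']}: {f['directive']} -> {f['host']} ({guard})")
```

Running this over every .htaccess under the document root (they can sit in any directory) and comparing the output with a known-good copy is cheap enough to schedule; a redirect to a host that is not in the allowlist is something the administrator put there on purpose or something that needs an explanation.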