Linked by Thom Holwerda on Mon 28th Apr 2008 19:22 UTC, submitted by Hakime
Law and Order Last week, The Washington Post reported that hundreds of thousands of IIS webservers were hacked. Code was placed on them that installed malware on visitors' computers. Among the infectees were websites from the UK government and the United Nations. Initial reports said the attackers used a security vulnerability in Microsoft's IIS, but the company published more information on the attacks today, and denies IIS was compromised.
Thread beginning with comment 311756
IIS?
by WereCatf on Mon 28th Apr 2008 20:59 UTC

The first comment posted on the article already explains the whole issue at hand:

By default this tool searches for Microsoft ASP pages (an IIS specific web development technology) and injects a Microsoft SQL Server specific payload: these defaults, maybe, have generated the false perception that an IIS vulnerability is involved, while the infection is just leveraging trivial coding errors made by the web developers.

So, perhaps some poor default values combined with not-so-good programming caused this. It's not specifically an IIS bug or anything like that at all. Switching to Linux and using Apache won't help either if you can't make your code secure. So, remember all web devs out there: ALWAYS check any variables you pass to the SQL server so that they are fully valid and will not contain any unintended characters.

RE: IIS?
by google_ninja on Mon 28th Apr 2008 23:32 in reply to "IIS?"

What's sad is that you don't even have to. Use parameterized queries or stored procs and the framework will do the checking for you.

There is simply no excuse in the asp world for "SELECT " + fields + " FROM Tables" anymore.

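A worked illustration of the two points in this thread (string-built SQL versus a parameterized query), added here as an example and not taken from the thread; Python's sqlite3 module stands in for ASP and SQL Server, and the table and inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a site's content table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("home", "welcome"), ("about", "who we are")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, title):
    # Vulnerable: the "SELECT " + fields + " FROM Tables" style the thread warns about.
    # Whatever the caller passes becomes part of the SQL text itself.
    sql = "SELECT id, title FROM pages WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, title):
    # Hardened: the driver sends the value separately from the statement,
    # so quotes inside it stay literal data and cannot change the query.
    return conn.execute(
        "SELECT id, title FROM pages WHERE title = ?", (title,)
    ).fetchall()


def demo():
    conn = make_db()
    benign = "home"
    hostile = "x' OR 'a'='a"  # constructed input carrying an embedded quote
    return {
        # both forms agree on ordinary input ...
        "concat_benign": lookup_concat(conn, benign),
        "param_benign": lookup_param(conn, benign),
        # ... but the concatenated query's WHERE clause is rewritten by the
        # input and returns every row, while the parameterized one matches nothing.
        "concat_hostile": lookup_concat(conn, hostile),
        "param_hostile": lookup_param(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```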