More than 4,000 websites may have been infected by a massive SQL injection attack.
According to a blog by the SANS Internet Storm Centre handler Mark Hofman, several reports had been seen of sites being injected with a string that is inserted into several tables. “From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation,” he said.
He later said that around 80 sites originally showed up in a Google search, this increased to 200 around 12 hours later on Friday morning, a few hours later it increased to 1,000 and at a last check had exceeded 4,000. Visitors to hacked sites are being redirected to pages trying to push rogue anti-virus programs or another payload.
“The hex will show in the IIS log files, so monitor those,” Hofman wrote. “Make sure that applications only have the access they require, so if the page does not need to update a (database), then use an account that can only read.” He also recommended blocking access to the malicious redirect site.
Similar waves of SQL injection attacks have been common for years, including a major one that occurred earlier this year.