Well, there was quite some chatter over the last few weeks with regards to the massive defacements we saw based on SQL Injection Attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these attacks is automation; however a lot of people did not really start with this at the beginning.
Just as an example, The Washington Post published an article called: Hundreds of Thousands of Microsoft Web Servers Hacked and said Hundreds of thousands of Web sites […]have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines. Whereas the first part was true (“just” giving a wrong impression) the content in the article was definitely wrong as it was (and still is) no Windows or IIS vulnerability but just bad programming.
What we see are tools that use Google to find web application with potential SQL Injection vulnerabilities and then try to attack them. From there on, they are trying to use the SQL Injection flaw to exploit vulnerabilities in Flash or other software.
So, what can you do about it?
Understand the current threat and read SQL Injection Attacks on IIS Web Servers on our IIS Blog and Questions about Web Server Attacks on the Microsoft Security Response Center Blog. Once you have done that I think (if you are not already) you should familiarize yourself with these kind of attacks and there are some very good resources and engineer at Microsoft compiled for you:
General Guidance on SQL Injection:
- Giving SQL Injection the Respect it Deserves (from Michael Howard)
- SQL Injection Mitigation: Using Parameterized Queries (from Neil Carpenter)
Incident Response with focus on SQL Injection:
- Anatomy of a SQL Injection Incident (from Neil Carpenter)
- Anatomy of a SQL Injection Incident, Part 2: Meat (Neil again)
And last but not least some MSDN guidance: