A Slight Case of Hacking
As some of you may know, we have been doing a lot of work on Studybuddy.
Unfortunately, some hacker used SQL Insertion to compromise the database. It is a bit embarrassing that the code did not anticipate such a dull attack, but as it was still in pilot and not all that visible, we had down-prioritized security in favor of getting content and functionality in place.
Be that as it may, the purpose of this page is to inform about the attack. The information here will help protect you against this particular attack, and hopefully similar attacks from other malicious bores.
There is good information available on this attack. See this blog post ; the ASPROX Information Toolkit is a must read for all webmasters. (I have no connection with networkcloaking.com or Sentinel IPS, except that I appreciate the free information they provide on this problem.) There is a good, accessible article from ars technica (again, no connection).
Hacker email: email@example.com. Recommend you add to 'blocked' senders.
List of Known Servers . You may want to add these to your 'Restricted' or 'Blocked' site list. I have also created a registry file (zipped) that blocks these sites in your Internet zone, if you use Windows. The registry import will: create a new, sixth zone #5 (per instructions), disable all script and download access on this zone, then add the known malicious servers to this zone. You should not run this registry import directly. Caution is advised. Download the registry script, review it, modify it as you see fit -- for instance, if you already have a sixth security zone, you need to change the number of the new one -- back up your registry, and then perhaps you can run it. I'm only providing it as an aid to get started, if you want to block the servers. Unfortunately, the hackers keep adding domains, so the server list is probably already out of date. It's only a start, but lots of compromised sites out there refer to these domains.
Name Server IPs (whois):
Client IPs (from where the SQL Insertion attacks occurred -- these are gateway and/or proxy servers, so unfortunately, you cannot summarily block them -- I'm listing them here for completeness' sake):
188.8.131.52 - BEIJING/China
Granite Tower, Copyright (C) 2004-2009
Last updated: Jan, 2009