Definitely a nice write-up, but when you comb your IIS logs and start seeing DECLARE and CAST statements in the URL sequences, you had better be on your guard, because those are some tell-tale signs of SQLi. I don't know of many web applications that are accepting that as INPUT, so if you have things in place like URLScan or WAFs, you might want to make sure you drop that type of traffic and report on it as possible SQLi accordingly.
Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Tuesday, June 15, 2010 6:19 PM
To: NT System Admin Issues
Subject: Re: Time to verify your IIS setup

Here's an update on the issue:

http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html

On Tue, Jun 15, 2010 at 14:45, Andrew S. Baker <[email protected]> wrote:
> More important to me is, "How many discrete managers of IIS systems/environments does this represent?"
>
> I mean, on one level, if a single ISP hosting 500 discrete sites for clients is a victim, that's not exactly the same thing as those 500 clients failing to manage this risk.
>
> On the other hand (and from a more practical standpoint), they're still victims just the same...
>
> -ASB: http://XeeSM.com/AndrewBaker
>
> On Tue, Jun 15, 2010 at 5:38 PM, Sam Cayze <[email protected]> wrote:
>>
>> Dang.
>> I was just curious...
>>
>> How many IIS sites are there in the world? Roughly 780K. So if Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that are affected.
>> Yikes.
>>
>> Source:
>> http://news.netcraft.com/archives/category/web-server-survey/
>>
>> (most places on my search pointed to NetCraft having the most accurate results).
>>
>> Sam
>>
>> On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff <[email protected]> wrote:
>>> about 111,000 sites infected
>>>
>>> http://isc.sans.edu/diary.html?storyid=8935
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
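The log check Ed describes, written out as an added example that is not part of the thread or of any product mentioned in it. It parses the IIS W3C extended log format using the field names from the `#Fields:` header, URL-decodes each `cs-uri-query` repeatedly so that double-encoded (`%25xx`) payloads are exposed, and flags requests whose decoded query carries `DECLARE @...`, `CAST(` or `EXEC(`. The log lines below are constructed sample input (RFC 5737 addresses, a harmless hex literal); the word-boundary regexes are there so ordinary parameter values such as `broadcast` are not reported as `CAST`.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (sample input, not a real log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2010-06-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-06-15 18:19:01 10.0.0.5 GET /products.asp id=42 80 - 192.0.2.10 Mozilla/4.0 200 0 0 15
2010-06-15 18:19:02 10.0.0.5 GET /products.asp id=42;DECLARE+@S+VARCHAR(4000);SET+@S=CAST(0x53454C454354+AS+VARCHAR(4000));EXEC(@S);-- 80 - 198.51.100.7 Mozilla/4.0 200 0 0 31
2010-06-15 18:19:03 10.0.0.5 GET /search.asp q=%2544%2545%2543%254C%2541%2552%2545%2520%2540%2553 80 - 198.51.100.7 Mozilla/4.0 200 0 0 12
2010-06-15 18:19:04 10.0.0.5 GET /news.asp cat=broadcast 80 - 192.0.2.11 Mozilla/4.0 200 0 0 9
"""

# Indicators the thread calls out (DECLARE, CAST) plus EXEC, which the same
# payload shape needs in order to run the decoded string. Word boundaries keep
# ordinary words such as "broadcast" from matching "CAST".
SQLI_INDICATORS = {
    "DECLARE": re.compile(r"\bDECLARE\s+@\w+", re.IGNORECASE),
    "CAST": re.compile(r"\bCAST\s*\(", re.IGNORECASE),
    "EXEC": re.compile(r"\bEXEC\s*\(", re.IGNORECASE),
}


def decode_query(query, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded %25xx sequences are exposed."""
    current = query
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify_query(query):
    """Return the indicator names present in a (decoded) cs-uri-query value."""
    if query in ("", "-"):  # IIS writes "-" when there is no query string
        return []
    decoded = decode_query(query)
    return [name for name, pattern in SQLI_INDICATORS.items() if pattern.search(decoded)]


def find_sqli(text):
    """Return a list of suspicious requests: who sent them, to which page, and why."""
    hits = []
    for record in parse_iis_log(text):
        indicators = classify_query(record.get("cs-uri-query", "-"))
        if indicators:
            hits.append({
                "time": f'{record["date"]} {record["time"]}',
                "c-ip": record["c-ip"],
                "stem": record["cs-uri-stem"],
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sqli(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["c-ip"]} {hit["stem"]} -> {", ".join(hit["indicators"])}')
```

Run it against a real `u_ex*.log` by reading the file into `find_sqli`; the second and third sample lines are reported (the third only after two decoding rounds), while `cat=broadcast` is not. Treat the output as a triage list rather than a verdict: a hit on a 200 response is the one worth chasing, since it means the application accepted the request rather than rejecting it.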
