Incident Response: The Importance of Anti-Virus

Heading home from the CSS Security Global Summit on Friday, I got stuck in Cincinnati’s airport.  While walking through baggage claim, I saw this displayed on the arrivals board: (I didn’t have a proper camera with me so, if that’s hard to read, it’s a Symantec AntiVirus Auto-Protect notification of a trojan horse found.  Symantec…


SQL Injection Hijinks

or Why I Keep Harping On Blacklisting

Summary: An incident reveals attempts to get around blacklisting by manipulating behavior in ASP, illustrating the weakness of blacklist approaches. A new version of UrlScan is shipping today with a change specifically to address this.

Discussion: I was working with a colleague on an incident last week…



My colleague Greg, who has forgotten more about command line scripting than I will ever know, put together a sample on CodePlex that automates finding SQL injection attacks from the ongoing mass SQL injection attack ("SQL Storm", as I saw it dubbed today).  This is a fairly convenient approach to searching logfiles on an IIS…


SQL Injection — A Comment

Kumar comments here and I think he has some questions/concerns that are worth addressing. I’m going to add my own comments (and, please note, the comments I make here are my own and do not necessarily reflect Microsoft’s corporate opinions).

—————————————————————————————

My site extensively uses asp and sql server. My site ranking is good with…


Mass SQL Injection — Get Used To It

It looks like another wave of the mass SQL injection I talked about last month is going on.  The inserted link is different and, in the one specific incident I’ve seen, the source IP address is different; however, other than that, the attack looks to be identical. 2.1K websites so far, this month.


Anatomy of a SQL Injection Incident, Part 2: Meat

Intro

It would appear that the incident I wrote about yesterday is still ongoing. I’ve been using a search engine to query for the *.js file that’s being injected and it looks something like this:

Wednesday: 10K hits (This is Avert’s number. I didn’t look until Thu.)
Thursday: 12.1K hits
Friday: 12.9K hits
Saturday: 14K…


Anatomy of a SQL Injection Incident

A number of people are reporting that 10K+ websites have been hacked via a SQL injection attack that injected a link to a malicious .js file into text fields in their database. For example, here’s the Avert Labs report. The reports that I’ve seen talk about how the .js file tries to compromise clients that connect…


Detecting ARP Spoofing Attacks

After investigating an ARP spoofing incident recently, I started thinking of how we could easily ferret out this sort of information when responding to a potential incident. In this particular case, there were two important parts of the attack: ARP spoofing forced all traffic bound for the default gateway to be funneled through the infected…


ARP Cache Poisoning Incident

I recently worked on an interesting incident response with several of my colleagues.  The problem, as defined by the customer, is that the following code is being injected into some websites (both external and internal to his environment) that his users are surfing: <iframe src=http://<redacted>/ 123.htm width=0 height=0></iframe>  The page referenced (123.htm) includes a link…