Mass Infection of IIS/ASP Sites - juanufrj
http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html?iscsans

======
juanufrj
More details:

<http://isc.sans.edu/diary.html?storyid=8935>

<http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html>

According to the articles, more than 100k sites hacked.

------
kogir
Yawn. SQL injection again. Can happen on any platform.

Hint: Use SPs for all your data access and don't give your app direct access
to the tables. Makes stuff like this infinitely less likely to work.

~~~
rbanffy
By using SPs you more or less double the effort to port your application away
from whatever database you are using.

Better to use an ORM.

~~~
tptacek
You mean, except for the part where ORM-based applications are usually still
injectable.

~~~
johns
Same can be said for sprocs. Any popular ORM will have proper handling for
parameters. In both cases you can't rely on the tool, you have to know what
you're doing.

~~~
tptacek
It's true that stored procedures can be injectable, but it's extremely rare,
and you can find the 0.1% of them that might be with a simple grep regex,
unlike ORMs.
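The subthread above turns on two claims: that an ORM (or a stored-procedure layer) only protects you when the query actually goes through its parameter handling, and that the few hand-built queries can be found with a grep. The following added example, written for this thread and not taken from any of the linked articles, shows both: an SQLite-backed lookup done the wrong way (SQL text assembled with string formatting, the usual "raw query" escape hatch in an ORM) beside the parameterised form, and a small regex audit that flags source lines where SQL literals are glued to variables. The table, rows and function names are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("home", "Welcome"), ("about", "About us"), ("contact", "Email us")],
    )
    return conn


def page_by_slug_unsafe(conn, slug):
    # The misuse the thread warns about: the ORM is bypassed and the
    # user-supplied value is spliced into the SQL text itself.
    sql = "SELECT slug FROM pages WHERE slug = '%s'" % slug
    return [row[0] for row in conn.execute(sql)]


def page_by_slug_safe(conn, slug):
    # Parameterised: the value travels separately from the statement,
    # so the database always treats it as data, never as SQL.
    sql = "SELECT slug FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# Heuristic for the "simple grep" approach: a string literal containing a
# SQL verb that is immediately followed by %-formatting, + concatenation,
# or .format(). It will not catch every idiom (f-strings, multi-line
# builders), so treat hits as leads for review, not a complete audit.
SQL_CONCAT = re.compile(
    r"""['"][^'"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^'"]*['"]\s*(%|\+|\.format\()""",
    re.IGNORECASE,
)


def flag_concatenated_sql(source_lines):
    """Return 1-based line numbers whose SQL literal is built by formatting."""
    return [n for n, line in enumerate(source_lines, 1) if SQL_CONCAT.search(line)]
```

Running the two lookups with the same non-literal input shows the difference: the formatted query returns every row, the parameterised one returns none because no slug equals that string.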

------
poundy
I got hacked similarly on my blog and it went undetected when my WordPress
code files were changed. Now I can detect the website/server is hacked using
this PHP code <http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/> (like tripwire)

This helped me a couple of times, and once when a hack on my WordPress blog
only showed different page links to the Google bot!

------
jgg
Can anyone give me a technical reason to deploy on an IIS and ASP platform
instead of Apache/Nginx and one of the dozens of open source solutions for
deploying a web application? From where I'm sitting, it seems to me the
reasoning is "I drank the Microsoft Kool-Aid". Surely there's a better reason
than that.

~~~
thrdOriginal
Is this a real question or a silly jab at Microsoft? I think you're
underestimating the number of existing businesses who have .NET at their core,
in which case the question is what justifies moving off of .NET? In my
experience .NET can be - while not as hip - a very solid framework.

~~~
jgg
Yes it was a real question, and I note that you've failed to answer it.

> I think you're underestimating the number of existing businesses who have .NET at their core, in which case the question is what justifies moving off of .NET? In my experience .NET can be - while not as hip - a very solid framework.

I wanted to know why you'd deploy on that platform initially. Of course if
you're already fucking using it, you're probably not going to switch.

~~~
thrdOriginal
Sorry, I thought you were being intentionally daft by stating the only reason
to deploy on IIS would be "Kool-Aid" etc. In any case, you quoted my short
answer to what I thought was not really a question to begin with ("a very
solid framework").