Friday, June 13, 2008

Solution to flyzhu.9966.org

A website that I was helping to maintain recently got itself infected with something pointing to flyzhu.9966.org. Searching Google for more information on flyzhu brings up tonnes of infected sites but no clear information about flyzhu, except that it is some sort of SQL injection attack.

The urgency of the matter meant that I turned to specialist sites such as those of the antivirus companies to try to find more information about how to disinfect or protect against flyzhu. However, the search did not yield many tangible results. No antidote or system patch was found to specifically address the flyzhu problem.

The most likely solution to flyzhu turned out to be the one that requires the most significant work: sanitising parameter values before using them to construct the SQL statements for execution. This solution brings up the realisation that the vendor who had been contracted to create the website was delivering substandard code that is vulnerable to SQL injection.

The flyzhu infection would have been avoided if we had enforced a strict standard of not allowing code with inline SQL statements. The use of parameterised queries would have rendered SQL injection almost impossible. Trading short-term gain in simplicity of coding, to deliver a product quickly, has resulted in perhaps longer-term pain in trying to determine which areas are vulnerable and trying to patch them.
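To make the inline-SQL versus parameterised-query point concrete, here is an added example (not code from the original post or from the site's vendor). It uses Python's built-in sqlite3 module with an in-memory database; the `pages` table, its rows, the script tag in one row and the probe value are all constructed for illustration. The same string-concatenation mistake looks identical in any language and database. A third function shows the defender-side cleanup step the post and its comments describe: locating rows whose text columns have had a script tag appended, so they can be cleaned rather than restoring the whole site from backup.

```python
"""Inline SQL versus parameterised queries, plus a scan for injected script tags.

Added example, not part of the original post. Everything here (table name,
rows, the injected script tag, the probe value) is constructed for illustration.
"""
import re
import sqlite3

# Constructed probe value: a single quote followed by a tautology. In inline SQL
# the quote closes the string literal and the rest becomes part of the statement.
PROBE = "x' OR '1'='1"

_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db() -> sqlite3.Connection:
    """Create a small constructed content table; one row is already 'infected'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [
            ("home", "Welcome to the site"),
            ("about", "About us"),
            # Constructed sample of what a mass injection leaves behind: a script
            # tag appended to the existing text of a column.
            ("news", 'Latest news<script src="http://example.invalid/x.js"></script>'),
        ],
    )
    conn.commit()
    return conn


def find_page_inline(conn: sqlite3.Connection, title: str):
    """VULNERABLE: the parameter is pasted into the SQL text, so quote characters
    inside it change the structure of the statement."""
    sql = "SELECT id, title FROM pages WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_page_param(conn: sqlite3.Connection, title: str):
    """SAFE: the value is bound through a placeholder. The database receives the
    statement and the value separately, so the value is only ever compared as
    data and can never alter the statement."""
    sql = "SELECT id, title FROM pages WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def find_injected_rows(conn: sqlite3.Connection, table: str, columns):
    """Defender-side check: list (id, column, value) for rows whose text columns
    contain a script tag, to locate what needs cleaning after an injection.

    Table and column names are chosen by the operator, not by web users, and are
    validated against a strict identifier pattern before being quoted; the LIKE
    pattern itself is still passed as a bound parameter."""
    if not _IDENTIFIER.match(table):
        raise ValueError(f"bad table name: {table!r}")
    hits = []
    for col in columns:
        if not _IDENTIFIER.match(col):
            raise ValueError(f"bad column name: {col!r}")
        sql = f'SELECT id, "{col}" FROM "{table}" WHERE "{col}" LIKE ?'
        for row_id, value in conn.execute(sql, ("%<script%",)):
            hits.append((row_id, col, value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("inline SQL with probe value:", find_page_inline(db, PROBE))   # every row
    print("parameterised with probe value:", find_page_param(db, PROBE))  # no rows
    print("rows carrying a script tag:", find_injected_rows(db, "pages", ["title", "body"]))
```

Run as a script: the inline version returns every row because the probe value turned `WHERE title = 'x'` into `WHERE title = 'x' OR '1'='1'`, while the parameterised version returns nothing because it looked for a page literally titled `x' OR '1'='1`. The scan reports only the `news` row's `body` column, which is where a cleanup would start.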

With no quick antidote for flyzhu infection, the website was restored using a backup. While the site is now running fine, the underlying SQL injection vulnerability has yet to be fully addressed. It is now a race against time to harden the website before the next SQL injection attempt, be it flyzhu or exec51, succeeds in bringing down the site again.

Anyone who has additional information on solving the flyzhu problem, please share it with me. Thanks.

2 comments:

logeshwaran said...

My site's database was also affected by the script of flyzhu.9966.org.
As an emergency measure I cleared that manually from the database tables. After some days my database was once again affected by scripts in the name of tlcn.net, jkn3.ru and bce8.ru. Recently my database was affected by www.loopk.ru/script.js.

Still now I couldn't find the solution to overcome this problem. Could anyone please give me a permanent solution for this problem?

Thanks and Regards
R.Logeshwaran
rlogeshwaran@gmail.com

Ice said...

The best solution will be to look at your site's implementation and ensure that the coding is secure. By sanitising inputs, using stored procedures instead of inline SQL, etc., my site has managed to remain relatively secure so far.