mass website hacking + LAMP vs .NET comparison



As I am writing these lines, history is happening. The biggest mass-hacking campaign in the history of the web is happening right now. The campaign is named LizaMoon and more than 1.5 million websites have already been hacked and counting.

The infection uses vulnerability in the security of the Microsoft .net based web applications. The two worst nightmares me and every other web developer have are SQL Injections and XSS. While everyone is talking about XSS, I was left with the impression the SQL Injection vulnerabilities are not that common anymore and that XSS was a bigger issue.

I am glad that this happened in the times when everyone is thinking about moving from PHP to .NET. Let me show you a comparison between LAMP and .NET

Closed source – only Microsoft knows what’s inside the code Open-source everyone can see what the code is.
You must pay top use it You don’t have to pay to use it – it’s FREE!
Every 3 years a new version comes out and you need to pay to upgrade. Corporations have to spend millions on licensing in order to upgrade which they do not do. As a result the infrastructure gets out dated – millions of organisations are using Microsoft software more than 10 years old which is out of support. New versions come out often and its free to upgrade. Corporations are free to upgrade and don’t need to pay anything.
You must pay Microsoft to get support Millions of people from the open-source community are ready help you in Forums, Newsgroups, IRC.. And they don’t want a penny from you.
Developed by people being paid to work 9-5 working under pressure to chase deadlines and in the rush they miss many things Developed by people who do it because they love it. Then the code is released and other people help them improve it. All done because they love what they are doing and available free.
Compiled code – the only advantage I can see. The code is in machine language so it’s executed faster The code is in “human” format and the machine has to be interpreted every time the website is requested which slows it down a little.

From the above table my conclusion is that if you choose to develop in .net you choose to pay Microsoft all the time because this is Microsoft’s business model. They don’t care about you – they want your money. And now that the biggest attack is happening because of a problem in their software and they are sitting quiet about it.

We know that LizaMoon is a SQL Injection, but we don’t know what the vulnerability exactly is. With such a large number of websites infected I would guess it’s something in .net on a lower level but this is just a guess.

They already said it’s not their fault:

Microsoft is aware of reports of an ongoing SQL injection attack. Our investigation has determined these sites were exploited using a vulnerability in certain third-party content management systems. This is not a Microsoft vulnerability.

Now that the bad guys have a database with all the vulnerable websites its only a matter of time until they launch their next attack. God knows what they are going to do next.

Good luck to all of you guys fixing this, I know some of you have had sleepless nights. I know god will help you! Don’t lose faith!

Latest information about lizamoon