Is pluggins like No-Script really needed?

JonM33 said:

Oddly enough I have been visiting only legitimate websites and never used No-Script and I don't have any malware.

Not sure if I trust an AV company who would most likely try to spread FUD in order to sell product.

I visit all websites and I don't have any malware.

A lot of the affected domains were legitimate: Over 62,000 New URLs Serving Exploit Cocktail - Vulnerable visitors get infected with backdoors and info stealing trojans - Softpedia

You can find many supposedly legitimate websites listed on host files.

noobvious said:

You're just a bundle of sunshine in every thread, aren't you?

It depends on the subject. Sorry, maybe I was harsh on the terminology there. No offense intended.

malexous said:

I visit all websites and I don't have any malware.

A lot of the affected domains were legitimate: Over 62,000 New URLs Serving Exploit Cocktail - Vulnerable visitors get infected with backdoors and info stealing trojans - Softpedia

You can find many supposedly legitimate websites listed on host files.

If I search Google for that string I get a whopping 1,400 (not 62,000) results, most just asking questions.

I wonder what websites were actually effected?

malexous said:

If I search for that string without quotes I receive 32,600 results. With quotes 158,000.

The article is nearly a year old.

I found one website still containing the code (I only checked a few). The domain hosting the script is thankfully down.

Edit: According to Site Profile Search | Compete one of the legitimate affected websites had 150,000 unique visits during August 2009.

Without quotes in Google I get 1,440 hits. With quotes I get 10,200 hits. MOST of these are all people asking about it, not actual websites with the embedded script.



When digging I could only find portal/forum based websites as these are most susceptible, the DotNetNuke portal for example: Script Injection on DNN 4.9.4 - Administration and Configuration - DotNetNuke

Of course people running portals and forums should be protecting themselves against SQL injections anyway but it doesn't seem like any real (or major) websites were affected.

malexous said:

I was searching at Google.ie | I get the same results as you at Google.com

The most major affected website was probably feedzilla.com (it's clean now).

Many major websites have been or are vulnerable to different attacks.

Google, Symantec, Ebay, Intel, MPAA, Kaspersky, Avast, ESET, RIAA, U.S. Bank, Bank of America, McAfee, AVG, F-Secure, Avira, Paypal, etc.

Thanks to Team Elite.

Other major websites have been exploited maliciously and non-maliciously. Incidents - News - page 1 - Softpedia

Edit: I remember reading about a news site being attacked. This is probably be it: Mass Web attack hits Wall Street Journal, Jerusalem Post

Curious...I'm no hacker but I do have experience on websites, primarily using PHP based portals with SQL backends.

How is a SQL injection (adds information into database) going to modify HTML code of a website? HTML (or even PHP) is generally stagnant and permissions are set so that you'd need something like FTP permission to modify them. I have experience with an SQL injection a couple times on a website I ran. It forced me to use NukeSentinel on top of my web portal. After I installed that the SQL attacks stopped (NS can ban IP addresses attempting scripts against your website) so then my website was DDOSed.

Anyway, I'm confused at the articles pointing to SQL injections modifying HTML code.

I guess the debate would be whether you trust the admin of the website you are visiting? Did they go the extra mile to protect their databases?