Author |
Topic |
mountainguide_se
Starting Member
4 Posts |
Posted - 2007-10-15 : 11:00:15
|
Dear members of this forum,

I might be in the wrong forum; if so, please transfer my question...

Yesterday my entire database was updated and all the data erased. All the fields, all rows in all tables got the following into them: <meta http-equiv="refresh" content="0;URL=http://www.ilgisiz.org/">

Look at http://www.mountainguide.se/default2.asp?Id=4&languageId=46 to see where it goes, Islam propaganda.

I need to make a rollback or restore (if possible). Any tip? |
|
harsh_athalye
Master Smack Fu Yak Hacker
5581 Posts |
Posted - 2007-10-15 : 11:02:54
|
Do you have backups of the database? If yes, you can restore the most recent one.

Harsh Athalye
India.
"The IMPOSSIBLE is often UNTRIED" |
 |
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2007-10-15 : 11:09:12
|
First of all, remove the meta tag http-equiv="refresh" immediately!

Also, I need to ask... How on earth did they get access to the tables? Are you by chance using dynamic SQL to get username and password to log in to the database? If so, the Turkish hackers simply used SQL injection to get access. Sad yes, but mostly true.

As Harsh suggested, back up the latest log file, restore the latest backup, and restore the latest log backup up to before the point in time when the "attack" was made.

And learn from the lesson to never ever use dynamic SQL instead of parametrized queries when handling user-entered data.

E 12°55'05.25"
N 56°04'39.16" |
 |
|
mountainguide_se
Starting Member
4 Posts |
Posted - 2007-10-15 : 11:19:37
|
Don't know how, I'm a mountain guide, not a hacker...

The web host, Surftown, says that it was by SQL injection. I don't know...

I can see there is a log file on the server. But I can only get access to the database by the admin at Surftown. They say that they can do it but want 1500 Swedish/hour for the work. If it's a 1 hour job that's fine, but if it's a 10h?

Is there a way to do it from a script prompt? |
 |
|
mountainguide_se
Starting Member
4 Posts |
Posted - 2007-10-15 : 11:23:55
|
And, if I now update all the data and replace the "propaganda redirect" with an "Under update. Please come back later", will that be a problem for the restore work later on?

Thanks for all your help! |
 |
|
Kristen
Test
22859 Posts |
Posted - 2007-10-15 : 11:28:18
|
"Is there a way to do it from a script prompt?"

Yes, you can Backup / Restore the database from a script prompt.

1) If your database is in FULL Recovery Model make a TLog backup. If you are not sure try making one anyway, you'll get an error if you are using SIMPLE Recovery model.
2) I would recommend a FULL backup. Just in case something goes wrong after this and you need to get back to this point!
3) Restore from last backup

This thread will show you the syntax, a bit lower down it will show you how to interrogate the MSDB database to see a history of what backups were made. (NOTE: Make sure you see the backup that you did at (1) and (2) above, otherwise they didn't work!)

http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=55210&SearchTerms=RESTORE%20syntax%20/%20example,Restore%20Full%20and%20all%20TLogs%20backups,Restore

Restore the full backup from before when the attack was made. Then any Transaction backups after that (and use the STOPAT command if you want to restore up to a specific point in time)

4) Before you put your site live again make sure you have fixed the SQL Injection attack, otherwise they will just do it again.

Kristen |
 |
|
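The backup and point-in-time restore sequence from the post above, written out in T-SQL as an added example that is not part of the original thread. The database name `MyDb`, the `D:\Backup\` paths and file names, and the STOPAT time are placeholders chosen for illustration.

```sql
-- Added example. Assumptions (not from the thread): database [MyDb],
-- folder D:\Backup\, all file names, and the STOPAT time are placeholders.
USE master;

-- 1) Transaction log backup. This raises an error if the database
--    uses the SIMPLE recovery model, which tells you which model you have.
BACKUP LOG [MyDb]
    TO DISK = N'D:\Backup\MyDb_after_attack.trn' WITH INIT;

-- 2) Full backup of the damaged state, as a fallback and as evidence.
BACKUP DATABASE [MyDb]
    TO DISK = N'D:\Backup\MyDb_after_attack.bak' WITH INIT;

-- Backup history from msdb: the two backups above must appear here.
-- type: D = full, I = differential, L = log.
SELECT bs.type, bs.backup_start_date, bs.backup_finish_date,
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bmf.media_set_id = bs.media_set_id
WHERE bs.database_name = N'MyDb'
ORDER BY bs.backup_finish_date DESC;

-- 3) Restore. Disconnect other sessions first so the restore can
--    take exclusive access to the database.
ALTER DATABASE [MyDb] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;

-- Last full backup taken BEFORE the attack; NORECOVERY keeps the
-- database in the restoring state so log backups can be applied.
RESTORE DATABASE [MyDb]
    FROM DISK = N'D:\Backup\MyDb_full_before_attack.bak'
    WITH REPLACE, NORECOVERY;

-- Any earlier log backups go here, in order, each WITH NORECOVERY.
-- The final one stops just before the malicious UPDATE statements ran.
RESTORE LOG [MyDb]
    FROM DISK = N'D:\Backup\MyDb_after_attack.trn'
    WITH STOPAT = N'2007-10-14T09:00:00', RECOVERY;  -- placeholder time

ALTER DATABASE [MyDb] SET MULTI_USER;
```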
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2007-10-15 : 11:28:24
|
If you can live with some data probably gone missing, just ask for a restore of the latest full backup. That shouldn't take more than 1 hour to finish.

I don't know how often your data is updated or inserted. If they do a full backup every night then maybe you can live with that the data inserted/updated during the same day the hack took place is lost?

E 12°55'05.25"
N 56°04'39.16" |
 |
|
mountainguide_se
Starting Member
4 Posts |
Posted - 2007-10-16 : 08:05:06
|
Thank you for your answers.

I got a restore, and it works. Now I will read the topic on how to stop the SQL injection. |
 |
|
sonicth
Starting Member
1 Post |
Posted - 2007-10-26 : 09:35:45
|
Regarding the redirection to the propaganda website mentioned above, lame crackers also used the title tag in head to insert <script>location="http://www.._DONT_INDEX_JUNK_ i.l.g.i.. _DONT_INDEX_JUNK_ ..siz.org"</script> in eutopia.at, using an old Joomla CMS (probably looked up bugs and spent days using cracking tools searching for victims) |
 |
|
|