medman
Starting Member
4 Posts
Posted - 2010-08-05 : 14:39:06

I am a Windows sysadmin and I'm temporarily filling in the SQL admin role. I am definitely a newbie SQL admin. We got hit by a SQL injection attack yesterday out of South Korea and most of the fields in our Customer tables have the following script: <script src=http//wtrc.kangwon.ac.kr/skin/rook.js>. Needless to say, with this script running thousands of times it's bringing our server to its knees. What is the best method to do a delete or search and replace across all tables and columns?

P.S. I have really, really strengthened our passwords.
tkizer
Almighty SQL Goddess
38200 Posts
medman
Starting Member
4 Posts
Posted - 2010-08-05 : 16:18:27

Thanks Tara. Can you also point me to a page that instructs me how to set up a stored procedure? Thanks.
tkizer
Almighty SQL Goddess
38200 Posts
Kristen
Test
22859 Posts
Posted - 2010-08-06 : 02:11:09

"P.S. I have really, really strengthened our passwords"

That won't help if it WAS a SQL injection attack.

If you want to get the original customer data back then you will have to restore from backup, or restore to a temporary database and selectively merge the data back - i.e. replace the <SCRIPT> rubbish with the original Customer Name (or whatever was there before).
medman
Starting Member
4 Posts
Posted - 2010-08-06 : 14:41:45

Hi Kristen. Thanks for the reply. Why do you say that? What is it that I have to do to stop these nasties from getting into SQL Server in the future?
medman
Starting Member
4 Posts
Posted - 2010-08-06 : 14:46:19

Hi Kristen. I didn't read the rest of the post. Nothing in the Customer records was deleted. Just the scripts were concatenated on the end of the text in the various Customer DB fields. So I think a straightforward replace would work fine.
Kristen
Test
22859 Posts
Posted - 2010-08-06 : 17:07:50

"Just the scripts were concatenated on the end of the text in the various Customer DB fields. So I think a straightforward replace would work fine."

Sounds fine. The normal issue is when the field is not big enough for the original data plus the <SCRIPT> data and, depending on how the hack is made, sometimes some original data can be lost. If it is just concatenated then you will be fine - however, watch out for where only part of the script was added (field was too small and truncated the remainder) - then a REPLACE won't remove it.

"Why do you say that? What is it that I have to do to stop these nasties from getting into SQL Server in the future?"

You need to read up on SQL Injection. It has nothing to do with password security, but the way that your program is written. It is possible that the hack was via the password, and not SQL Injection. But if it was SQL injection then your application will be vulnerable until you fix the application.
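A cleanup script of the kind asked for in this thread, added here as an example and not code posted by anyone in it: it walks every character column of every user table, reports hits per column in a dry run, and when run for real keeps only the text before the injected fragment, so the truncated partial copies Kristen warns about are removed as well as the complete ones. Assumptions: SQL Server (T-SQL), the script was appended to the end of the original value, and the marker text `<script src=` never appears in legitimate customer data; take a full backup before setting @DryRun to 0.

```sql
-- Assumed marker: start of the injected fragment. It is deliberately short so that a copy
-- truncated by a small column (Kristen's caveat) still matches.
DECLARE @Marker nvarchar(100);
SET @Marker = N'<script src=';
DECLARE @DryRun bit;
SET @DryRun = 1;   -- 1 = report hits per column only; 0 = actually clean the data

DECLARE @Schema sysname, @Table sysname, @Column sysname;
DECLARE @Name nvarchar(400), @Full nvarchar(400), @Sql nvarchar(max);

-- Every character column of every user table. text/ntext are skipped (they need a CAST first)
-- and computed columns are skipped because they cannot be updated.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar')
      AND COLUMNPROPERTY(OBJECT_ID(QUOTENAME(c.TABLE_SCHEMA) + '.' + QUOTENAME(c.TABLE_NAME)),
                         c.COLUMN_NAME, 'IsComputed') = 0;

OPEN cols;
FETCH NEXT FROM cols INTO @Schema, @Table, @Column;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @Name = QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table);
    SET @Full = @Schema + N'.' + @Table + N'.' + @Column;
    IF @DryRun = 1
        -- Count rows in this column that carry the marker (complete or truncated copy).
        SET @Sql = N'SELECT @col AS column_name, COUNT(*) AS hits FROM ' + @Name
                 + N' WHERE CHARINDEX(@m, ' + QUOTENAME(@Column) + N') > 0 HAVING COUNT(*) > 0;';
    ELSE
        -- Keep only the text before the marker; unlike REPLACE this also drops a partial tag.
        SET @Sql = N'UPDATE ' + @Name + N' SET ' + QUOTENAME(@Column)
                 + N' = LEFT(' + QUOTENAME(@Column) + N', CHARINDEX(@m, ' + QUOTENAME(@Column) + N') - 1)'
                 + N' WHERE CHARINDEX(@m, ' + QUOTENAME(@Column) + N') > 0;';
    -- Object names go through QUOTENAME and the marker is a parameter, so this cleanup
    -- script is not itself open to injection through unusual table or column names.
    EXEC sp_executesql @Sql, N'@m nvarchar(100), @col nvarchar(400)', @m = @Marker, @col = @Full;
    FETCH NEXT FROM cols INTO @Schema, @Table, @Column;
END
CLOSE cols;
DEALLOCATE cols;
```

Run it with @DryRun = 1 first and review the per-column counts for anything unexpected before running it with @DryRun = 0.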