gormly
Starting Member, 2 Posts
Posted - 2008-07-25 : 09:53:59

Hello All

Details:
Windows 2K3 Server, IIS 6.0
asp/vbscript pages
SQL Server 2005

I run a members-only (not very busy) website shopping cart. I am in desperate sorts.

Twice in the last two weeks I have come into work to find that all the tables in my order database had been deleted. (None of my other databases have been touched, so I am assuming it is being done with webpage injection??)

I panicked, as you can imagine, but luckily I had a once-daily backup to restore. It happened again last week and I now back up each hour to a removable disk. So, we are covered (almost).

I need to find out how someone is doing this and how to prevent it.

I am NOT an expert in SQL. My skills are "jack of all trades, master of none" when it comes to computers. I can run software without looking at the manual, build tweaked systems, even code in VB, a little VB.net and vbscript. SQL is fairly new to me, but the permissions and security are what get me. I have tried to lock it down but obviously I am not very good at it.

Anyone have advice on how to help prevent this, how to find out what I might have left open?

I am really worried....
visakh16
Very Important crosS Applying yaK Herder, 52326 Posts
Posted - 2008-07-25 : 10:40:12

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
http://www.4guysfromrolla.com/webtech/061902-1.shtml
Transact Charlie
Master Smack Fu Yak Hacker, 3451 Posts
Posted - 2008-07-25 : 10:42:49

How does the outside world interact with your database?

I assume that you have some sort of web app serving the webpages and taking client input. It probably suffers from some sort of injection attack, as you have surmised.

There are a ton of things you can do, but the most important ones are to set up a user account that your front end uses that has only the permissions it needs to do its job: not permissions to drop tables, delete from tables it shouldn't, etc., etc. This is a nice, easy (relatively speaking) step that won't affect your application logic too much.

The other vitally important thing to do is to validate your database inputs, either by stored procedures or some parsing function.

Try typing "preventing sql injection" into Google or similar. There is so much scope for insecurity that without specifics it will be hard to give you definitive answers.

-------------
Charlie
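Here is what Charlie's two suggestions look like in T-SQL on SQL Server 2005, as an added example that is not code from the thread. The database, login, role, table and procedure names (OrdersDB, webapp_orders, orders_app_role, dbo.Orders and so on) are assumptions; the point is that every grant is at object level, the login holds no role that can drop or truncate tables, and the pages reach the data through a procedure with a typed parameter rather than SQL text.

```sql
-- Added example, not from the original thread. Database, login, role, table and
-- procedure names are assumptions; substitute your own.
USE [OrdersDB];
GO

-- One dedicated SQL login for the web site. The ASP connection string uses this
-- login and nothing else: never sa, never a member of sysadmin.
CREATE LOGIN [webapp_orders]
    WITH PASSWORD = 'replace-with-a-long-random-password', CHECK_POLICY = ON;
CREATE USER [webapp_orders] FOR LOGIN [webapp_orders];
GO

-- Put the grants on a role so they can be reviewed in one place.
-- The user is NOT added to db_owner, db_ddladmin or db_datawriter.
CREATE ROLE [orders_app_role];
EXEC sp_addrolemember N'orders_app_role', N'webapp_orders';
GO

-- Object-level grants only: exactly the tables and verbs the pages need.
-- DROP TABLE needs ALTER on the schema (or CONTROL/ownership of the table) and
-- TRUNCATE needs ALTER on the table; none of that is granted here.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders     TO [orders_app_role];
GRANT SELECT, INSERT, UPDATE ON dbo.OrderLines TO [orders_app_role];
GRANT SELECT                 ON dbo.Products   TO [orders_app_role];
GRANT SELECT, UPDATE         ON dbo.Members    TO [orders_app_role];
-- No DELETE at all. If a page genuinely deletes rows, grant DELETE on that one
-- table only; a DELETE granted at database scope applies to every table.
GO

-- The second suggestion: the page calls a procedure with a typed parameter
-- instead of sending SQL text. @MemberID is a value, never part of the statement.
CREATE PROCEDURE dbo.usp_GetOrdersForMember
    @MemberID int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderID, OrderDate, OrderTotal
    FROM dbo.Orders
    WHERE MemberID = @MemberID;
END;
GO
-- EXECUTE is enough: dbo owns both the procedure and the table, so ownership
-- chaining lets the procedure read Orders without a separate SELECT grant.
GRANT EXECUTE ON dbo.usp_GetOrdersForMember TO [orders_app_role];
GO
```

On the ASP side the page opens its connection with this login and calls the procedure through an ADODB.Command (CommandType adCmdStoredProc, the member ID appended with CreateParameter), so the value is sent separately from the statement text and a crafted form field has nothing to splice into.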
Transact Charlie
Master Smack Fu Yak Hacker, 3451 Posts
Posted - 2008-07-25 : 10:44:03

Or check out visakh16's links. Man, he always seems to be one step ahead when I'm in the middle of posting something. Good work, fella!

-------------
Charlie
visakh16
Very Important crosS Applying yaK Herder, 52326 Posts
Posted - 2008-07-25 : 10:46:01

quote: Originally posted by Transact Charlie
Or check out visakh16's links. Man, he always seems to be one step ahead when I'm in the middle of posting something. Good work, fella!
-------------
Charlie

Seems like I have a faster refresh rate than you.
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel), 7020 Posts
Posted - 2008-07-25 : 11:19:00

Looks like you were a victim of a "Little Bobby Tables" attack.
http://xkcd.com/327/

CODO ERGO SUM
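The comic's mechanism in T-SQL, as an added example that is not part of the original posts. It reproduces the string-concatenation pattern a classic ASP page produces when it builds its query from Request.Form, shows what a single crafted field turns that query into, and then gives the parameterized forms that Charlie's "validate your database inputs" advice points at. Table and procedure names (dbo.Members, dbo.Orders, usp_FindMember) are assumptions.

```sql
-- Added example, not from the original thread. Table and procedure names are
-- assumptions. Do not run the payload section against a real database.

-- Vulnerable pattern. An ASP page that does
--   "SELECT MemberID FROM Members WHERE MemberName = '" & Request.Form("name") & "'"
-- sends exactly this kind of text; here the same thing is done as dynamic SQL.
CREATE PROCEDURE dbo.usp_FindMember_Unsafe
    @MemberName nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT MemberID FROM dbo.Members WHERE MemberName = '''
             + @MemberName + N'''';
    EXEC (@sql);   -- the form field is now part of the code, not a value
END;
GO

-- The "Little Bobby Tables" field. Spliced into the text above it becomes:
--   SELECT MemberID FROM dbo.Members WHERE MemberName = ''; DROP TABLE dbo.Orders; --'
-- Two statements, and the comment swallows the closing quote. The DROP only
-- succeeds because the connection's login may drop tables; least privilege is
-- the second layer of defence, not a substitute for this one.
DECLARE @payload nvarchar(200), @spliced nvarchar(max);
SET @payload = N'''; DROP TABLE dbo.Orders; --';
SET @spliced = N'SELECT MemberID FROM dbo.Members WHERE MemberName = '''
             + @payload + N'''';
PRINT @spliced;   -- shows the statement the server would have executed
GO

-- Safe pattern: the value travels as a typed parameter. The quote and the
-- semicolon are just characters inside a string the parser never executes.
CREATE PROCEDURE dbo.usp_FindMember
    @MemberName nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT MemberID FROM dbo.Members WHERE MemberName = @MemberName;
END;
GO

-- If dynamic SQL is genuinely needed (a variable ORDER BY column, say), keep
-- the user value a parameter via sp_executesql and whitelist anything that
-- must be spliced into the text, such as the column name.
CREATE PROCEDURE dbo.usp_FindMember_Dynamic
    @MemberName nvarchar(200),
    @SortColumn sysname = N'MemberName'
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortColumn NOT IN (N'MemberName', N'MemberID')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT MemberID, MemberName FROM dbo.Members '
             + N'WHERE MemberName = @name ORDER BY ' + QUOTENAME(@SortColumn);
    EXEC sp_executesql @sql, N'@name nvarchar(200)', @name = @MemberName;
END;
GO
```

The same rule applies to every form field and query-string value the pages touch, not just the login name: a numeric order ID concatenated into a string is just as injectable as a name, and the fix in each case is to pass it as a parameter.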
gormly
Starting Member, 2 Posts
Posted - 2008-07-25 : 12:04:05

quote: Originally posted by Transact Charlie
How does the outside world interact with your database?

Basic webapp. All vbscript code.

quote: Originally posted by Transact Charlie
There are a ton of things you can do, but the most important ones are to set up a user account that your front end uses that has only the permissions it needs to do its job: not permissions to drop tables, delete from tables it shouldn't, etc., etc. This is a nice, easy (relatively speaking) step that won't affect your application logic too much.

This sounds stupid... but how do I verify that? I have the user set up for that database in [Database Properties] - (permissions) with only the following: connect, delete, update, execute, insert, select.

quote: Originally posted by Transact Charlie
The other vitally important thing to do is to validate your database inputs, either by stored procedures or some parsing function.

Not sure how to do that, but I will check the injection links on Google and from visakh16.

visakh16, thanks for the links. Thanks.
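One way to answer the "how do I verify that?" question, as an added example that is not from the thread: a set of queries a sysadmin can run on SQL Server 2005 to see which login the site actually connects with, which roles and explicit permissions that user holds and at what scope, who owns the tables, and finally an impersonated DROP against a throwaway table. The login name webapp_orders and database OrdersDB are assumptions. Two facts worth having in mind while reading the output: permissions set on the Database Properties page are database-scoped, so a DELETE granted there applies to every table in the database, and db_owner membership or ownership of a table allows DROP regardless of what that page lists.

```sql
-- Added example, not from the original thread. Run as a sysadmin in the order
-- database; the login name webapp_orders and database OrdersDB are assumptions.
USE [OrdersDB];
GO

-- 1. Which login is the web site really connecting with? Look at live sessions
--    from the web server. If it is sa or a sysadmin, the database grants are moot.
SELECT s.login_name, s.host_name, s.program_name,
       IS_SRVROLEMEMBER('sysadmin', s.login_name) AS is_sysadmin
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1;

-- 2. Database roles held by the web user. db_owner or db_ddladmin can drop any
--    table no matter what the Permissions page shows.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'webapp_orders';

-- 3. Explicit permissions and their scope. A row with class 0 (DATABASE) means
--    the verb applies to every object; a database-scoped DELETE empties every table.
SELECT p.class_desc, p.permission_name, p.state_desc,
       CASE p.class
            WHEN 0 THEN N'(whole database)'
            WHEN 1 THEN sch.name + N'.' + o.name
            WHEN 3 THEN N'SCHEMA::' + SCHEMA_NAME(p.major_id)
            ELSE p.class_desc
       END AS securable
FROM sys.database_permissions AS p
JOIN sys.database_principals AS d ON d.principal_id = p.grantee_principal_id
LEFT JOIN sys.objects AS o   ON p.class = 1 AND o.object_id = p.major_id
LEFT JOIN sys.schemas AS sch ON sch.schema_id = o.schema_id
WHERE d.name = N'webapp_orders';

-- 4. Table ownership. The owner of a table can drop it with no grant at all.
SELECT sch.name AS schema_name, t.name AS table_name,
       USER_NAME(ISNULL(t.principal_id, sch.principal_id)) AS owner_name
FROM sys.tables AS t
JOIN sys.schemas AS sch ON sch.schema_id = t.schema_id;

-- 5. Effective permissions as seen by the web user, then a real DROP attempt
--    against a throwaway table created only for this probe.
CREATE TABLE dbo.ZZZ_DropProbe (id int);
GO
EXECUTE AS USER = N'webapp_orders';
    SELECT permission_name FROM fn_my_permissions(N'dbo.Orders', N'OBJECT');
    SELECT permission_name FROM fn_my_permissions(N'dbo', N'SCHEMA'); -- ALTER here permits DROP TABLE
    BEGIN TRY
        EXEC (N'DROP TABLE dbo.ZZZ_DropProbe');
        PRINT N'PROBLEM: the web user can drop tables';
    END TRY
    BEGIN CATCH
        PRINT N'Good: DROP refused. ' + ERROR_MESSAGE();
    END CATCH;
REVERT;
GO
IF OBJECT_ID(N'dbo.ZZZ_DropProbe') IS NOT NULL DROP TABLE dbo.ZZZ_DropProbe;
GO
```

If step 5 prints the PROBLEM line, one of steps 1 to 4 will show why (a sysadmin login in the connection string, a db_owner or db_ddladmin membership, an ALTER or CONTROL grant, or the web user owning the tables), and that is the thing to remove before the next attack.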