Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
arpee (Starting Member, 2 Posts)
Posted - 2008-08-09 : 09:51:18
I'm running SQL Server 2000 on Win 2003 Server, running mostly ASP for my sites. Almost every day a few of my databases are getting hacked and someone is injecting/appending a Russian script tag to several db fields. I've tried to check all my ASP scripts and block for injection but I just can't figure out how they are getting in. Is there a built-in monitor for SQL Server that will log each query? Maybe if I knew which update, select or insert query they were using I could pinpoint it and block it. Any other ideas would be greatly appreciated.
TG (Master Smack Fu Yak Hacker, 6065 Posts)
Posted - 2008-08-09 : 11:32:17
Do you keep any web logs? Check for calls with a long hex string. We recently had a bunch of unsuccessful attempts made. The request resolved to an exec'd string which attempts to loop through sys tables and generate UPDATE statements. It didn't work because we use only data-typed, parameterized SPs, (almost) no dynamic SQL, and the account the web service uses to access the database has minimal privs.

Be One with the Optimizer
TG
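An added example, not code from the thread, showing in SQL Server 2000 T-SQL the two shapes TG contrasts: a procedure that EXECs a concatenated string (request data becomes a batch) beside one with a data-typed parameter (request data stays data). The table, procedure names and the request value are constructed for illustration; the hex literal decodes to `SELECT 1`, not to any real payload.

```sql
-- Added example (not from the thread). SQL Server 2000 syntax.
-- dbo.Products, dbo.GetProduct_Unsafe and dbo.GetProduct are hypothetical names.

CREATE TABLE dbo.Products (
    ProductID   int           NOT NULL PRIMARY KEY,
    Name        varchar(100)  NOT NULL,
    Description varchar(2000) NULL
)
GO
INSERT dbo.Products VALUES (1, 'Widget', 'A widget')
INSERT dbo.Products VALUES (2, 'Gadget', 'A gadget')
GO

-- VULNERABLE: whatever the page passes is pasted into the statement and executed.
CREATE PROCEDURE dbo.GetProduct_Unsafe @ProductID varchar(200)
AS
    DECLARE @sql varchar(8000)
    SET @sql = 'SELECT Name, Description FROM dbo.Products WHERE ProductID = ' + @ProductID
    EXEC (@sql)
GO

-- Constructed request value. It is hex-encoded, so it contains no quote character and
-- gets past filters that only escape quotes. 0x53454C4543542031 decodes to SELECT 1 here;
-- the strings TG describes decode to a loop over sysobjects/syscolumns that UPDATEs columns.
EXEC dbo.GetProduct_Unsafe
     '1;DECLARE @S varchar(8000);SET @S=CAST(0x53454C4543542031 AS varchar(8000));EXEC(@S)--'
-- Result: two result sets, the product row and then the decoded SELECT 1.
-- Whatever the web login is allowed to do, the decoded string is allowed to do.

-- To read a hex string lifted from a web log or a trace, cast it back to text:
SELECT CAST(0x53454C4543542031 AS varchar(8000))   -- SELECT 1

-- HARDENED: the parameter is typed; the value is data and never part of the statement text.
CREATE PROCEDURE dbo.GetProduct @ProductID int
AS
    SELECT Name, Description FROM dbo.Products WHERE ProductID = @ProductID
GO

EXEC dbo.GetProduct @ProductID = 1
-- The same request value passed to this procedure fails conversion to int (error 245)
-- before any statement runs, so nothing in it is ever executed.

-- Finding rows that already carry an injected tag, once the hole is closed:
SELECT ProductID, Name FROM dbo.Products WHERE Description LIKE '%<script%'
```

The ASP side has the same split: a page that builds its statement with string concatenation (`"... WHERE ProductID = " & Request("id")`) is `GetProduct_Unsafe` with extra steps, while an ADODB.Command with a parameter created by `CreateParameter` as `adInteger` hands the value over as typed data the way the second procedure expects.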
arpee (Starting Member, 2 Posts)
Posted - 2008-08-09 : 11:54:28
Yes, I've reviewed the log files and there are no injections via URLs that I can see. I'm looking for another way someone may be accessing SQL Server. Can I run some sort of logs on all queries?
GilaMonster (Master Smack Fu Yak Hacker, 4507 Posts)
Posted - 2008-08-09 : 14:06:57
Don't try to block injection, fix the root cause. If you're concatenating strings together to form queries and executing them, you are vulnerable.

Best option: use only stored procedures and restrict the account that the web app is using to only have execute rights to the stored procedures and no rights to the base tables. If that isn't feasible, change all the concatenated strings to use parameters and not to concatenate in conditions.

Run Profiler for a while, catch the RPC:Completed and T-SQL batch completed events. Make sure that you have the columns TextData, ApplicationName, HostName, UserName at a minimum. That should show you where the stuff is coming from.

--
Gail Shaw
SQL Server MVP
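An added example, not code from the thread, of the two things Gail recommends on SQL Server 2000: a web login that holds only EXECUTE on procedures and nothing on base tables, and a trace of RPC:Completed and SQL:BatchCompleted with the columns she names. It uses a server-side trace (sp_trace_create and friends) rather than an attached Profiler session, which captures the same events with less load on a production box. The database name, login, password placeholder, trace path and the procedure dbo.GetProduct are hypothetical.

```sql
-- Added example (not from the thread). SQL Server 2000.
-- ShopDB, WebAppUser, C:\Traces\webapp and dbo.GetProduct are hypothetical names.

USE ShopDB
GO
-- 1. Least privilege for the login the ASP pages connect with
EXEC sp_addlogin 'WebAppUser', 'replace-with-a-strong-password', 'ShopDB'
EXEC sp_grantdbaccess 'WebAppUser'
GRANT EXECUTE ON dbo.GetProduct TO WebAppUser
-- No rights on base tables. Ownership chaining lets the procedure read dbo.Products because
-- procedure and table share an owner. Dynamic SQL (EXEC of a string) breaks that chain and
-- would force you to grant table rights to the web login: a second reason not to use it.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Products TO WebAppUser

-- Verify as that user: the procedure works, a direct UPDATE fails with error 229.
SETUSER 'WebAppUser'
EXEC dbo.GetProduct @ProductID = 1
UPDATE dbo.Products SET Description = 'x'
SETUSER
GO

-- 2. Server-side trace: RPC:Completed (event 10) and SQL:BatchCompleted (event 12), with
-- TextData (1), HostName (8), ApplicationName (10), LoginName (11), SPID (12), StartTime (14)
DECLARE @TraceID int, @maxsize bigint, @on bit
SET @maxsize = 50      -- MB per file before rollover
SET @on = 1
EXEC sp_trace_create @TraceID OUTPUT, 2, N'C:\Traces\webapp', @maxsize   -- 2 = file rollover
EXEC sp_trace_setevent @TraceID, 10, 1,  @on
EXEC sp_trace_setevent @TraceID, 10, 8,  @on
EXEC sp_trace_setevent @TraceID, 10, 10, @on
EXEC sp_trace_setevent @TraceID, 10, 11, @on
EXEC sp_trace_setevent @TraceID, 10, 12, @on
EXEC sp_trace_setevent @TraceID, 10, 14, @on
EXEC sp_trace_setevent @TraceID, 12, 1,  @on
EXEC sp_trace_setevent @TraceID, 12, 8,  @on
EXEC sp_trace_setevent @TraceID, 12, 10, @on
EXEC sp_trace_setevent @TraceID, 12, 11, @on
EXEC sp_trace_setevent @TraceID, 12, 12, @on
EXEC sp_trace_setevent @TraceID, 12, 14, @on
-- Keep the files readable: only the web login (column 11, logical AND = 0, LIKE = 6)
EXEC sp_trace_setfilter @TraceID, 11, 0, 6, N'WebAppUser'
EXEC sp_trace_setstatus @TraceID, 1          -- start
SELECT @TraceID AS TraceID                   -- keep: stop with status 0, then 2 to close it
GO

-- 3. Read the captured batches and pull out the ones shaped like the attack
SELECT StartTime, HostName, ApplicationName, LoginName, TextData
FROM ::fn_trace_gettable('C:\Traces\webapp.trc', DEFAULT)
WHERE TextData LIKE '%CAST(0x%'
   OR TextData LIKE '%sysobjects%'
   OR TextData LIKE '%<script%'
ORDER BY StartTime
```

TextData of the matching rows is the exact batch the server ran, and HostName plus ApplicationName tell you which web server and connection string sent it; with the login restricted as in part 1, the same batch that updated every text column before now fails on the UPDATE even if the page that let it through is still unpatched.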
SwePeso (Patron Saint of Lost Yaks, 30421 Posts)
Posted - 2008-08-09 : 14:47:55
Agreed. Fix the damn root cause! Use parametrized stored procedures. And don't do concatenation or dynamic SQL in the stored procedures. If you get hacked once, that's bad luck. If you get hacked twice, all we can say is "we told you how to fix it".

E 12°55'05.25"N 56°04'39.16"
slaurie (Starting Member, 2 Posts)
Posted - 2008-08-12 : 22:04:08
You should use the IIS Lockdown Tool 2.1 (free download), Baseline security scanner (free download), and the Windows 2003 security templates; these are installed with 2003 SP2 (go to Add/Remove Programs, Windows Components).