Solved

MS SQL Customer DB returning Hex Code from website

Posted on 2007-04-09
184 Views
Last Modified: 2010-04-20
I use MS SQL and our customer database has recently started returning odd code that looks like hex from our website.  This just started in the past couple of months and I think it's coming from the catalog request link.  I'm not a DB admin so I'm looking for any advice or possible causes for this behavior.
Question by:aloyd18

12 Comments

Expert Comment

by:Christopher Kile
ID: 18876980
What do you mean, returning code FROM your website?  Do you mean that this was data posted to your customer DB?

Author Comment

by:aloyd18
ID: 18878570
Yes, normally the DB fills up with name, address, number, etc.  Just recently it started populating with the hex looking characters.  And yes the data is coming from the website when a customer enters the catalog request.

Expert Comment

by:Christopher Kile
ID: 18878708
Phew...and your web page code didn't change??  It could be that the character code page that the web page uses has been corrupted.

Expert Comment

by:nmcdermaid
ID: 18879401
Can you first verify what it looks like in the database? Then you can identify whether the issue is in the database or in the web code.

It's quite possible that your database is Unicode, and you have someone entering non-English characters in a web page.

The non-English characters are saved to the database (totally valid), but when they are selected out to an English-only browser, the characters look strange because they can't be represented.

Author Comment

by:aloyd18
ID: 18907818
Where the customer name, number, state, phone number, etc. usually show up, I'm getting a bunch of garbage that looks like this...

936658CB-CC6E-43 936658CB-CC6E-43 1 WAITFOR DELAY '0:0:20'--

Author Comment

by:aloyd18
ID: 18907955
The problem seems to be between our web site and the business system we use called Ecometry.  Does anyone have any suggestions on troubleshooting the website side?

Expert Comment

by:Christopher Kile
ID: 18908073
That isn't hex, it's some kind of serial number stuff, possibly incomplete GUIDs, and the WAITFOR DELAY is script code of some sort.

I have a wild idea that you are under some sort of script-insertion attack.  In this strange scenario, the inserted script is being mapped to parameters in a stored procedure you are using, causing it to look like your web site is posting garbage.  The fact that in this scenario you've used a stored procedure has prevented the attacking script from executing something evil on either your web server or on your SQL Server.

Server-side validation of field length and type prior to posting to SQL Server should help you eliminate this garbage.

Author Comment

by:aloyd18
ID: 18908110
Can you give me some pointers on setting up server side validation?  You're talking on the SQL server right?

Expert Comment

by:Christopher Kile
ID: 18908151
No, I'm talking on the web server.  However, you can also do a base-level validation on the SQL Server if you're performing your updates with stored procedures.  Are you doing so?

Expert Comment

by:nmcdermaid
ID: 18909538
Yes I most definitely agree, you could be having a script attack. Very suspicious.

Author Comment

by:aloyd18
ID: 18919831
I'm not sure if updates are done by stored procedures.  Where would one start in troubleshooting this?

Accepted Solution

by:Christopher Kile (earned 500 total points)
ID: 18919922
You need the web code.  You need to analyze the code triggered by form submission as this is the most likely place where updates would be performed.  This is where you can see if SQL queries are being composed on the fly, or if stored procedures are being called.

Also, you can examine the stored procedures in your database.  Use SQL-EM to generate a script of all stored procedures, then load it into an editor and search for INSERT and UPDATE, also for the name of the table where the garbage has been posted.
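Added example, not from the thread or from the Ecometry/web code under discussion: it illustrates Christopher Kile's point that a value such as the one posted above is stored harmlessly when it is passed as a parameter, and becomes executable SQL only when the statement is built by string concatenation, which is what the accepted answer tells the asker to look for in the form-submission code. It also includes a small triage scan for rows that already contain SQL-looking fragments, the "verify what it looks like in the database" step nmcdermaid suggested. Assumptions: sqlite3 (in-memory) stands in for MS SQL Server so the script runs offline, the table `catalog_request` and its columns are made up, the sample rows are constructed, and the tail `1 WAITFOR DELAY '0:0:20'--` is split off the posted value only to show the shape of a time-delay probe aimed at an unquoted numeric field.

```python
"""Added example (not the thread's code): parameterised vs concatenated SQL,
plus a triage scan of stored rows. sqlite3 stands in for MS SQL Server."""
import re
import sqlite3

# The exact value reported in the thread, as found in the customer table.
POSTED_VALUE = "936658CB-CC6E-43 936658CB-CC6E-43 1 WAITFOR DELAY '0:0:20'--"
# Its tail: the shape of a time-delay probe for an unquoted numeric field.
# Splitting it off here is an assumption made for illustration only.
NUMERIC_PROBE = "1 WAITFOR DELAY '0:0:20'--"

# Constructed sample submissions: two ordinary catalog requests and the probe.
SAMPLE_REQUESTS = [
    ("Jane Doe", "123 Main St", "555-0100"),
    ("John Q Public", "9 Elm Rd", "555-0199"),
    (POSTED_VALUE, POSTED_VALUE, "1"),
]

LITERAL_RE = re.compile(r"'(?:[^']|'')*'")


def sql_outside_literals(sql):
    """Blank out every single-quoted literal, leaving only the text the SQL
    parser treats as code. Anything left here came from the statement, not data."""
    return LITERAL_RE.sub("''", sql)


def lookup_concatenated(customer_id):
    """Vulnerable pattern: the submitted value is pasted into the statement."""
    return "SELECT name FROM catalog_request WHERE id = " + customer_id


def lookup_parameterised(customer_id):
    """Safe pattern: the statement is fixed; the value travels separately."""
    return ("SELECT name FROM catalog_request WHERE id = ?", (customer_id,))


def make_db():
    conn = sqlite3.connect(":memory:")  # assumed schema, stands in for MS SQL
    conn.execute(
        "CREATE TABLE catalog_request "
        "(id INTEGER PRIMARY KEY, name TEXT, address TEXT, phone TEXT)"
    )
    return conn


def store_parameterised(conn, name, address, phone):
    """Parameterised insert: whatever the field contains is stored verbatim."""
    conn.execute(
        "INSERT INTO catalog_request (name, address, phone) VALUES (?, ?, ?)",
        (name, address, phone),
    )


# Fragments that should not appear in a name, address or phone number.
# Apostrophes are deliberately not flagged (O'Brien is a valid name).
SUSPICIOUS_RE = re.compile(r"(?i)\bWAITFOR\b|--|;|\bEXEC\b|xp_")


def find_suspicious_rows(conn):
    """Triage: ids of stored rows whose fields carry SQL-looking fragments."""
    hits = []
    for row_id, name, address, phone in conn.execute(
        "SELECT id, name, address, phone FROM catalog_request"
    ):
        if any(SUSPICIOUS_RE.search(v or "") for v in (name, address, phone)):
            hits.append(row_id)
    return hits


def demo():
    conn = make_db()
    for name, address, phone in SAMPLE_REQUESTS:
        store_parameterised(conn, name, address, phone)
    stored_names = [
        r[0] for r in conn.execute("SELECT name FROM catalog_request ORDER BY id")
    ]
    return {
        # Parameterised insert: the probe is stored as plain data, which is
        # exactly the "garbage" the thread describes seeing in the table.
        "stored_names": stored_names,
        "suspicious_rows": find_suspicious_rows(conn),
        # Concatenation: WAITFOR DELAY is now part of the executable SQL text.
        "concat_code": sql_outside_literals(lookup_concatenated(NUMERIC_PROBE)),
        # Parameterised lookup: the probe never reaches the parser as code.
        "param_code": sql_outside_literals(lookup_parameterised(NUMERIC_PROBE)[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

On SQL Server, the concatenated lookup would run `WAITFOR DELAY '0:0:20'` and pause for 20 seconds, which is how a scanner confirms an injection point without seeing any output; sqlite has no WAITFOR, so here the point is only that the fragment ends up outside every literal. When reviewing the stored procedures the accepted answer suggests scripting out, the same distinction applies in T-SQL: `sp_executesql` with declared parameters keeps the value as data, while `EXEC` on a concatenated string does not.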