Solved

SQL injection (/b.js) - track database actions...

Posted on 2008-06-18
Medium Priority
1,090 Views
Last Modified: 2008-10-27
I have fallen victim to what appears to be a SQL Injection attack (...banner82.com/b.js is inserted in all tables). My system is an old ASP application that requires some protection updates (stored procedures and so on). I wonder if there is a way to track actions in my SQL server to see where (or on what table) the SQL injection is executed? The SQL injection happens several times each hour!
Question by:webressurs
2 Comments
LVL 7

Accepted Solution

by: Chrisedebo earned 2000 total points
ID: 21812288
I would suggest leaving a trace running on the SQL database using the SQL Server Profiler. It will slightly hamper performance, but you will have a list of each action performed on the database. You can then search it to find out the syntax being used to modify your data.
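The same capture can be set up as a server-side trace instead of a Profiler GUI session, which is lighter on the server and keeps running after the desktop session is closed. The script below is an added example, not code from this thread; it uses the documented sp_trace_* procedures with SQL Server 2005 syntax, and the output folder and the database name in the filter are placeholders to replace.

```sql
-- Added example, not code from the thread: a server-side trace equivalent to
-- the Profiler session suggested above, written with the sp_trace_* procedures
-- so it runs without the GUI and survives a closed desktop session.
-- Assumptions: SQL Server 2005 syntax, a placeholder output folder on the
-- database host, and a placeholder database name in the filter.
USE master;
GO
DECLARE @traceid int, @rc int, @maxsize bigint, @on bit;
SET @maxsize = 50;   -- MB per .trc file before rolling over to the next one
SET @on = 1;

-- Option 2 = TRACE_FILE_ROLLOVER. SQL Server adds the .trc extension itself.
EXEC @rc = sp_trace_create @traceid OUTPUT, 2, N'C:\traces\injection_hunt', @maxsize, NULL;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc);
    RETURN;
END;

-- Events to record. 41 (SQL:StmtCompleted) matters here: a statement that is
-- built as a string and run through EXEC() is reported as its own statement,
-- so the outer batch text alone may not show the UPDATE that touched the table.
DECLARE @events TABLE (eventid int);
INSERT INTO @events VALUES (10);   -- RPC:Completed
INSERT INTO @events VALUES (12);   -- SQL:BatchCompleted
INSERT INTO @events VALUES (41);   -- SQL:StmtCompleted

-- Columns to keep for each event.
DECLARE @columns TABLE (columnid int);
INSERT INTO @columns VALUES (1);   -- TextData
INSERT INTO @columns VALUES (8);   -- HostName
INSERT INTO @columns VALUES (10);  -- ApplicationName
INSERT INTO @columns VALUES (11);  -- LoginName
INSERT INTO @columns VALUES (12);  -- SPID
INSERT INTO @columns VALUES (14);  -- StartTime
INSERT INTO @columns VALUES (35);  -- DatabaseName

DECLARE @e int, @c int;
DECLARE ev_cur CURSOR LOCAL FOR
    SELECT e.eventid, c.columnid FROM @events e CROSS JOIN @columns c;
OPEN ev_cur;
FETCH NEXT FROM ev_cur INTO @e, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_trace_setevent @traceid, @e, @c, @on;
    FETCH NEXT FROM ev_cur INTO @e, @c;
END;
CLOSE ev_cur;
DEALLOCATE ev_cur;

-- Keep only activity in the affected database (column 35 = DatabaseName,
-- logical operator 0 = AND, comparison operator 6 = LIKE). Placeholder name.
EXEC sp_trace_setfilter @traceid, 35, 0, 6, N'YourDbName';

EXEC sp_trace_setstatus @traceid, 1;   -- 1 = start
SELECT @traceid AS traceid;            -- keep this id: status 0 stops, status 2 deletes the trace
GO

-- Later, read the trace back and search it, as the answer suggests. Rollover
-- files are picked up automatically when the second argument is DEFAULT.
SELECT StartTime, SPID, LoginName, HostName, ApplicationName, DatabaseName,
       CAST(TextData AS nvarchar(4000)) AS TextData
FROM fn_trace_gettable(N'C:\traces\injection_hunt.trc', DEFAULT)
WHERE TextData LIKE N'%<script%' OR TextData LIKE N'%b.js%'
ORDER BY StartTime;
```

The trace deliberately filters only on the database name and not on the statement text; the injected string is searched for afterwards in the captured rows, so nothing is lost if the text that reaches the server looks different from the string that ends up in the tables. The LoginName, HostName and ApplicationName columns of the matching rows tell you which application login and which web server the statements arrive through, which is the starting point for locating the vulnerable ASP page.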
Expert Comment

by:mcomedia
ID: 21875655
There is a way to clean out this particular injection.

Originally found on this website.
http://blogs.msdn.com/jay_akhawri/archive/2008/06/25/latest-sql-injection-of-script-components.aspx

use [your DB name]

-- Strips everything from the last '<script' tag to the end of the value in
-- every text-type column of every user table. Column types: 99 = ntext,
-- 35 = text, 231 = nvarchar, 167 = varchar. Values are handled as
-- varchar(8000), so longer values are truncated by the cleanup itself; take a
-- backup first, and swap EXEC( for PRINT( to preview the generated UPDATEs.
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  -- patindex on the reversed value finds the last '<script' (7 characters);
  -- len - 6 - patindex is the number of characters that precede it, which
  -- left() keeps.
  EXEC(
  -- PRINT(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script%'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

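Before running a cleanup like the one above it helps to know exactly which tables and columns the injection is landing in, which is also what the question asks. The read-only inventory below is an added example, not part of this thread: it builds one COUNT query per text-type column from the same sysobjects/syscolumns join the cleanup uses and reports only the columns that currently contain a '<script' tag. Run it before the cleanup to see where the injection lands and again afterwards to confirm nothing is left. It assumes SQL Server 2005 (nvarchar(max)) and, like the cleanup script, tables owned by the default schema.

```sql
-- Added example, not from the thread: a read-only inventory that counts, per
-- user table and text column, the rows currently carrying an injected <script
-- tag. Assumes SQL Server 2005 (nvarchar(max)) and, like the cleanup script,
-- tables owned by the default schema. Nothing is modified.
USE [your DB name];
GO
DECLARE @sql nvarchar(max);
SET @sql = N'';

-- One SELECT per text-type column; 35 = text, 99 = ntext, 167 = varchar, 231 = nvarchar.
SELECT @sql = @sql
    + N' UNION ALL SELECT ' + QUOTENAME(a.name, '''') + N' AS table_name, '
    + QUOTENAME(b.name, '''') + N' AS column_name, COUNT(*) AS hit_rows'
    + N' FROM ' + QUOTENAME(a.name)
    + N' WHERE ' + QUOTENAME(b.name) + N' LIKE ''%<script%'''
FROM sysobjects a
JOIN syscolumns b ON a.id = b.id
WHERE a.xtype = 'U' AND b.xtype IN (35, 99, 167, 231);

IF LEN(@sql) > 0
BEGIN
    -- Drop the leading ' UNION ALL ' (11 characters), then keep only columns with hits.
    SET @sql = N'SELECT table_name, column_name, hit_rows FROM ('
             + STUFF(@sql, 1, 11, N'')
             + N') AS hits WHERE hit_rows > 0 ORDER BY hit_rows DESC;';
    EXEC sp_executesql @sql;
END;
```

The result is one row per affected column with the number of injected rows, sorted so the most heavily hit columns come first. Comparing that list with the trace results narrows down which UPDATE statements, and therefore which ASP pages, are responsible; a column that keeps reappearing in this list after cleanup is the one whose input path still needs parameterised queries or stored procedures, as the question already anticipates.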
