?
Solved

SQL injection (/b.js) - track database actions...

Posted on 2008-06-18
2
Medium Priority
?
1,093 Views
Last Modified: 2008-10-27
I have fallen victim to what appears to be a SQL Injection attack (...banner82.com/b.js is inserted in all tables).  My system is an old ASP applicaiton that requires some protection updates (stored procedures and so on). I wonder if there is a way to track actions in my SQL server to see where (or on what table) the SQL injection is executed? The SQL injection happens several times each hour!
0
Comment
Question by:webressurs
2 Comments
 
LVL 7

Accepted Solution

by:
Chrisedebo earned 2000 total points
ID: 21812288
I would suggest leaving a trace running on the SQL database using the SQL Server Profiler, it will slightly hamper performance, but you will have a list of each action performed on the database. you can then search it to find out the syntax being used to modify your data.
0
 

Expert Comment

by:mcomedia
ID: 21875655
There is a way to clean out this particular injection.

Originally found on this website.
http://blogs.msdn.com/jay_akhawri/archive/2008/06/25/latest-sql-injection-of-script-components.aspx




use [your DB name]
 
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
 --PRINT(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script%'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

Open in new window

0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Access has a limit of 255 columns in a single table; SQL Server allows tables with over 255 columns, but reading that data is not necessarily simple.  The final solution for this task involved creating a custom text parser and then reading…
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
Suggested Courses

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question