Solved

How to detect and clean an SQL Injection

Posted on 2008-06-22
2
1,218 Views
Last Modified: 2008-10-27
Hi,

I believe that we have been hit with an SQL injection attack. At the top of our website page it has the following;

<script src=http://www.chinabnr.com/b.js></script>

Can you tell me how to detect and clean if this is the case.??

TIA

Lee
0
Comment
Question by:Lee025_
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 12

Expert Comment

by:patrikt
ID: 21844359
If it is realy comming from outside atack you have to fix all hole in your applications.
Every textbox without validataion can be hole to SQL if it is used insorrectly.
I can give you guiodelines for this but you have to do¨cleaning manualy.

As I know there is no automatic test tool, but somone may know about it.

Patrik
0
 
LVL 1

Accepted Solution

by:
rezen earned 500 total points
ID: 21849587
Same thing happened to me. Damn Chinese hackers!

What I did was run the SQL code here: http://alexduggleby.com/2008/05/09/off-topic-t-sql-replace-all-occurrences-in-all-columns-in-all-tables/

This allowed me to generate a sql script that parses all my tables and erases all the the injected text in all character storing columns.

NOTE:
The code on the guy's site is not entirely working. I had to erase a smiley tag and fix the comments. Once it ran, it generated all the update statements needed. Make sure you tweak the code to replace the '<script...' with an empty string: ''
Also note that this does not clean NTEXT columns, which are affected by the SQL Injection. What I did was convert all my NTEXT columns to VARCHAR(MAX) [supported in SQL Server 2005].

Good luck, and don't forget to fix your vulnerabilities.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Everyone has problem when going to load data into Data warehouse (EDW). They all need to confirm that data quality is good but they don't no how to proceed. Microsoft has provided new task within SSIS 2008 called "Data Profiler Task". It solve th…
It is possible to export the data of a SQL Table in SSMS and generate INSERT statements. It's neatly tucked away in the generate scripts option of a database.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed
Via a live example, show how to shrink a transaction log file down to a reasonable size.

634 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question