Solved

SQL Server was hacked need advice

Posted on 2008-06-23
10
159 Views
Last Modified: 2010-04-21
I came into work today to a missing set of tables in a database.
This was a complete order database holding all of our members orders. (Yikes!)

The database was there, but it was completely empty.
Clicking on it in SQL Sever Management did nothing but highlight the name.

After the mini heart attack and the quick check of the classifieds I took stock and restored from a database backup (unfortunately it was a full day old)

My question is about permisions.
what is the best way to secure this database in the future?
Previously in my ignorance  and to get this running I set up a bunch of users and did trial and error, in the process I am sure I set some kind of permisson to that let this happen.

On the Table, I have removed ALL users except one and I have made the password tougher for that one.
I removed all permissions and sdtarted over.  The one user now has Select, Update, Delete and Insert checked on the permissions section.

On the database permissions section I have the same user with "connect" permissions.,
I also have
BUILTIN\Administrators
SERVERNAME\SQLManager
SERVERNAME\SQLSERVERMANAGER
SERVERNAME\SQLSERVER2005AGENTUser$Servername
with "Connect" permisssions.

Is this the safest way? I am assuming some hacker or injection script or something caused this?
Are these permissions good enough?
0
Comment
Question by:EGormly
  • 5
  • 5
10 Comments
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846020
Did you make sure that the password for your sa account is not blank and that you don't have xp_cmdshell enabled?
0
 

Author Comment

by:EGormly
ID: 21846038
chapmandew:

No, how do I make sure?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846068
In management studio or EM, go to the server then to the security tab.  Find the sa account and make sure the password isn't blank.  For xp_cmdshell, run this:


sp_configure 'xp_cmdshell'

if the run_value is 1, then it is enabled.  If you do not use it for anything, disable it.  

Also, check out this link for some free SQL security tools:

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx
0
 

Author Comment

by:EGormly
ID: 21846129
sp_configure 'xp_cmdshell' gives off errord and the SP password is not blank.

so other than that is my scheme above OK?
How do you supposed someone did this?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846151
It may not be blank, but it could be easily guessable.

Also, do you have a website that uses inline SQL code and passes it to the DB?  If so, it might be some sort of SQL Injection attack.

The changes you made above are a good start...
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:EGormly
ID: 21846580
The database is used strickly for the website, it is a shopping cart application.
The SA password is 12 characters long alphanumeric, I will add a special character or two as well (@!)

How can I prevent Sql Injection attacks?  
Just better passwords and all hotfixes?
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21846691
A great place to start is to start using stored procedures to interact w/ the database rather than executing sql code on your web page...also, where input is allowed on your web page disallow any type of SQL constructs that may be used in attacks....a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements.
0
 

Author Comment

by:EGormly
ID: 21846780
>> "a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements."

You mean like using a replace function to make sure the ' or '' are not being inserted with the form fields being posted?  Is there a list of SQL constructs?


as far as stored procedures.. I don't know how to do that and almost all of the database access is accessed by variables, I no little about stored procedures but I am fairly certaina astored procedure can't store a variable I would need to pull data on a certain item (out of thousands)
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846876
Yes, that is what I mean....not sure that there is a definitive list.

Really, you're better off hiring a consulting company to go in and do an analysis on your database/web code for this very reason.  
0
 

Author Closing Comment

by:EGormly
ID: 31469726
Thanks, you pointed me in the right direction!
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now