Solved

SQL Server was hacked need advice

Posted on 2008-06-23
10
162 Views
Last Modified: 2010-04-21
I came into work today to a missing set of tables in a database.
This was a complete order database holding all of our members orders. (Yikes!)

The database was there, but it was completely empty.
Clicking on it in SQL Sever Management did nothing but highlight the name.

After the mini heart attack and the quick check of the classifieds I took stock and restored from a database backup (unfortunately it was a full day old)

My question is about permisions.
what is the best way to secure this database in the future?
Previously in my ignorance  and to get this running I set up a bunch of users and did trial and error, in the process I am sure I set some kind of permisson to that let this happen.

On the Table, I have removed ALL users except one and I have made the password tougher for that one.
I removed all permissions and sdtarted over.  The one user now has Select, Update, Delete and Insert checked on the permissions section.

On the database permissions section I have the same user with "connect" permissions.,
I also have
BUILTIN\Administrators
SERVERNAME\SQLManager
SERVERNAME\SQLSERVERMANAGER
SERVERNAME\SQLSERVER2005AGENTUser$Servername
with "Connect" permisssions.

Is this the safest way? I am assuming some hacker or injection script or something caused this?
Are these permissions good enough?
0
Comment
Question by:EGormly
  • 5
  • 5
10 Comments
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846020
Did you make sure that the password for your sa account is not blank and that you don't have xp_cmdshell enabled?
0
 

Author Comment

by:EGormly
ID: 21846038
chapmandew:

No, how do I make sure?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846068
In management studio or EM, go to the server then to the security tab.  Find the sa account and make sure the password isn't blank.  For xp_cmdshell, run this:


sp_configure 'xp_cmdshell'

if the run_value is 1, then it is enabled.  If you do not use it for anything, disable it.  

Also, check out this link for some free SQL security tools:

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 

Author Comment

by:EGormly
ID: 21846129
sp_configure 'xp_cmdshell' gives off errord and the SP password is not blank.

so other than that is my scheme above OK?
How do you supposed someone did this?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846151
It may not be blank, but it could be easily guessable.

Also, do you have a website that uses inline SQL code and passes it to the DB?  If so, it might be some sort of SQL Injection attack.

The changes you made above are a good start...
0
 

Author Comment

by:EGormly
ID: 21846580
The database is used strickly for the website, it is a shopping cart application.
The SA password is 12 characters long alphanumeric, I will add a special character or two as well (@!)

How can I prevent Sql Injection attacks?  
Just better passwords and all hotfixes?
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21846691
A great place to start is to start using stored procedures to interact w/ the database rather than executing sql code on your web page...also, where input is allowed on your web page disallow any type of SQL constructs that may be used in attacks....a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements.
0
 

Author Comment

by:EGormly
ID: 21846780
>> "a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements."

You mean like using a replace function to make sure the ' or '' are not being inserted with the form fields being posted?  Is there a list of SQL constructs?


as far as stored procedures.. I don't know how to do that and almost all of the database access is accessed by variables, I no little about stored procedures but I am fairly certaina astored procedure can't store a variable I would need to pull data on a certain item (out of thousands)
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846876
Yes, that is what I mean....not sure that there is a definitive list.

Really, you're better off hiring a consulting company to go in and do an analysis on your database/web code for this very reason.  
0
 

Author Closing Comment

by:EGormly
ID: 31469726
Thanks, you pointed me in the right direction!
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question