Solved

SQL Server was hacked need advice

Posted on 2008-06-23
10
165 Views
Last Modified: 2010-04-21
I came into work today to a missing set of tables in a database.
This was a complete order database holding all of our members orders. (Yikes!)

The database was there, but it was completely empty.
Clicking on it in SQL Sever Management did nothing but highlight the name.

After the mini heart attack and the quick check of the classifieds I took stock and restored from a database backup (unfortunately it was a full day old)

My question is about permisions.
what is the best way to secure this database in the future?
Previously in my ignorance  and to get this running I set up a bunch of users and did trial and error, in the process I am sure I set some kind of permisson to that let this happen.

On the Table, I have removed ALL users except one and I have made the password tougher for that one.
I removed all permissions and sdtarted over.  The one user now has Select, Update, Delete and Insert checked on the permissions section.

On the database permissions section I have the same user with "connect" permissions.,
I also have
BUILTIN\Administrators
SERVERNAME\SQLManager
SERVERNAME\SQLSERVERMANAGER
SERVERNAME\SQLSERVER2005AGENTUser$Servername
with "Connect" permisssions.

Is this the safest way? I am assuming some hacker or injection script or something caused this?
Are these permissions good enough?
0
Comment
Question by:EGormly
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846020
Did you make sure that the password for your sa account is not blank and that you don't have xp_cmdshell enabled?
0
 

Author Comment

by:EGormly
ID: 21846038
chapmandew:

No, how do I make sure?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846068
In management studio or EM, go to the server then to the security tab.  Find the sa account and make sure the password isn't blank.  For xp_cmdshell, run this:


sp_configure 'xp_cmdshell'

if the run_value is 1, then it is enabled.  If you do not use it for anything, disable it.  

Also, check out this link for some free SQL security tools:

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 

Author Comment

by:EGormly
ID: 21846129
sp_configure 'xp_cmdshell' gives off errord and the SP password is not blank.

so other than that is my scheme above OK?
How do you supposed someone did this?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846151
It may not be blank, but it could be easily guessable.

Also, do you have a website that uses inline SQL code and passes it to the DB?  If so, it might be some sort of SQL Injection attack.

The changes you made above are a good start...
0
 

Author Comment

by:EGormly
ID: 21846580
The database is used strickly for the website, it is a shopping cart application.
The SA password is 12 characters long alphanumeric, I will add a special character or two as well (@!)

How can I prevent Sql Injection attacks?  
Just better passwords and all hotfixes?
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 500 total points
ID: 21846691
A great place to start is to start using stored procedures to interact w/ the database rather than executing sql code on your web page...also, where input is allowed on your web page disallow any type of SQL constructs that may be used in attacks....a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements.
0
 

Author Comment

by:EGormly
ID: 21846780
>> "a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements."

You mean like using a replace function to make sure the ' or '' are not being inserted with the form fields being posted?  Is there a list of SQL constructs?


as far as stored procedures.. I don't know how to do that and almost all of the database access is accessed by variables, I no little about stored procedures but I am fairly certaina astored procedure can't store a variable I would need to pull data on a certain item (out of thousands)
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846876
Yes, that is what I mean....not sure that there is a definitive list.

Really, you're better off hiring a consulting company to go in and do an analysis on your database/web code for this very reason.  
0
 

Author Closing Comment

by:EGormly
ID: 31469726
Thanks, you pointed me in the right direction!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.
Viewers will learn how the fundamental information of how to create a table.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question