?
Solved

SQL Server was hacked need advice

Posted on 2008-06-23
10
Medium Priority
?
167 Views
Last Modified: 2010-04-21
I came into work today to a missing set of tables in a database.
This was a complete order database holding all of our members orders. (Yikes!)

The database was there, but it was completely empty.
Clicking on it in SQL Sever Management did nothing but highlight the name.

After the mini heart attack and the quick check of the classifieds I took stock and restored from a database backup (unfortunately it was a full day old)

My question is about permisions.
what is the best way to secure this database in the future?
Previously in my ignorance  and to get this running I set up a bunch of users and did trial and error, in the process I am sure I set some kind of permisson to that let this happen.

On the Table, I have removed ALL users except one and I have made the password tougher for that one.
I removed all permissions and sdtarted over.  The one user now has Select, Update, Delete and Insert checked on the permissions section.

On the database permissions section I have the same user with "connect" permissions.,
I also have
BUILTIN\Administrators
SERVERNAME\SQLManager
SERVERNAME\SQLSERVERMANAGER
SERVERNAME\SQLSERVER2005AGENTUser$Servername
with "Connect" permisssions.

Is this the safest way? I am assuming some hacker or injection script or something caused this?
Are these permissions good enough?
0
Comment
Question by:EGormly
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846020
Did you make sure that the password for your sa account is not blank and that you don't have xp_cmdshell enabled?
0
 

Author Comment

by:EGormly
ID: 21846038
chapmandew:

No, how do I make sure?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846068
In management studio or EM, go to the server then to the security tab.  Find the sa account and make sure the password isn't blank.  For xp_cmdshell, run this:


sp_configure 'xp_cmdshell'

if the run_value is 1, then it is enabled.  If you do not use it for anything, disable it.  

Also, check out this link for some free SQL security tools:

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:EGormly
ID: 21846129
sp_configure 'xp_cmdshell' gives off errord and the SP password is not blank.

so other than that is my scheme above OK?
How do you supposed someone did this?
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846151
It may not be blank, but it could be easily guessable.

Also, do you have a website that uses inline SQL code and passes it to the DB?  If so, it might be some sort of SQL Injection attack.

The changes you made above are a good start...
0
 

Author Comment

by:EGormly
ID: 21846580
The database is used strickly for the website, it is a shopping cart application.
The SA password is 12 characters long alphanumeric, I will add a special character or two as well (@!)

How can I prevent Sql Injection attacks?  
Just better passwords and all hotfixes?
0
 
LVL 60

Accepted Solution

by:
chapmandew earned 2000 total points
ID: 21846691
A great place to start is to start using stored procedures to interact w/ the database rather than executing sql code on your web page...also, where input is allowed on your web page disallow any type of SQL constructs that may be used in attacks....a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements.
0
 

Author Comment

by:EGormly
ID: 21846780
>> "a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements."

You mean like using a replace function to make sure the ' or '' are not being inserted with the form fields being posted?  Is there a list of SQL constructs?


as far as stored procedures.. I don't know how to do that and almost all of the database access is accessed by variables, I no little about stored procedures but I am fairly certaina astored procedure can't store a variable I would need to pull data on a certain item (out of thousands)
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 21846876
Yes, that is what I mean....not sure that there is a definitive list.

Really, you're better off hiring a consulting company to go in and do an analysis on your database/web code for this very reason.  
0
 

Author Closing Comment

by:EGormly
ID: 31469726
Thanks, you pointed me in the right direction!
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
What if you have to shut down the entire Citrix infrastructure for hardware maintenance, software upgrades or "the unknown"? I developed this plan for "the unknown" and hope that it helps you as well. This article explains how to properly shut down …
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question