[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 170
  • Last Modified:

SQL Server was hacked need advice

I came into work today to a missing set of tables in a database.
This was a complete order database holding all of our members orders. (Yikes!)

The database was there, but it was completely empty.
Clicking on it in SQL Sever Management did nothing but highlight the name.

After the mini heart attack and the quick check of the classifieds I took stock and restored from a database backup (unfortunately it was a full day old)

My question is about permisions.
what is the best way to secure this database in the future?
Previously in my ignorance  and to get this running I set up a bunch of users and did trial and error, in the process I am sure I set some kind of permisson to that let this happen.

On the Table, I have removed ALL users except one and I have made the password tougher for that one.
I removed all permissions and sdtarted over.  The one user now has Select, Update, Delete and Insert checked on the permissions section.

On the database permissions section I have the same user with "connect" permissions.,
I also have
BUILTIN\Administrators
SERVERNAME\SQLManager
SERVERNAME\SQLSERVERMANAGER
SERVERNAME\SQLSERVER2005AGENTUser$Servername
with "Connect" permisssions.

Is this the safest way? I am assuming some hacker or injection script or something caused this?
Are these permissions good enough?
0
EGormly
Asked:
EGormly
  • 5
  • 5
1 Solution
 
chapmandewCommented:
Did you make sure that the password for your sa account is not blank and that you don't have xp_cmdshell enabled?
0
 
EGormlyAuthor Commented:
chapmandew:

No, how do I make sure?
0
 
chapmandewCommented:
In management studio or EM, go to the server then to the security tab.  Find the sa account and make sure the password isn't blank.  For xp_cmdshell, run this:


sp_configure 'xp_cmdshell'

if the run_value is 1, then it is enabled.  If you do not use it for anything, disable it.  

Also, check out this link for some free SQL security tools:

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
EGormlyAuthor Commented:
sp_configure 'xp_cmdshell' gives off errord and the SP password is not blank.

so other than that is my scheme above OK?
How do you supposed someone did this?
0
 
chapmandewCommented:
It may not be blank, but it could be easily guessable.

Also, do you have a website that uses inline SQL code and passes it to the DB?  If so, it might be some sort of SQL Injection attack.

The changes you made above are a good start...
0
 
EGormlyAuthor Commented:
The database is used strickly for the website, it is a shopping cart application.
The SA password is 12 characters long alphanumeric, I will add a special character or two as well (@!)

How can I prevent Sql Injection attacks?  
Just better passwords and all hotfixes?
0
 
chapmandewCommented:
A great place to start is to start using stored procedures to interact w/ the database rather than executing sql code on your web page...also, where input is allowed on your web page disallow any type of SQL constructs that may be used in attacks....a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements.
0
 
EGormlyAuthor Commented:
>> "a good one to include would be the tick mark (') used to end text data and the semicolon..used to end and start new sql statements."

You mean like using a replace function to make sure the ' or '' are not being inserted with the form fields being posted?  Is there a list of SQL constructs?


as far as stored procedures.. I don't know how to do that and almost all of the database access is accessed by variables, I no little about stored procedures but I am fairly certaina astored procedure can't store a variable I would need to pull data on a certain item (out of thousands)
0
 
chapmandewCommented:
Yes, that is what I mean....not sure that there is a definitive list.

Really, you're better off hiring a consulting company to go in and do an analysis on your database/web code for this very reason.  
0
 
EGormlyAuthor Commented:
Thanks, you pointed me in the right direction!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now