Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 442
  • Last Modified:

MSSQL Table disappear

HELLO,
A MSSQL Server that handles several queries daily,
last night on of my tables just got empty.... I have no stored procedure that could do that or what ever,
What could it be ?
I am thinking of injection, somehow, i dont really know because all users that access the sql via website are restricted and do not have delete operation enabled
0
netwhw
Asked:
netwhw
  • 8
  • 5
  • 2
  • +1
1 Solution
 
netwhwAuthor Commented:
Its a MSSQL 2000 Website
0
 
momi_sabagCommented:
there is a free log analyzer for sql server 2000
http://www.red-gate.com/products/SQL_Log_Rescue/index.htm

use it and find out which statement got your table empty
0
 
RiteshShahCommented:
well, every transaction is written in transaction log file, if you are talking backup of transaction log than there is a chance to restore transaction log backup until the exact time you doubts for deleting records. one easy method is provided above, use red-gate tool which is free for SQL Server 2000. other than these, there is no way to do so.
0
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

 
netwhwAuthor Commented:
But have you ever seem that ?
0
 
netwhwAuthor Commented:
A table complelty wiped ?
How can i check if my server has been compromised ?
0
 
RiteshShahCommented:
>>But have you ever seem that ?<<

didn't get you...
0
 
RiteshShahCommented:
red-gate can help you to recover data but can't help you to check whether you are injection affected or not, that you will have to find out with few different ways.

--check you logs (SQL Server log and OS log)
--keep watch on your transaction log file
0
 
netwhwAuthor Commented:
Can you guide me on that ?
--check you logs (SQL Server log and OS log)
--keep watch on your transaction log file

BEcause, i had a autobackup at 2 am, and at 2:07 the table was wiped.
I dont know, could it be a malfuncition ?
0
 
netwhwAuthor Commented:
I already recovered the data, but my website is offline for now
0
 
RiteshShahCommented:
go to your log in control panel and check whether any failed attempt to login was happened or not.
0
 
netwhwAuthor Commented:
No, it doesnt show any failed logins on my logs
0
 
netwhwAuthor Commented:
Do you can think of any other place to search ?
0
 
RiteshShahCommented:
I always used to see logs in any doubts, nowhere else.
0
 
gr8gonzoConsultantCommented:
My guess is that you got hit by SQL injection or by a bad query that deleted too many rows.

If you have an auto-incrementing primary key, then try inserting a new row in the table. See if the ID starts at 1 or if it's a larger number.

If it's 1, then someone probably ran a TRUNCATE query. If it's greater than 1, then you might have had a DELETE FROM ... query that didn't have enough limits or was done in a way that all records matched the criteria.

Red Gate's tools should be able to help you search through your transaction logs. Search for TRUNCATE or DELETE FROM queries. You may be able to trace the offending query back to a malformed page request (SQL injection or just data that wasn't properly escaped or something).

Suggestion: Use a tool like ParosProxy to scan your application for vulnerabilities after it comes back up.
0
 
gr8gonzoConsultantCommented:
While my guess is that it's an application-related problem, you never know about server security. I know MSSQL has some EXEC privileges that are often left wide open and can be exploited to gain access to a server. Some things to look for:

1. See if there are any unexpected tasks running in Task Manager.

2. Download and install Security Task Manager from Neuber - it can sometimes see tasks that are hidden from the regular Windows Task Manager, and if your server's been compromised by a rootkit or anything, then it's probably going to be a hidden process.

3. Look for any unexpected differences on the system. For example, sudden decrease in available disk space, new/unexpected services (run "services.msc" to see the services on the system), decrease in general speed, new tray icons, etc...
0
 
netwhwAuthor Commented:
It was a TRUNCATE Command, we fixed the problem ! Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 8
  • 5
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now