Asked by HumanScaleDev
SQL Injection - Viewing the Logs

Hello,
One of our databases keeps getting infected by a SQL injection. We clean the data, and the next day the DB is infected with the same code. It's pretty much acting like a worm. We've modified some of the code of the pages that we think are vulnerable, but still no luck. I know we have to go through all the pages on our web server, but we have so many that by the time we're done, we will probably get infected many times.

I was wondering if there's a way to check the SQL logs to see where/when this is coming from?

Also, since we're getting infected every day, there's also a possibility that there could be a backdoor. How can we check for these?

Thanks!
SOLUTION
chapmandew

SOLUTION
I've written a blog post, more in regards to the CF side of things, but have listed many useful testing tools to find the vulnerable code, a tool to clean up the DB (scrubbr), and a couple of examples in regards to XSS, which is at least as dangerous as SQLi.

http://sidfishes.wordpress.com/2009/03/17/60/

Basically... if you use cfqueryparam on every query you will stop these injections from occurring.
HumanScaleDev (ASKER)
Thank you all! We didn't get infected last night. Sometimes it happens every other day. We're going to see what happens this week. Since we don't know for sure if the solutions work for us, I will assign the points at the end of the week, or even before if we get infected again.

SidFishes--
Our newest applications contain the cfqueryparam tag - there might be some of the old ones that don't use it. However, we've done some testing and the DB can get infected when using cf_sql_varchar as the cfsqltype. Any ideas on how to prevent this using cfqueryparam?
We basically don't allow any inserts if some suspicious code is being passed in the forms.
I also tried Scrawlr on one of our sites that doesn't require authentication and it found a couple of vulnerable pages. -- Thank you!
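An added example, not code from this thread, of what the cfqueryparam advice above looks like in practice, including the cf_sql_varchar case the asker raises; the datasource, table and column names are assumptions. A value bound through cfqueryparam is sent to the database as data, so it cannot change the SQL statement even if it contains markup; text that does contain markup is a stored-XSS concern handled by encoding on output, as the last block shows.

```cfml
<!--- Vulnerable pattern: the request value is pasted straight into the SQL text,
      so whatever the client sends is parsed as part of the statement.
      (myDSN, products and the column names are assumed names.) --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, description
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- Fixed: the value is bound as a typed parameter, so the driver sends it as
      data, never as SQL. cf_sql_integer also rejects non-numeric input with an error. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, description
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String input: cf_sql_varchar is equally safe against SQL injection because the
      text is bound, not concatenated. maxlength bounds what can be stored. --->
<cfquery name="searchProducts" datasource="myDSN">
    SELECT id, name
    FROM products
    WHERE name LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Multi-value input such as "3,7,9": list="true" binds each item separately
      instead of interpolating the raw comma-separated string into the IN clause. --->
<cfquery name="getSelected" datasource="myDSN">
    SELECT id, name
    FROM products
    WHERE id IN (<cfqueryparam value="#form.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- A bound varchar may still hold markup; that is stored data, not SQL.
      Encode it on output so it cannot run as script in the visitor's browser. --->
<cfoutput query="searchProducts">
    <li>#htmlEditFormat(name)#</li>
</cfoutput>
```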

ASKER CERTIFIED SOLUTION