SQL Injection - Viewing the Logs

Posted on 2010-01-11
Medium Priority
Last Modified: 2013-12-24
One of our databases keeps getting infected by a SQL injection. We clean the data, the next day, the DB is infected with the same code. It's pretty much acting like a worm. We've modified some of the code of the pages that we think are vulnerable, but still no luck. I know we have to go through all the pages in our web server, but we have so many that by the time we're done, we will probably get infected many times.

I was wondering if there's a way to check the SQL logs to see where/time this is coming from?

Also, since we're getting infected every day, there's also a possibility that there could be a backdoor. How can we check for these?

Question by:HumanScaleDev

Assisted Solution

chapmandew earned 500 total points
ID: 26283462
No, not really much you can do in the logs.  You should run SQL profiler to see what is hitting your databases.
Assisted Solution

JohnSansom earned 500 total points
ID: 26283566
If you are being injected with a frequently occurring string i.e. a particular web URL, you can use this to set up a SQL Server Profiler trace and filter it for the specific string you are seeing.

This way you can identify the specific SQL Server T-SQL queries or stored procedures that are being injected with SQL.

If you have time I would be interested to see what scripts you are being injected with. I have a number of scripts that are designed to automatically clean up a number of well-known SQL Injection attacks which may be of use to you.

Kind Regards,
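
The trace filter suggested in the answer above, applied to a saved trace file with T-SQL. This is an added example, not part of the original thread; the trace file path and the marker string are placeholders to be replaced with your own values.

```sql
-- Added example: the path and marker below are placeholders.
DECLARE @TraceFile nvarchar(256);
DECLARE @Marker    nvarchar(200);
SET @TraceFile = N'C:\Traces\injection_watch.trc';   -- hypothetical saved trace file
SET @Marker    = N'%<RECURRING-INJECTED-STRING>%';   -- replace with the string seen in the data

-- Every traced statement whose text contains the marker, oldest first.
SELECT  t.StartTime,
        te.name AS EventName,
        t.HostName, t.ApplicationName, t.LoginName, t.DatabaseName, t.SPID,
        CAST(t.TextData AS nvarchar(max)) AS StatementText
FROM    sys.fn_trace_gettable(@TraceFile, DEFAULT) AS t
JOIN    sys.trace_events AS te ON te.trace_event_id = t.EventClass
WHERE   CAST(t.TextData AS nvarchar(max)) LIKE @Marker
ORDER BY t.StartTime;

-- Same hits grouped by hour and caller, to see when the writes cluster.
SELECT  DATEADD(hour, DATEDIFF(hour, 0, t.StartTime), 0) AS HourBucket,
        t.HostName, t.ApplicationName, t.LoginName,
        COUNT(*) AS Hits
FROM    sys.fn_trace_gettable(@TraceFile, DEFAULT) AS t
WHERE   CAST(t.TextData AS nvarchar(max)) LIKE @Marker
GROUP BY DATEADD(hour, DATEDIFF(hour, 0, t.StartTime), 0),
         t.HostName, t.ApplicationName, t.LoginName
ORDER BY HourBucket;
```

The trace has to capture the TextData column for statement events, otherwise the filter has nothing to match. HostName is the machine that connected to SQL Server, which is normally the web server, so use StartTime to find the matching request in the web server's access log.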

Expert Comment

ID: 26284274
I've written a blog post more in regards to the cf side of things but have listed many useful testing tools to find the vulnerable code, a tool to clean up the db (scrubbr) and a couple of examples in regards to XSS which is at least as dangerous as SQLi


basically... if you use cfqueryparam on every query you will stop these injections from occurring

Author Comment

ID: 26293071
Thank you all! We didn't get infected last night. Sometimes it happens every other day. We're going to see what happens this week. Since we don't know for sure if the solutions work for us, I will assign the points at the end of the week or even before if we get infected again.

Our newest applications contain the cfqueryparam tag - there might be some of the old ones that don't use it. However, we've done some testing and the DB can get infected when using cf_sql_varchar as the cfsqltype. Any ideas on how to prevent this, using cfqueryparam?
We basically don't allow any inserts if some suspicious code is being passed in the forms.
I also tried the Scrawlr in one of our sites that don't require authentication and it found a couple of vulnerable pages. -- Thank you!

LVL 36

Accepted Solution

SidFishes earned 1000 total points
ID: 26293484
"DB can get infected when using cf_sql_varchar as the cfsqltype. "

afaik, that's not possible as it relates to SQLi but remember that SQLi is different than XSS. SQLi manipulates the db in some way (adding users, deleting records etc) whereas XSS injects malicious code into the db

as I mentioned in my blog post, cfqueryparam won't protect you from XSS. the reason is simple


is perfectly valid cf_sql_varchar so the insert works just fine. Lots of people including myself store html in db's and js is really just a variant of html (as far as a db is concerned it's just text)

Of course the problem with that is if someone adds a script to a record in your db that gets displayed to other users, it can do some really nasty things like open a hidden iframe, redirect them to a malware site and completely compromise your user's box.

To get around this do not allow html or js in form submissions. The easiest way is simply to add this bit of code to every place that form submissions are made

<!--- strip every <...> tag from the submitted value before it is stored --->
<cfset myvar = rereplacenocase(form.myformvariable, "<[^>]*>", "", "All")>
insert into mytbl (field1) values (<cfqueryparam cfsqltype="cf_sql_varchar" value="#myvar#">)

the regex simply replaces all starting and closing tags < >



which is harmless
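
The distinction drawn in the answer above, shown on the database side: a bound varchar parameter keeps the submitted value from being parsed as SQL, yet any markup in it is stored unchanged. This is an added example, not part of the original thread; it uses sp_executesql as the T-SQL counterpart of a parameterized insert, and the temp table and the submitted value are constructed for illustration.

```sql
-- Added example: table name follows the answer above; values are constructed.
CREATE TABLE #mytbl (id int IDENTITY(1,1) PRIMARY KEY, field1 varchar(200));

DECLARE @submitted varchar(200);
-- Constructed form value: a quote, a comment marker and some markup.
SET @submitted = 'O''Brien''; -- <b>hello</b>';

-- Bound parameter: the value travels separately from the statement text,
-- so the quote cannot end a string literal and nothing in it is parsed as SQL.
EXEC sp_executesql
     N'INSERT INTO #mytbl (field1) VALUES (@v);',
     N'@v varchar(200)',
     @v = @submitted;

-- One row, stored exactly as submitted, markup included.
SELECT id, field1 FROM #mytbl;

-- Audit query: rows containing "<" followed later by ">", i.e. the rows
-- the <[^>]*> tag-stripping regex would have changed before the insert.
SELECT id, field1
FROM   #mytbl
WHERE  field1 LIKE '%<%>%';

DROP TABLE #mytbl;
```

Run against the real tables, the audit query lists rows that already hold tag-like text and need review or cleanup.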

