
SQL Injection - Viewing the Logs

Hello,
One of our databases keeps getting infected by a SQL injection. We clean the data, and the next day the DB is infected with the same code. It's pretty much acting like a worm. We've modified some of the code of the pages that we think are vulnerable, but still no luck. I know we have to go through all the pages on our web server, but we have so many that by the time we're done, we will probably get infected many times.

I was wondering if there's a way to check the SQL logs to see where/when this is coming from?

Also, since we're getting infected every day, there's also a possibility that there could be a backdoor. How can we check for these?

Thanks!
Asked by HumanScaleDev

chapmandew Commented:
No, not really much you can do in the logs. You should run SQL Profiler to see what is hitting your databases.
JohnSansom Commented:
If you are being injected with a frequently occurring string, i.e. a particular web URL, you can use this to set up a SQL Server Profiler trace and filter it for the specific string you are seeing.

This way you can identify the specific SQL Server T-SQL queries or stored procedures that are being injected with SQL.

If you have time I would be interested to see what scripts you are being injected with. I have a number of scripts that are designed to automatically clean up a number of well-known SQL injection attacks, which may be of use to you.

Kind Regards,
John
SidFishes Commented:
I've written a blog post, more regarding the CF side of things, but it lists many useful testing tools to find the vulnerable code, a tool to clean up the DB (Scrubbr) and a couple of examples regarding XSS, which is at least as dangerous as SQLi:

http://sidfishes.wordpress.com/2009/03/17/60/

basically... if you use cfqueryparam on every query, you will stop these injections from occurring
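The point SidFishes makes above, shown side by side as an added example (this is not code from the original thread or from the asker's application). The table `products`, its columns, the request variables `url.id`, `url.ids` and `form.search`, and the datasource `application.dsn` are assumed names for illustration. The first query is the pattern that lets injected SQL run; the three that follow bind every user-supplied value with cfqueryparam, including the LIKE and IN cases where developers most often fall back to string concatenation.

```cfml
<!--- Added example, not from the original thread. Table "products", its columns,
      the url/form variables and the datasource "application.dsn" are assumed names. --->

<!--- VULNERABLE: url.id is pasted straight into the SQL text. A request such as
      ?id=1 OR 1=1 rewrites the WHERE clause, and if the datasource permits multiple
      statements, ?id=1; UPDATE products SET ... runs whatever the attacker appends. --->
<cfquery name="qBad" datasource="#application.dsn#">
    SELECT productid, name, description
    FROM   products
    WHERE  productid = #url.id#
</cfquery>

<!--- HARDENED: the value travels as a bind parameter, so it can never change the
      statement. cf_sql_integer also rejects non-numeric input before the query runs. --->
<cfquery name="qGood" datasource="#application.dsn#">
    SELECT productid, name, description
    FROM   products
    WHERE  productid = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
</cfquery>

<!--- Strings: bind them too, and cap the length to match the column so an oversized
      payload is rejected rather than stored. --->
<cfquery name="qSearch" datasource="#application.dsn#">
    SELECT productid, name
    FROM   products
    WHERE  name LIKE <cfqueryparam cfsqltype="cf_sql_varchar"
                                   value="%#form.search#%" maxlength="52">
</cfquery>

<!--- Lists: list="true" binds each comma-separated item as its own parameter, so an
      IN clause never needs the raw string in the SQL. --->
<cfquery name="qMany" datasource="#application.dsn#">
    SELECT productid, name
    FROM   products
    WHERE  productid IN (<cfqueryparam cfsqltype="cf_sql_integer"
                                       value="#url.ids#" list="true">)
</cfquery>
```

The attribute is `cfsqltype`, not `type`; ColdFusion validates the value against that type, so a non-integer passed to `cf_sql_integer` throws an error instead of reaching the database.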
 
HumanScaleDev (Author) Commented:
Thank you all! We didn't get infected last night. Sometimes it happens every other day. We're going to see what happens this week. Since we don't know for sure if the solutions work for us, I will assign the points at the end of the week, or even before if we get infected again.

SidFishes--
Our newest applications contain the cfqueryparam tag; there might be some of the old ones that don't use it. However, we've done some testing, and the DB can get infected when using cf_sql_varchar as the cfsqltype. Any ideas on how to prevent this using cfqueryparam?
We basically don't allow any inserts if some suspicious code is being passed in the forms.
I also tried Scrawlr on one of our sites that doesn't require authentication, and it found a couple of vulnerable pages. Thank you!

SidFishes Commented:
"DB can get infected when using cf_sql_varchar as the cfsqltype. "

afaik, that's not possible as it relates to SQLi, but remember that SQLi is different from XSS. SQLi manipulates the DB in some way (adding users, deleting records, etc.), whereas XSS injects malicious code into the DB.

as I mentioned in my blog post, cfqueryparam won't protect you from XSS. the reason is simple

<script>alert('pwnd')</script>

is perfectly valid cf_sql_varchar, so the insert works just fine. Lots of people, including myself, store HTML in DBs, and JS is really just a variant of HTML (as far as a DB is concerned it's just text).

Of course the problem with that is, if someone adds a script to a record in your DB that gets displayed to other users, it can do some really nasty things like open a hidden iframe, redirect them to a malware site and completely compromise your users' boxes.

To get around this, do not allow HTML or JS in form submissions. The easiest way is simply to add this bit of code to every place where form submissions are processed:

<!--- strip anything that looks like an HTML tag before the value is stored --->
<cfset myvar = REReplaceNoCase(form.myformvariable, "<[^>]*>", "", "all")>
<!--- datasource name is assumed; the original omitted it --->
<cfquery datasource="#application.dsn#">
    insert into mytbl (field1)
    values (<cfqueryparam cfsqltype="cf_sql_varchar" value="#myvar#">)
</cfquery>

the regex simply strips all opening and closing tags, i.e. anything between < and >

so
<script>alert('pwnd')</script>
becomes

scriptalert('pwnd')/script

which is harmless

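An added example, not code from the original thread, that puts the two pieces of this exchange together: the asker's observation that cfqueryparam with cf_sql_varchar happily stores `<script>`, and SidFishes's tag-stripping regex on the input side. It adds the output-side step a practitioner would want as well: HTML-encoding the stored text when it is written into the page, which is what actually prevents a stored script from executing and also covers rows that were written before the filter existed or were planted by a direct SQL injection, the situation described in the question. The table `comments`, its columns, the form field `form.body` and the datasource `application.dsn` are assumed names. `HTMLEditFormat()` is the long-standing ColdFusion encoder; `encodeForHTML()` is its replacement on ColdFusion 10 and later.

```cfml
<!--- Added example, not from the original thread. Table "comments", column "body",
      the form field "form.body" and the datasource "application.dsn" are assumed. --->

<!--- 1. Input side. cfqueryparam stops SQL injection; the regex from the comment above
      removes anything tag-shaped before it is stored. Note that cf_sql_varchar accepts
      "<script>alert('pwnd')</script>" without complaint, so the regex, not the
      parameter, is doing the XSS filtering here. --->
<cfset cleanBody = REReplaceNoCase(form.body, "<[^>]*>", "", "all")>
<cfquery datasource="#application.dsn#">
    INSERT INTO comments (body, posted)
    VALUES (
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#cleanBody#" maxlength="2000">,
        <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
    )
</cfquery>

<!--- 2. Output side. Encode every stored value as it is written into the page. This
      turns < into &lt; and so on, so a <script> tag that reached the table by any
      route (old data, a direct SQL injection, a filter miss) renders as text instead
      of running in the visitor's browser. --->
<cfquery name="qComments" datasource="#application.dsn#">
    SELECT body, posted
    FROM   comments
    ORDER  BY posted DESC
</cfquery>
<cfoutput query="qComments">
    <p>#HTMLEditFormat(body)#</p>   <!--- ColdFusion 10+: encodeForHTML(body) --->
</cfoutput>
```

Input stripping is a reasonable belt-and-braces measure, but a pattern-based filter can only remove what it anticipates; encoding at the point of output is the check that holds regardless of how the data got into the column.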
