• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 322
  • Last Modified:

Injection attack advice?

I have a number of legacy sites written in Classic ASP using a SQL Server 2008 Database.

Recently they have been targetted with what I presume is an Injection attack - altering the script on the home page to show spam. Luckily this is the extent of the attack.

I set up a script to record the IP address, page name and query string (URL arguments) of each request.

When it last happened I reviewed the results and there is nothing out of the ordinary - I was expecting some SQL appended to the URL but there is nothing obvious.

The last time, I replaced all files andI have also checked and there isn't an extra file present.

What else can I monitor or investigate?

Regards
Kevin Russell
0
Fairweather_Web
Asked:
Fairweather_Web
  • 4
  • 4
2 Solutions
 
EyalCommented:
you didn't mentioned what kind of attack so I assume you experience XSS attack

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
0
 
EyalCommented:
attacks can also be made from forms/ajax calls

also I would recommend to change your passwords
0
 
Daniel WilsonCommented:
If replacing your ASP files removed the spam, it's not a SQL injection attack.  You should, of course, guard against that, but that doesn't appear to be the current problem.
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

 
Fairweather_WebAuthor Commented:
Thanks chaps. The code that was inserted into my home page just broke the code which threw an error. How can I check to see how my file is being rewritten?

Kevin
0
 
EyalCommented:
1) firewall
2) IIS logs
0
 
Fairweather_WebAuthor Commented:
...on a Reseller Hosting account.
0
 
EyalCommented:
change FTP passwords
change SQL password
check all inputs in code
htmlencode all outputs
0
 
Fairweather_WebAuthor Commented:
It turns out that my Reseller Server was infected - an ARP atack?

Thanks for your help.
0
 
Fairweather_WebAuthor Commented:
The problem turned out to be on my server rather than the code
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now