Fairweather_Web
asked on
Injection attack advice?
I have a number of legacy sites written in Classic ASP using a SQL Server 2008 Database.
Recently they have been targetted with what I presume is an Injection attack - altering the script on the home page to show spam. Luckily this is the extent of the attack.
I set up a script to record the IP address, page name and query string (URL arguments) of each request.
When it last happened I reviewed the results and there is nothing out of the ordinary - I was expecting some SQL appended to the URL but there is nothing obvious.
The last time, I replaced all files andI have also checked and there isn't an extra file present.
What else can I monitor or investigate?
Regards
Kevin Russell
Recently they have been targetted with what I presume is an Injection attack - altering the script on the home page to show spam. Luckily this is the extent of the attack.
I set up a script to record the IP address, page name and query string (URL arguments) of each request.
When it last happened I reviewed the results and there is nothing out of the ordinary - I was expecting some SQL appended to the URL but there is nothing obvious.
The last time, I replaced all files andI have also checked and there isn't an extra file present.
What else can I monitor or investigate?
Regards
Kevin Russell
attacks can also be made from forms/ajax calls
also I would recommend to change your passwords
also I would recommend to change your passwords
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks chaps. The code that was inserted into my home page just broke the code which threw an error. How can I check to see how my file is being rewritten?
Kevin
Kevin
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
...on a Reseller Hosting account.
change FTP passwords
change SQL password
check all inputs in code
htmlencode all outputs
change SQL password
check all inputs in code
htmlencode all outputs
ASKER
It turns out that my Reseller Server was infected - an ARP atack?
Thanks for your help.
Thanks for your help.
ASKER
The problem turned out to be on my server rather than the code
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet