Solved

Virus Scripts in SQL Database

Posted on 2012-03-20
7
388 Views
Last Modified: 2013-11-22
I'm not sure what happened but all of a sudden a few of the "text" database fields in our sql database have virus scripts appeneded to them. For example we have a notes field that had user typed in notes, and then at the bottom of that their are what I can only imagine are virus scripts with a link in them.

Obviously their was a security flaw somewhere along the line. Is there a way to determine how these are getting in there and what is the best way to remove them? I'd prefer not to clear out the existing user notes, but if that is a necessity I guess its my only choice. Any help would be appreciated. Thanks.
0
Comment
Question by:nextmedstaff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 

Author Comment

by:nextmedstaff
ID: 37744286
Thanks for that link, 2 of the scanners reported it as malware.

I don't know if there is a script i could run to remove all of the malicious scripts while preserving the orginal information. The other big issue is trying to determine where it came from.. any suggestions where to start looking... a particular log? etc..
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37745977
is that database accessable from a webserver?
if so I assume that your web application has a SQL Injection vulnerability
first check your server logfiles, if you identify malicious requests disconnect that server from internet until you fixed the vulnerability
then you need to check (penetration test or SCA) your application and fix all flaws in the source code, then check again
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 37748290
I agree with ahoffman and this is likely a result of SQL Injection which is essentially people inserting malicious SQL script into forms on your website that you do not check for validity.  IE: If you ask for a comment do you strip out SQL code and only accept alpha numeric text and simple punctuation characters.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 51

Expert Comment

by:ahoffmann
ID: 37750155
> .. and only accept alpha numeric text
  42 union select table_name from information_schema where table_name between 0x61 and 0x7a

> .. and simple punctation
      4 or 2=2 into outfile 'result.txt'

*neverever* use blacklists or sanatised input data, always use a whitlist and reject anything not matching the whitelist
0
 
LVL 63

Expert Comment

by:btan
ID: 37750973
Was thinking the log from the web and app tier may also captured some request log which may be close to the script injected at database side. Probably is to trace back who is the source and who has access or download it so far... Window of exposure has already widen since the gap is opened up due to vulnerable web code...I suspect

E.g http://blogs.technet.com/b/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

There she be some detection by is or firewall online but seems like they are bypass..we application firewall can serve well to trace out the events leading to it. Log parser are avail for the analysis if is or apache log are available....
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37843400
can someone please explain why the accepted comment is the answer?
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question