Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Virus Scripts in SQL Database

Posted on 2012-03-20
7
Medium Priority
?
393 Views
Last Modified: 2013-11-22
I'm not sure what happened but all of a sudden a few of the "text" database fields in our sql database have virus scripts appeneded to them. For example we have a notes field that had user typed in notes, and then at the bottom of that their are what I can only imagine are virus scripts with a link in them.

Obviously their was a security flaw somewhere along the line. Is there a way to determine how these are getting in there and what is the best way to remove them? I'd prefer not to clear out the existing user notes, but if that is a necessity I guess its my only choice. Any help would be appreciated. Thanks.
0
Comment
Question by:nextmedstaff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 

Author Comment

by:nextmedstaff
ID: 37744286
Thanks for that link, 2 of the scanners reported it as malware.

I don't know if there is a script i could run to remove all of the malicious scripts while preserving the orginal information. The other big issue is trying to determine where it came from.. any suggestions where to start looking... a particular log? etc..
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37745977
is that database accessable from a webserver?
if so I assume that your web application has a SQL Injection vulnerability
first check your server logfiles, if you identify malicious requests disconnect that server from internet until you fixed the vulnerability
then you need to check (penetration test or SCA) your application and fix all flaws in the source code, then check again
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 1500 total points
ID: 37748290
I agree with ahoffman and this is likely a result of SQL Injection which is essentially people inserting malicious SQL script into forms on your website that you do not check for validity.  IE: If you ask for a comment do you strip out SQL code and only accept alpha numeric text and simple punctuation characters.
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 37750155
> .. and only accept alpha numeric text
  42 union select table_name from information_schema where table_name between 0x61 and 0x7a

> .. and simple punctation
      4 or 2=2 into outfile 'result.txt'

*neverever* use blacklists or sanatised input data, always use a whitlist and reject anything not matching the whitelist
0
 
LVL 64

Expert Comment

by:btan
ID: 37750973
Was thinking the log from the web and app tier may also captured some request log which may be close to the script injected at database side. Probably is to trace back who is the source and who has access or download it so far... Window of exposure has already widen since the gap is opened up due to vulnerable web code...I suspect

E.g http://blogs.technet.com/b/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

There she be some detection by is or firewall online but seems like they are bypass..we application firewall can serve well to trace out the events leading to it. Log parser are avail for the analysis if is or apache log are available....
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37843400
can someone please explain why the accepted comment is the answer?
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wonder what it's like to get hit by ransomware? "Tom" gives you all the dirty details first-hand – and conveys the hard lessons his company learned in the aftermath.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question