Solved

Virus Scripts in SQL Database

Posted on 2012-03-20
7
381 Views
Last Modified: 2013-11-22
I'm not sure what happened but all of a sudden a few of the "text" database fields in our sql database have virus scripts appeneded to them. For example we have a notes field that had user typed in notes, and then at the bottom of that their are what I can only imagine are virus scripts with a link in them.

Obviously their was a security flaw somewhere along the line. Is there a way to determine how these are getting in there and what is the best way to remove them? I'd prefer not to clear out the existing user notes, but if that is a necessity I guess its my only choice. Any help would be appreciated. Thanks.
0
Comment
Question by:nextmedstaff
7 Comments
 

Author Comment

by:nextmedstaff
ID: 37744286
Thanks for that link, 2 of the scanners reported it as malware.

I don't know if there is a script i could run to remove all of the malicious scripts while preserving the orginal information. The other big issue is trying to determine where it came from.. any suggestions where to start looking... a particular log? etc..
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37745977
is that database accessable from a webserver?
if so I assume that your web application has a SQL Injection vulnerability
first check your server logfiles, if you identify malicious requests disconnect that server from internet until you fixed the vulnerability
then you need to check (penetration test or SCA) your application and fix all flaws in the source code, then check again
0
 
LVL 51

Accepted Solution

by:
tedbilly earned 500 total points
ID: 37748290
I agree with ahoffman and this is likely a result of SQL Injection which is essentially people inserting malicious SQL script into forms on your website that you do not check for validity.  IE: If you ask for a comment do you strip out SQL code and only accept alpha numeric text and simple punctuation characters.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 51

Expert Comment

by:ahoffmann
ID: 37750155
> .. and only accept alpha numeric text
  42 union select table_name from information_schema where table_name between 0x61 and 0x7a

> .. and simple punctation
      4 or 2=2 into outfile 'result.txt'

*neverever* use blacklists or sanatised input data, always use a whitlist and reject anything not matching the whitelist
0
 
LVL 61

Expert Comment

by:btan
ID: 37750973
Was thinking the log from the web and app tier may also captured some request log which may be close to the script injected at database side. Probably is to trace back who is the source and who has access or download it so far... Window of exposure has already widen since the gap is opened up due to vulnerable web code...I suspect

E.g http://blogs.technet.com/b/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

There she be some detection by is or firewall online but seems like they are bypass..we application firewall can serve well to trace out the events leading to it. Log parser are avail for the analysis if is or apache log are available....
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37843400
can someone please explain why the accepted comment is the answer?
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now