?
Solved

Virus Scripts in SQL Database

Posted on 2012-03-20
7
Medium Priority
?
396 Views
Last Modified: 2013-11-22
I'm not sure what happened but all of a sudden a few of the "text" database fields in our sql database have virus scripts appeneded to them. For example we have a notes field that had user typed in notes, and then at the bottom of that their are what I can only imagine are virus scripts with a link in them.

Obviously their was a security flaw somewhere along the line. Is there a way to determine how these are getting in there and what is the best way to remove them? I'd prefer not to clear out the existing user notes, but if that is a necessity I guess its my only choice. Any help would be appreciated. Thanks.
0
Comment
Question by:nextmedstaff
6 Comments
 

Author Comment

by:nextmedstaff
ID: 37744286
Thanks for that link, 2 of the scanners reported it as malware.

I don't know if there is a script i could run to remove all of the malicious scripts while preserving the orginal information. The other big issue is trying to determine where it came from.. any suggestions where to start looking... a particular log? etc..
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37745977
is that database accessable from a webserver?
if so I assume that your web application has a SQL Injection vulnerability
first check your server logfiles, if you identify malicious requests disconnect that server from internet until you fixed the vulnerability
then you need to check (penetration test or SCA) your application and fix all flaws in the source code, then check again
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 1500 total points
ID: 37748290
I agree with ahoffman and this is likely a result of SQL Injection which is essentially people inserting malicious SQL script into forms on your website that you do not check for validity.  IE: If you ask for a comment do you strip out SQL code and only accept alpha numeric text and simple punctuation characters.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 37750155
> .. and only accept alpha numeric text
  42 union select table_name from information_schema where table_name between 0x61 and 0x7a

> .. and simple punctation
      4 or 2=2 into outfile 'result.txt'

*neverever* use blacklists or sanatised input data, always use a whitlist and reject anything not matching the whitelist
0
 
LVL 66

Expert Comment

by:btan
ID: 37750973
Was thinking the log from the web and app tier may also captured some request log which may be close to the script injected at database side. Probably is to trace back who is the source and who has access or download it so far... Window of exposure has already widen since the gap is opened up due to vulnerable web code...I suspect

E.g http://blogs.technet.com/b/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

There she be some detection by is or firewall online but seems like they are bypass..we application firewall can serve well to trace out the events leading to it. Log parser are avail for the analysis if is or apache log are available....
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37843400
can someone please explain why the accepted comment is the answer?
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Although free tools can be helpful to a limited extent, it’s better to stick to paid versions for business use.
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
Viewers will learn how the fundamental information of how to create a table.
Get the source code for a fully functional Access application shell with several popular security features that Access VBA application developers desire, but find difficult or impossible to figure out how to code. You get the source code for managi…

594 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question