Solved

Virus Scripts in SQL Database

Posted on 2012-03-20
385 Views
Last Modified: 2013-11-22
I'm not sure what happened, but all of a sudden a few of the "text" database fields in our SQL database have virus scripts appended to them. For example, we have a notes field that had user-typed notes, and then at the bottom of that there are what I can only imagine are virus scripts with a link in them.

Obviously there was a security flaw somewhere along the line. Is there a way to determine how these are getting in there, and what is the best way to remove them? I'd prefer not to clear out the existing user notes, but if that is a necessity I guess it's my only choice. Any help would be appreciated. Thanks.
Question by:nextmedstaff
7 Comments

Author Comment

by:nextmedstaff
ID: 37744286
Thanks for that link, 2 of the scanners reported it as malware.

I don't know if there is a script I could run to remove all of the malicious scripts while preserving the original information. The other big issue is trying to determine where it came from. Any suggestions where to start looking? A particular log, etc.?
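The thread never answers the request above for a script that strips the appended scripts while keeping the users' notes. The following is an added example, not code from the original thread: it uses Python with an in-memory sqlite3 table as a stand-in for the unnamed SQL database, constructed sample rows, and it assumes the injected payload is a `<script ...>...</script>` element (the thread does not show the actual markup, so adjust the regex to what you find in your own rows). Affected rows are copied to a quarantine table before they are rewritten, so nothing is lost if the pattern turns out to be too greedy.

```python
import re
import sqlite3

# Matches a whole <script ...>...</script> element, including the empty
# <script src="..."></script> form. ASSUMPTION: the injected content has this
# shape; verify against a few affected rows before running for real.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

# Constructed sample rows (not from the thread); "malicious.example" is a
# reserved documentation domain standing in for the injected link.
SAMPLE_NOTES = [
    (1, "Patient called back, reschedule for Monday."),
    (2, 'Refill approved.<script src="http://malicious.example/ur.js"></script>'),
    (3, 'Bring insurance card.<script src="http://malicious.example/ur.js"></script>'
        '<script src="http://malicious.example/ur.js"></script>'),
]


def load_sample():
    """Build the throwaway sqlite3 database used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def strip_injected_scripts(text):
    """Remove every <script> element; everything else in the note is kept."""
    return SCRIPT_RE.sub("", text)


def clean_notes(conn, table="notes", key="id", column="body"):
    """Copy affected rows to <table>_quarantine, then rewrite the column in
    place, and return how many rows were changed.

    table/key/column are operator-supplied identifiers, never request input;
    the row values themselves always travel as bound parameters."""
    conn.execute(
        f"CREATE TABLE IF NOT EXISTS {table}_quarantine "
        f"({key} INTEGER, {column} TEXT, cleaned_at TEXT DEFAULT CURRENT_TIMESTAMP)"
    )
    # LIKE is case-insensitive for ASCII in SQLite; on other engines this
    # depends on the column collation, so check before trusting the match.
    rows = conn.execute(
        f"SELECT {key}, {column} FROM {table} WHERE {column} LIKE '%<script%'"
    ).fetchall()
    fixed = 0
    for row_id, body in rows:
        cleaned = strip_injected_scripts(body)
        if cleaned == body:
            continue  # looked suspicious but the regex did not match: leave it for manual review
        conn.execute(
            f"INSERT INTO {table}_quarantine ({key}, {column}) VALUES (?, ?)",
            (row_id, body),
        )
        conn.execute(
            f"UPDATE {table} SET {column} = ? WHERE {key} = ?",
            (cleaned, row_id),
        )
        fixed += 1
    conn.commit()
    return fixed


if __name__ == "__main__":
    conn = load_sample()
    print("rows cleaned:", clean_notes(conn))
    for row in conn.execute("SELECT id, body FROM notes ORDER BY id"):
        print(row)
```

Take a full database backup before running anything like this, and run it only after the hole that let the scripts in has been closed; otherwise the rows will simply be re-infected.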
LVL 51

Expert Comment

by:ahoffmann
ID: 37745977
Is that database accessible from a webserver?
If so, I assume that your web application has a SQL injection vulnerability.
First check your server logfiles; if you identify malicious requests, disconnect that server from the internet until you have fixed the vulnerability.
Then you need to check (penetration test or SCA) your application and fix all flaws in the source code, then check again.
LVL 51

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 37748290
I agree with ahoffmann, and this is likely a result of SQL injection, which is essentially people inserting malicious SQL script into forms on your website that you do not check for validity. I.e.: if you ask for a comment, do you strip out SQL code and only accept alphanumeric text and simple punctuation characters?
LVL 51

Expert Comment

by:ahoffmann
ID: 37750155
> .. and only accept alphanumeric text
  42 union select table_name from information_schema.tables where table_name between 0x61 and 0x7a

> .. and simple punctuation
      4 or 2=2 into outfile 'result.txt'

*Never ever* use blacklists or sanitised input data; always use a whitelist and reject anything not matching the whitelist.
LVL 63

Expert Comment

by:btan
ID: 37750973
I was thinking the logs from the web and app tier may also have captured some request log entries which may be close to the script injected at the database side. Probably trace back who the source is and who has had access to or downloaded it so far... The window of exposure has already widened since the gap was opened up due to vulnerable web code... I suspect.

E.g. http://blogs.technet.com/b/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

There should be some detection by IDS or firewall online, but it seems like they were bypassed. A web application firewall can serve well to trace out the events leading to it. Log Parser is available for the analysis if IIS or Apache logs are available....
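Both ahoffmann and btan point at the web server logs as the place to find the malicious requests and their source, but neither shows what to look for. The following is an added example, not code from the thread: a small Python scanner over Apache combined-format access log lines that URL-decodes each request target and flags the injection signatures used earlier in this thread (`union ... select`, `information_schema`, `into outfile`, `or N=N`) plus a few other common ones (`declare ... cast(`, long `0x` hex blobs, `xp_cmdshell`). The log lines and client addresses are constructed for the example; the IIS W3C format has a different line layout, so only the `LINE_RE` parser would need to change for IIS logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not from the thread). Addresses are
# from documentation ranges; the requests mirror the payloads quoted above.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2012:08:14:22 +0000] "GET /notes.asp?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2012:08:15:01 +0000] "GET /notes.asp?id=42%20union%20select%20table_name%20from%20information_schema.tables HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2012:08:15:09 +0000] "GET /notes.asp?id=4%20or%202%3D2%20into%20outfile%20%27result.txt%27 HTTP/1.1" 500 411 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2012:08:16:40 +0000] "POST /login.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2012:08:17:13 +0000] "GET /notes.asp?id=1;declare%20@s%20varchar(4000);set%20@s=cast(0x73656c656374%20as%20varchar(4000));exec(@s) HTTP/1.1" 200 1532 "-" "-"
"""

# Apache "combined" format: ip ident user [time] "method target proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Signatures, named so a hit explains itself. Tune to your own application;
# these are a starting point, not a complete detection rule set.
INJECTION_PATTERNS = {
    "union_select": r"\bunion\b.{0,40}?\bselect\b",
    "information_schema": r"\binformation_schema\b",
    "into_outfile": r"\binto\s+(?:out|dump)file\b",
    "tautology": r"\bor\s+\d+\s*=\s*\d+\b",
    "declare_cast": r"\bdeclare\b.{0,200}?\bcast\s*\(",
    "hex_blob": r"\b0x[0-9a-f]{8,}\b",
    "xp_cmdshell": r"\bxp_cmdshell\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE | re.DOTALL)
            for name, p in INJECTION_PATTERNS.items()}


def decode_target(target):
    """Undo URL encoding twice so double-encoded payloads are also visible.
    unquote_plus also turns '+' into a space, which is what a query string means."""
    return unquote_plus(unquote_plus(target))


def scan_log(text):
    """Return one record per request that matches at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        request = decode_target(m.group("target"))
        matches = [name for name, rx in COMPILED.items() if rx.search(request)]
        if matches:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "request": request,
                "matches": matches,
            })
    return hits


def suspect_ips(hits):
    """Count hits per client address: the first thing to block and to trace."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["status"], h["matches"])
        print("   ", h["request"])
    print("per-source counts:", suspect_ips(found))
```

A `200` status on a flagged request is the worrying case: the application accepted the input and the query most likely ran. The decoded `request` field tells you which page and parameter was abused, which is where the source-code review ahoffmann asks for should start.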
LVL 51

Expert Comment

by:ahoffmann
ID: 37843400
can someone please explain why the accepted comment is the answer?