Solved

SQL Server 2008 injection problem

Posted on 2014-03-31
Last Modified: 2014-04-01
Hello, someone tried to hack our sites with SQL injection. Our sites are LMS that use databases in SQL Server 2008. Look at the users added by the hacker:

User Name: !S!WCRTESTINPUT000000!E! aNd 7=7


Email Address: !S!WCRTESTINPUT000004!E!
Address 1: !S!WCRTESTINPUT000005!E!
Address 2: !S!WCRTESTINPUT000006!E!
Post Code: !S!WCRTESTINPUT000007!E!
State: !S!WCRTESTINPUT000008!E!
Country: !S!WCRTESTINPUT000009!E!

User Name: 99999999] | * | user[@role=admin



Email Address: !S!WCRTESTINPUT000004!E!
Address 1: !S!WCRTESTINPUT000005!E!
Address 2: !S!WCRTESTINPUT000006!E!
Post Code: !S!WCRTESTINPUT000007!E!
State: !S!WCRTESTINPUT000008!E!
Country: !S!WCRTESTINPUT000009!E!

   How can we defend against that, and was what those people did bad or were they just attempts?
Thank you
Question by:coerrace
9 Comments
 

Author Comment

by:coerrace
ID: 39966400
Look at what the Event Viewer registered:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/31/2014 2:57:16 AM
Event time (UTC): 3/31/2014 7:57:16 AM
Event ID: 8bfcbeda5244418f9f1d1faa9c86e31f
Event sequence: 8
Event occurrence: 1
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/1/ROOT-1-130407262330628159
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\
    Machine name: ourmachine
 
Process information:
    Process ID: 11012
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE
 
Exception information:
    Exception type: HttpException
    Exception message: A potentially dangerous Request.Path value was detected from the client (:).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)


Request information:
    Request URL: http://ourwebpage/pages/Password:
    Request path: /pages/Password:
    User:  
    Is authenticated: False
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE
 
Thread information:
    Thread ID: 7
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Expert Comment

by:Tony Giangreco
ID: 39966438
I suggest the following:

Review the site and its security. Upgrade all passwords so they are more secure and don't allow visitors to insert records unless they are approved and known to your organization.

Review the database and build in safety measures to make it more secure.

Make sure the server has the latest Microsoft security patches and updates applied to it.

Review your client list and if you don't have any users in foreign countries, block access from foreign countries in your firewall. We did that this year and it made a considerable reduction in the number of malicious attempts on our server.
 

Author Comment

by:coerrace
ID: 39966445
How can we put in the firewall protection for foreign countries?
Thank you

Expert Comment

by:ste5an
ID: 39966454
LMS?

Well, when they are properly coded, then there is no problem.

You may consider using more restrictive checks on the columns that form the e-mail and other address columns. E.g. prohibit the exclamation mark.

The exception in the event log shows that someone tried a prohibited path, which was blocked by IIS.
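
The column checks suggested in the comment above, written as SQL Server CHECK constraints. This is an added example, not part of the original thread and not the LMS vendor's code. The temp table `#Users`, its columns and the constraint names are assumptions standing in for the real LMS schema, and constraints added to a vendor-owned table should be agreed with the vendor because the application has to cope with the rejected INSERT.

```sql
-- Added example. #Users and its columns are hypothetical stand-ins for the LMS
-- user table; the sample rows are constructed from the strings in the question.
CREATE TABLE #Users (
    UserId   INT IDENTITY(1,1) PRIMARY KEY,
    UserName NVARCHAR(100) NOT NULL,
    Email    NVARCHAR(256) NULL
);

INSERT INTO #Users (UserName, Email) VALUES
    (N'!S!WCRTESTINPUT000000!E! aNd 7=7', N'!S!WCRTESTINPUT000004!E!'),
    (N'99999999] | * | user[@role=admin', N'!S!WCRTESTINPUT000004!E!'),
    (N'jsmith',                           N'jsmith@example.com');

-- 1. Audit: list rows carrying the probe strings so they can be reviewed and removed.
SELECT UserId, UserName, Email
FROM #Users
WHERE UserName LIKE N'%WCRTESTINPUT%'
   OR Email    LIKE N'%WCRTESTINPUT%'
   OR UserName LIKE N'%@role=%';

-- 2. Column checks. WITH NOCHECK skips existing rows, so the constraints can be
--    added before cleanup. A NULL Email still passes (CHECK accepts UNKNOWN).
ALTER TABLE #Users WITH NOCHECK ADD CONSTRAINT CK_Users_Email
    CHECK (Email LIKE N'%_@_%._%'        -- shape: x@y.z
       AND Email NOT LIKE N'%!%'         -- the exclamation mark from the thread
       AND Email NOT LIKE N'% %');       -- no spaces

ALTER TABLE #Users WITH NOCHECK ADD CONSTRAINT CK_Users_UserName
    CHECK (UserName NOT LIKE N'%[|*=!]%' -- pipe, asterisk, equals, exclamation
       AND UserName NOT LIKE N'%[[]%'    -- literal [
       AND UserName NOT LIKE N'%]%');    -- literal ]

-- 3. Replay one stored value from the question: the INSERT is now refused as a
--    CHECK violation (SQL Server error 547) instead of creating a user row.
BEGIN TRY
    INSERT INTO #Users (UserName, Email)
    VALUES (N'99999999] | * | user[@role=admin', N'!S!WCRTESTINPUT000004!E!');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

DROP TABLE #Users;
```

These constraints only narrow what can be stored in the two columns; they do not change how the LMS builds its queries.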

Expert Comment

by:Tony Giangreco
ID: 39966463
First, find out if you have a hardware firewall like Sonicwall, Watchdog or Cisco. Next, determine if an option is available on that firewall to add that functionality.

We use a Sonicwall firewall and that option is called Geo-IP which allows us to block any country. By default, we block all foreign countries since all of our employees and clients are in the US.

Hope this helps.
 

Author Comment

by:coerrace
ID: 39966543
ste5an, yes, LMS. We did not code that LMS, so we don't know how they control that. But now what about: "You may consider using more restrictive checks on the columns that form the e-mail and other address columns. E.g. prohibit the exclamation mark." Where and who can do that?
   And yes, it was blocked by IIS, but that person could add a user name in the database without knowing the database password or administration password of the site, and what Event Viewer shows is what I pasted.
Thank you

   We just have the firewall of Windows 2008 server but we found this:

http://cyber-defense.sans.org/blog/2011/10/25/windows-firewall-script-block-addresses-network-ranges
   And we are looking for the list of IPs because we don't have it. It appears that person tried to enter from Sweden.
Thank you

Accepted Solution

by:
ste5an earned 500 total points
ID: 39966736
When you don't have control over the LMS source, then consider also using an IDS (Intrusion Detection System) like Snort.
 

Author Comment

by:coerrace
ID: 39967027
We installed Snort like in this video:

https://www.youtube.com/watch?v=_ic07nBoweg

   Now, how can we run Snort to protect the web apps? It is installed with rules and all. We just want to know what command we will need to give, or whether we need to create files to protect from the kind of strings I pasted in the original topic of this forum.
Thank you
 

Author Closing Comment

by:coerrace
ID: 39969814
Really, using Snort solved the problem for now.
Thank you