coerrace
asked on
SQL Server 2008 injection problem
Hello, someone tried to hack our sites with SQL injection. Our sites are LMS that use databases in SQL Server 2008. Look at the users added by the hacker:
User Name: !S!WCRTESTINPUT000000!E! aNd 7=7
Email Address: !S!WCRTESTINPUT000004!E!
Address 1: !S!WCRTESTINPUT000005!E!
Address 2: !S!WCRTESTINPUT000006!E!
Post Code: !S!WCRTESTINPUT000007!E!
State: !S!WCRTESTINPUT000008!E!
Country: !S!WCRTESTINPUT000009!E!
User Name: 99999999] | * | user[@role=admin
Email Address: !S!WCRTESTINPUT000004!E!
Address 1: !S!WCRTESTINPUT000005!E!
Address 2: !S!WCRTESTINPUT000006!E!
Post Code: !S!WCRTESTINPUT000007!E!
State: !S!WCRTESTINPUT000008!E!
Country: !S!WCRTESTINPUT000009!E!
How can we defend against that, and was what those people did bad, or were they just attempts?
Thank you
I suggest the following:
Review the site and its security. Upgrade all passwords so they are more secure, and don't allow visitors to insert records unless they are approved and known to your organization.
Review the database and build in safety measures to make it more secure.
Make sure the server has the latest Microsoft security patches and updates applied to it.
Review your client list, and if you don't have any users in foreign countries, block access from foreign countries in your firewall. We did that this year and it made a considerable reduction in the number of malicious attempts on our server.
ASKER
How can we put in the firewall protection for foreign countries?
Thank you
LMS?
Well, when they are properly coded, then there is no problem.
You may consider using more restrictive checks on the columns that form the e-mail and other address columns. E.g. prohibit the exclamation mark.
The exception in the event log shows that someone tried a prohibited path, which was blocked by IIS.
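An added example, not part of the original thread: one way to apply the stricter field checks suggested above in application code, and to triage which stored user records carry the probe values pasted in the question (the marker strings, the `aNd 7=7` boolean test and the XPath-style predicate in the second user name). The field names, allow-list patterns and sample rows are assumptions constructed for illustration, not the LMS's real schema.

```python
import re

# Allow-list per field (assumed policy; adjust to what the LMS really accepts).
FIELD_RULES = {
    "user_name": re.compile(r"[A-Za-z0-9._-]{3,32}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "post_code": re.compile(r"[A-Za-z0-9 -]{3,10}"),
}

# Signatures of the probe values shown in the question.
PROBE_SIGNATURES = {
    "scanner_marker": re.compile(r"!S!\w+!E!"),
    "boolean_test": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.IGNORECASE),
    "xpath_syntax": re.compile(r"\]\s*\|\s*\*\s*\||\[@\w+\s*="),
}

def validate(record):
    """Return the names of fields that fail their allow-list rule."""
    return sorted(f for f, rule in FIELD_RULES.items()
                  if not rule.fullmatch(record.get(f, "")))

def classify(record):
    """Return the probe signatures found anywhere in the record."""
    text = " ".join(str(v) for v in record.values())
    return sorted(n for n, sig in PROBE_SIGNATURES.items() if sig.search(text))

# Constructed sample rows: two copied from the question, one ordinary user.
SAMPLE = [
    {"user_name": "!S!WCRTESTINPUT000000!E! aNd 7=7",
     "email": "!S!WCRTESTINPUT000004!E!", "post_code": "!S!WCRTESTINPUT000007!E!"},
    {"user_name": "99999999] | * | user[@role=admin",
     "email": "!S!WCRTESTINPUT000004!E!", "post_code": "!S!WCRTESTINPUT000007!E!"},
    {"user_name": "maria.lopez", "email": "maria@example.org", "post_code": "90210"},
]

def triage(rows):
    """Pair each row's user name with its failed fields and probe signatures."""
    return [(r["user_name"], validate(r), classify(r)) for r in rows]

if __name__ == "__main__":
    for name, bad, hits in triage(SAMPLE):
        print(f"{name!r}: invalid={bad} probes={hits}")
```

Rejecting at `validate` time keeps such rows out of the table; `classify` is for reviewing rows that are already stored. Neither replaces parameterized queries in the LMS code itself.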
First, find out if you have a hardware firewall like Sonicwall, Watchdog or Cisco. Next, determine if an option is available on that firewall to add that functionality.
We use a Sonicwall firewall and that option is called Geo-IP which allows us to block any country. By default, we block all foreign countries since all of our employees and clients are in the US.
Hope this helps.
ASKER
ste5an, yes, LMS. We did not code that LMS, so we don't know how they control that. But now, what about: "You may consider using more restrictive checks on the columns that form the e-mail and other address columns. E.g. prohibit the exclamation mark." Where and who can do that?
And yes, it was blocked by IIS, but that person could add a user name in the database without knowing the database password or administration password of the site, and what Event Viewer shows is what I pasted.
Thank you
We just have the firewall of Windows 2008 server but we found this:
http://cyber-defense.sans.org/blog/2011/10/25/windows-firewall-script-block-addresses-network-ranges
And we are looking for the list of IPs because we don't have it; it appears that person tried to enter from Sweden.
Thank you
ASKER
We installed Snort as in this video:
https://www.youtube.com/watch?v=_ic07nBoweg
Now, how can we run Snort to protect the web apps? It is installed with rules and all. We just want to know what command we need to give, or whether we need to create files, to protect from the kind of strings I pasted in the original topic of this forum.
Thank you
ASKER
Really, using Snort solved the problem for now.
Thank you
ASKER
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/31/2014 2:57:16 AM
Event time (UTC): 3/31/2014 7:57:16 AM
Event ID: 8bfcbeda5244418f9f1d1faa9c
Event sequence: 8
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT-1-1304072
Trust level: Full
Application Virtual Path: /
Application Path: C:\inetpub\wwwroot\
Machine name: ourmachine
Process information:
Process ID: 11012
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: HttpException
Exception message: A potentially dangerous Request.Path value was detected from the client (:).
at System.Web.HttpRequest.Val
at System.Web.HttpApplication
Request information:
Request URL: http://ourwebpage/pages/Password:
Request path: /pages/Password:
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
Thread ID: 7
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Web.HttpRequest.Val
at System.Web.HttpApplication