Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

SQL Injected data?

Posted on 2016-11-02
8
Medium Priority
?
189 Views
Last Modified: 2016-11-04
Hello everyone!

I believe we may have been a victim of a SQL injection.  This morning we found some peculiar data in a few tables within our website database and have no clue where it came from.  Doing a google search shows that quite a few sites seem to have this same data.  Has anyone seen this for by chance?
I've found 2 variances of it:

<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div>

Open in new window

and
<a href=http://<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div> ><div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div></a>

Open in new window


Thank you for your help!
0
Comment
Question by:stdmfgco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 

Author Comment

by:stdmfgco
ID: 41871047
When you search for this part: wer54w66sf32re2  Quite a few websites have it in their code as well.  We only found it because it broke our google maps function on our website.  It's almost like a tracking key.
0
 
LVL 30

Assisted Solution

by:Alexandre Simões
Alexandre Simões earned 1000 total points
ID: 41871693
Hi mate,
it's strange, I've never seen this.
Looks like you've been flagged for some purpose.

The second line is even malformed HTML so it's either an error, or your parser broker but in any way, it was never meant to be displayed, but still it get's indexed by Google as you noticed when you searched by that key value.

Clean-up all that from your DB and test your application against that kind of attacks. I think it's the best you can do.

Cheers,
Alex
1
 
LVL 35

Expert Comment

by:ste5an
ID: 41872087
Why do  you think it is SQL Injection?

In this case you need to check your database layer..
0
Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

 
LVL 51

Expert Comment

by:Steve Bink
ID: 41872090
That's a canary.

Hackers don't just find a target and sit for hours on end trying to break in.  They have a bot army run automated scans and penetration tests against ranges of IPs.  When something interesting is found, they leave a little breadcrumb to indicate that the site is vulnerable.  A live (evil) person comes back later to dress up the victim.

At the very least, that indicates you have an injection vulnerability in your site.  Time to do a code audit, and the sooner the better.  You can expect more dedicated, specifically targeted attacks in the future.
0
 
LVL 51

Accepted Solution

by:
Steve Bink earned 1000 total points
ID: 41872250
Thinking about this further, this is not indicative of an injection vulnerability.  This shows that you are not scrubbing/filtering your input data as well as you probably should.  The potential vulnerability here lies in the possibility that this HTML is visible on your site.

When an attacker encounters a form, they try to push some HTML into it and detect if it is visible on any of the resulting pages.  If it is visible, then the site is vulnerable to cross-site/forgery attacks.  Imagine an attacker injecting an <iframe> instead of some garbage HTML.  That frame could point to anywhere - spam advertisement, malicious payloads, rick roll videos - and any user of that site would be a potential target.

So, still time for a code audit.  Works towards making any user input "safe".  if you're expecting a number make sure it is a number.  If you're expecting text, strip out any HTML.  If you're expecting HTML, limit the input elements you will accept.  If it comes from the client, it is unsafe.
0
 
LVL 51

Expert Comment

by:Steve Bink
ID: 41872467
Luckily, this is a common and well-documented issue, with tons of ready-made solutions available to you.  The first few results of a Google search led me to a variety of workable possibilities.  The basic process is to take each piece of user input and run it through an algorithm designed to remove "bad" stuff.  In this case, you're looking for anything that looks like HTML.  

In truth, the more important aspect of this issue is to make sure you're not RENDERING the input unsafely.  Simply encoding the output into HTML entities or URL encoding should be sufficient to defend against the attack.  In the long run, though, it is better to scrub the input when you first get it rather than worry about having to encode it on each output.
0
 

Author Closing Comment

by:stdmfgco
ID: 41873925
I believe we found the issue.  We had a lost password field that wasn't locked down to only allow email addresses.  So far so good! Thanks everyone!
0
 
LVL 30

Expert Comment

by:Alexandre Simões
ID: 41874002
Hi mate,
make sure you "lock it" on both front and back ends.
Locking it only on the front-end is still very easy to by-pass.

Cheers,
Alex
0

Featured Post

Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
It is possible to export the data of a SQL Table in SSMS and generate INSERT statements. It's neatly tucked away in the generate scripts option of a database.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question