Solved

SQL Injected data?

Posted on 2016-11-02
8
160 Views
Last Modified: 2016-11-04
Hello everyone!

I believe we may have been a victim of a SQL injection.  This morning we found some peculiar data in a few tables within our website database and have no clue where it came from.  Doing a google search shows that quite a few sites seem to have this same data.  Has anyone seen this for by chance?
I've found 2 variances of it:

<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div>

Open in new window

and
<a href=http://<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div> ><div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div></a>

Open in new window


Thank you for your help!
0
Comment
Question by:stdmfgco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 

Author Comment

by:stdmfgco
ID: 41871047
When you search for this part: wer54w66sf32re2  Quite a few websites have it in their code as well.  We only found it because it broke our google maps function on our website.  It's almost like a tracking key.
0
 
LVL 30

Assisted Solution

by:Alexandre Simões
Alexandre Simões earned 250 total points
ID: 41871693
Hi mate,
it's strange, I've never seen this.
Looks like you've been flagged for some purpose.

The second line is even malformed HTML so it's either an error, or your parser broker but in any way, it was never meant to be displayed, but still it get's indexed by Google as you noticed when you searched by that key value.

Clean-up all that from your DB and test your application against that kind of attacks. I think it's the best you can do.

Cheers,
Alex
1
 
LVL 34

Expert Comment

by:ste5an
ID: 41872087
Why do  you think it is SQL Injection?

In this case you need to check your database layer..
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 
LVL 50

Expert Comment

by:Steve Bink
ID: 41872090
That's a canary.

Hackers don't just find a target and sit for hours on end trying to break in.  They have a bot army run automated scans and penetration tests against ranges of IPs.  When something interesting is found, they leave a little breadcrumb to indicate that the site is vulnerable.  A live (evil) person comes back later to dress up the victim.

At the very least, that indicates you have an injection vulnerability in your site.  Time to do a code audit, and the sooner the better.  You can expect more dedicated, specifically targeted attacks in the future.
0
 
LVL 50

Accepted Solution

by:
Steve Bink earned 250 total points
ID: 41872250
Thinking about this further, this is not indicative of an injection vulnerability.  This shows that you are not scrubbing/filtering your input data as well as you probably should.  The potential vulnerability here lies in the possibility that this HTML is visible on your site.

When an attacker encounters a form, they try to push some HTML into it and detect if it is visible on any of the resulting pages.  If it is visible, then the site is vulnerable to cross-site/forgery attacks.  Imagine an attacker injecting an <iframe> instead of some garbage HTML.  That frame could point to anywhere - spam advertisement, malicious payloads, rick roll videos - and any user of that site would be a potential target.

So, still time for a code audit.  Works towards making any user input "safe".  if you're expecting a number make sure it is a number.  If you're expecting text, strip out any HTML.  If you're expecting HTML, limit the input elements you will accept.  If it comes from the client, it is unsafe.
0
 
LVL 50

Expert Comment

by:Steve Bink
ID: 41872467
Luckily, this is a common and well-documented issue, with tons of ready-made solutions available to you.  The first few results of a Google search led me to a variety of workable possibilities.  The basic process is to take each piece of user input and run it through an algorithm designed to remove "bad" stuff.  In this case, you're looking for anything that looks like HTML.  

In truth, the more important aspect of this issue is to make sure you're not RENDERING the input unsafely.  Simply encoding the output into HTML entities or URL encoding should be sufficient to defend against the attack.  In the long run, though, it is better to scrub the input when you first get it rather than worry about having to encode it on each output.
0
 

Author Closing Comment

by:stdmfgco
ID: 41873925
I believe we found the issue.  We had a lost password field that wasn't locked down to only allow email addresses.  So far so good! Thanks everyone!
0
 
LVL 30

Expert Comment

by:Alexandre Simões
ID: 41874002
Hi mate,
make sure you "lock it" on both front and back ends.
Locking it only on the front-end is still very easy to by-pass.

Cheers,
Alex
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to write a Context Sensitive Help (an online help that is obtained from a specific point in state of software to provide help with that state) ,  first we need to make the file that contains all topics, which are given exclusive IDs. …
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question