SQL injection attack on our site
15/08/2008 11:28:30
General information
Forum: Microsoft SQL Server
Category: Other
Environment versions
SQL Server: SQL Server 2005
Miscellaneous
Thread ID: 01338988
Message ID: 01339139
Views: 10
WWC has a "safe" parameter switch that filters for things like RUN, EXECSCRIPT, ..., but the injection had EXEC in it, not EXECSCRIPT. But I would expect it to pick up on that too. Need to tweak that.

>Yep, I received basically the same string Rick posted. I converted his too and it is the same except for the script they injected.
>
>
>
>>Saw something similar recently, after reading this post on Rick's site. Lots of different IP addresses involved.
>>
>>http://www.west-wind.com/weblog/posts/447503.aspx
>>
>>
>>>I just recently dealt with this on some software my employer had purchased from a third party vendor years ago. I cleaned the tables too, but the next morning all the values were back. There are programs that will try to automatically execute the code on your site over and over again.
>>>
>>>I set up SQL Profiler to trace what was going on. Once I saw what they did, it was very simple: I modified two things. I denied select permissions on the sysobjects and syscolumns tables of the login that was using the site, and then I found the web page they were using and validated the parameter being passed in via the URL - because they added a long string to the end. This prevented it from actually hitting the database at all.
>>>
>>>Essentially the code I dealt with grabbed all the tables from sysobjects and all the columns from syscolumns, put them in a cursor, and executed an update on every field in every table as it walked the cursor. If the field was of the right data type and there was enough room left in the field it would insert the string similar to what you have.
>>>
>>>
>>>
>>>
>>>
>>>
>>>>Hi everybody,
>>>>
>>>>Here is what we found in our database
>>>><script = www.bad name.ru  /somejsfile.js>
>>>>in some fields. If you try to go to this site (as I decided to check), they immediately try to execute some virus.
>>>>
>>>>We're not yet sure of the scope of the problem. This particular page with the fields having this info used parameters for update.
>>>>
>>>>I'm guessing when information is retrieved and if this script is actually executed, it may cause a lot of damage. We're cleaning our tables in the meantime.
>>>>
>>>>Thanks.
>>>>
>>>>The bad name is 3njx.ru. Just in case, I decided to change it here to bad name.
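
An added example, not part of the thread and not Web Connection's or any poster's code: it compares the two ideas raised above, a keyword filter that lists EXECSCRIPT but not EXEC, and validating the URL parameter before it reaches the database. The blocklist contents beyond RUN and EXECSCRIPT, the function names, the sample values and the assumption that the parameter is a numeric record id are all hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical keyword blocklist in the spirit of the filter described in the
# thread: it lists RUN and EXECSCRIPT but not the T-SQL keyword EXEC.
BLOCKED_WORDS = {"RUN", "EXECSCRIPT"}

# Assumption: the page parameter is a numeric record id of at most 9 digits.
# [0-9] is used on purpose: \d would also accept non-ASCII digits.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def blocklist_allows(value: str) -> bool:
    """Keyword filter: rejects only values containing a listed whole word."""
    words = set(re.findall(r"[A-Za-z_]+", value.upper()))
    return not (words & BLOCKED_WORDS)


def parse_record_id(value: str) -> Optional[int]:
    """Allowlist check: the whole value must be ASCII digits, else reject."""
    if ID_PATTERN.fullmatch(value):
        return int(value)
    return None


def review(values: List[str]) -> List[Tuple[str, bool, Optional[int]]]:
    """Return (value, passes_blocklist, parsed_id) for each raw parameter."""
    return [(v, blocklist_allows(v), parse_record_id(v)) for v in values]


# Constructed sample parameters (not taken from any real request).
SAMPLES = [
    "1042",                      # normal request
    "1042;EXEC(@placeholder)",   # long string appended to the id
    "1042 EXECSCRIPT(x)",        # the one keyword the blocklist knows
    "\u0661\u0660\u0664\u0662",  # non-ASCII digits, rejected by [0-9]
]

if __name__ == "__main__":
    for value, passed, record_id in review(SAMPLES):
        print(f"{value!r:32} blocklist_ok={passed!s:5} id={record_id}")
```

The appended-string sample passes the keyword filter but never parses as an id, so a request carrying it would stop before any query is built. The permission change on sysobjects and syscolumns described in the thread remains a separate, database-side control.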