injection attack
saeed_edp
Posted Wednesday, July 02, 2008 5:03 AM
Please help me!
I'm under injection attack and I don't know what I can do.
This script ' script src=http://www.hdadwcd.com/b.js /script' is injected into my database (SQL Server 2000).
It was not only injected into many of the databases' fields but also renamed my publication name to:
"publication name script src=http://www.hdadwcd.com/b.js /script"
How can I repair it and stop this injection?
How can I edit the binary fields in MSrepl_commands and delete this script from the command field?
Post #527164
GilaMonster
Posted Wednesday, July 02, 2008 6:01 AM
You need to find the application that is vulnerable to injection (you can use profiler to see the commands coming to the database).
There isn't a quick silver bullet on this. You need to find the vulnerable pages and fix them. Change SQL statements to parameterised rather than built up. Restrict the app's permissions to not allow it to directly access the tables but to use stored procs.
I would suggest that you drop the publication in question and recreate it.
Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
We walk in the dark places no others will enter
We stand on the bridge and no one may pass
Post #527203
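The two recommendations in the reply above, as an added T-SQL example that is not part of the original thread: a lookup built up by concatenation, the same lookup as a static parameterised statement, and permissions that let the application run the procedure without direct table access. The table `dbo.Articles`, both procedure names and the role `webapp_role` are hypothetical.

```sql
-- Added example; dbo.Articles, the procedure names and webapp_role are hypothetical.

-- BEFORE: statement built up from user input. Whatever arrives in @title
-- becomes part of the SQL text that EXEC() runs.
CREATE PROCEDURE dbo.SearchArticles_BuiltUp
    @title varchar(200)
AS
    DECLARE @sql varchar(1000)
    SET @sql = 'SELECT ArticleID, Title FROM dbo.Articles WHERE Title LIKE ''%'
             + @title + '%'''
    EXEC (@sql)
GO

-- AFTER: static statement. @title is only ever compared as data, so quotes
-- or semicolons inside it cannot change what the statement does.
CREATE PROCEDURE dbo.SearchArticles
    @title varchar(200)
AS
    SET NOCOUNT ON
    SELECT ArticleID, Title
    FROM dbo.Articles
    WHERE Title LIKE '%' + @title + '%'
GO

-- Where the statement text really has to be assembled at run time, keep the
-- value out of the text and pass it as a parameter. Dynamic SQL is
-- permission-checked against the caller, so this form needs table rights.
DECLARE @title nvarchar(200)
SET @title = N'replication'
EXEC sp_executesql
    N'SELECT ArticleID, Title FROM dbo.Articles WHERE Title LIKE N''%'' + @t + N''%''',
    N'@t nvarchar(200)',
    @t = @title
GO

-- Permissions: the web application's role may execute the procedure but has
-- no direct rights on the table. Ownership chaining (both objects owned by
-- dbo) lets the static procedure read the table, while an ad-hoc UPDATE
-- arriving through the application's login is refused.
GRANT EXECUTE ON dbo.SearchArticles TO webapp_role
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Articles TO webapp_role
GO
```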
bitbucket-25253
Posted Thursday, July 03, 2008 3:59 PM
When reading this, scroll up to the top of this page; in the upper frame you will see "Search:". Type in the word "injection" (without the quotes) and then click the button labelled "Go", and be prepared to read a vast amount of information concerning your problem and some recommended solutions from articles and forums here on SQL ServerCentral.
If everything seems to be going well, you have obviously overlooked something.
Ron
Post #528427
saeed_edp
Posted Thursday, July 24, 2008 3:29 AM
Hi
Thank you for your last reply.
I resolved that problem by editing all tables and removing that script.
I think it was a new injection method.
These links were helpful:
http://www.msblog.org/index.php?s=yp
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
But I couldn't resolve one part of the problem:
There were many binary fields in MSrepl_commands containing the bad script.
I deleted them because I couldn't edit them.
I would be pleased to be taught how to edit the MSrepl_commands command field and alter its data.
Yours truly
saeed.
Post #539951
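An inventory of where the injected tag landed, as an added T-SQL example that is not part of the original thread: it counts, per character column, the rows that contain the marker taken from the URL quoted in the posts above. It only reads data; the temp table `#hits` and all variable names are choices made for this example.

```sql
-- Added example; run in each affected database. Report only, changes nothing.
-- @marker is taken from the URL quoted in the thread.
SET NOCOUNT ON
DECLARE @marker nvarchar(200), @tbl nvarchar(520), @col sysname,
        @type sysname, @sql nvarchar(2000), @hits int
SET @marker = N'hdadwcd.com/b.js'

CREATE TABLE #hits (tbl nvarchar(520), col sysname, data_type sysname,
                    matching_rows int)

DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME),
           c.COLUMN_NAME, c.DATA_TYPE
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')

OPEN cols
FETCH NEXT FROM cols INTO @tbl, @col, @type
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers are quoted with QUOTENAME; the marker travels as a parameter.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + @tbl
             + N' WHERE ' + QUOTENAME(@col) + N' LIKE N''%'' + @m + N''%'''
    EXEC sp_executesql @sql, N'@m nvarchar(200), @n int OUTPUT',
         @m = @marker, @n = @hits OUTPUT
    IF @hits > 0
        INSERT #hits VALUES (@tbl, @col, @type, @hits)
    FETCH NEXT FROM cols INTO @tbl, @col, @type
END
CLOSE cols
DEALLOCATE cols

SELECT tbl, col, data_type, matching_rows FROM #hits ORDER BY matching_rows DESC
DROP TABLE #hits
```

Binary columns such as the command field of MSrepl_commands are not covered by this scan; for those, the advice given in this thread is to drop and recreate the replication.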
GilaMonster
Posted Thursday, July 24, 2008 3:31 AM
The safest fix is probably to completely drop the replication and recreate it.
Gail Shaw
Post #539955
britinusa
Posted Friday, October 26, 2012 9:26 AM
Wow, this is an old thread but still very pertinent.
We are rapidly migrating to SQL 2005.
But we were attacked by injection ... every varchar field in every table replaced with similar .js crap. We restored and the world was good.
But we're trying to find the vulnerability ... of the publicly visible pages on the site (only 5 or 6), all are derived with stored procs and/or our own in-house brewed trap.
We are told that SQL2005 and SQL2008 handle SQL injections far better.
We are also about to, within a month, implement a proper SQL Server 2005 mirror. But of course mirrors will merely mirror the injection; right?
I'm babbling ... but beyond stored procs and home-grown filters, are there any other known hardware/software remedies?
You refer to a profiler to see commands ... where is that?
Post #1377677
GilaMonster
Posted Friday, October 26, 2012 9:32 AM
Can you post this in a new thread please?
Gail Shaw
Post #1377684
britinusa
Posted Friday, October 26, 2012 9:38 AM
Sorry .. by all means .. I'm new here ... my bad.
A new thread or somewhere you'd prefer?
Robert
Post #1377693
GilaMonster
Posted Friday, October 26, 2012 9:43 AM
New thread in the appropriate forum. Probably SQL 2005 T-SQL. Some people will look at a thread with lots of replies and not check it, assuming it's answered already.
Gail Shaw
Post #1377698
britinusa
Posted Friday, October 26, 2012 9:48 AM
Ok, will do BUT ... the main gist of this post was your mention of the "profiler"?
We are trying to determine the vulnerability?
Post #1377700