DB hack

  • I have hosted an asp.net website (that is publicly available) on a server with connectivity to MS SQL 2005 as the database.

    Recently somebody attacked the database by inserting a script in all the varchar and text fields of the database, which led to a corrupt database. Are there any means to avoid this situation?

    Some additional information:

    My web site and the database are hosted on the same server with the same IP address.

    The database currently being used has a customized username/password which is accessed through the connection string in the web.config of the website.

    I have implemented code to handle SQL injection in my code and I use parameterized stored procedures to interact with the database.

    Please suggest how I can make my database secure from such a hack in the future.

  • Try to find out about SQL injection and check how it works. It will help you to design the database to secure its data from these injections.

  • I have implemented code to handle SQL Injection. Also, all db operations are performed by the use of parameterized stored procedures.

    We have ensured that any malicious code entering through the UI is verified for SQL injection and is stored in the database as data and is not executed.

  • 1) Change the default port 1433 for SQL to some other port.

    2) If possible, use just Windows authentication mode.

    3) Change the password of the sa login periodically.

    4) Make sure your xp_cmdshell is off.

    5) It will be great if you can host your application and database on different servers.

    6) Disable all the accounts which you are not using, like your Guest account.

    7) Apply the latest patches.

    8) Encrypt secure data with symmetric keys.

  • What do you mean by "the database is corrupted"? Is it corrupt in the sense that SQL Server reported corruption of the data files? Or is it just the data is effectively corrupted due to all the attempted SQL injection text being saved in the database?

    Assuming you meant the data is bad, and if you've properly handled SQL injection attacks (which you say you have), then the only other option I know of is to implement value checking in the server-side web code to not allow those kinds of entries, which isn't easy, especially if you have free-form text entry fields.

    As long as the web site is open to the public, you'll have the potential of this kind of problem. Requiring logins can reduce it some, if for no other reason than you may have the bad data tied to a login for easier removal.
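An added example (my own, not code posted by anyone in this thread) covering two of the points raised above in T-SQL: a script that lists every varchar/text column still holding the injected fragment so the damage can be scoped before cleanup or a restore, and the same search stored procedure written the injectable way (dynamic SQL glued together from its parameter) beside the parameterized way. The table dbo.Comments, its Body column and the marker string are placeholder assumptions; replace them with the fragment actually observed in the affected rows.

```sql
-- Added example, not from the original thread. Placeholders: dbo.Comments,
-- Body, and the @marker fragment. Written for SQL Server 2005 syntax
-- (DECLARE/SET on separate lines, INFORMATION_SCHEMA, sp_executesql).

-- 1. Scope the damage: one COUNT(*) per character column that still
--    contains the injected fragment. The column list is built from
--    metadata; the fragment itself is passed as a parameter, never spliced.
DECLARE @marker nvarchar(200);
SET @marker = N'<script';            -- placeholder for the observed fragment

DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql
    + N'SELECT ''' + TABLE_SCHEMA + N'.' + TABLE_NAME + N'.' + COLUMN_NAME
    + N''' AS hit, COUNT(*) AS rows_affected FROM '
    + QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME)
    + N' WHERE CAST(' + QUOTENAME(COLUMN_NAME) + N' AS nvarchar(max))'
    + N' LIKE ''%'' + @m + ''%'' HAVING COUNT(*) > 0;' + CHAR(10)
FROM INFORMATION_SCHEMA.COLUMNS
WHERE DATA_TYPE IN ('varchar', 'nvarchar', 'text', 'ntext');

EXEC sp_executesql @sql, N'@m nvarchar(200)', @m = @marker;
GO

-- 2. "Parameterized stored procedure" only protects you if the procedure
--    does not rebuild SQL text from its parameters. This version is still
--    injectable: @search becomes part of the statement.
CREATE PROCEDURE dbo.SearchComments_Unsafe @search nvarchar(100) AS
    EXEC (N'SELECT Body FROM dbo.Comments WHERE Body LIKE ''%'
          + @search + N'%''');
GO

-- The hardened form keeps @search as data by handing it to sp_executesql
-- as a typed parameter; the statement text never changes.
CREATE PROCEDURE dbo.SearchComments @search nvarchar(100) AS
    EXEC sp_executesql
        N'SELECT Body FROM dbo.Comments WHERE Body LIKE ''%'' + @s + ''%''',
        N'@s nvarchar(100)',
        @s = @search;
GO
```

Run the first batch against a copy of the database first; a hit list of tables and counts is usually what you need to decide between scripted cleanup with REPLACE and restoring from the last known-good backup.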
