From: Lance Wynn on 15 May 2008 08:33

One of my servers has been compromised by this virus, and I can't seem to block it out! I have shut down the infected server, but I need to figure out how to check for this, and stop it.

The site is running IIS 5 on Windows 2000; the backend DB is SQL Server 2000.

Can anyone point me to some good resources for this? This is urgent!

Thanks a lot
Lance

--
Support Fairtax Legislation
www.fairtax.org
"A government big enough to give you everything you want, is strong enough to take everything you have." -Thomas Jefferson
From: Aaron Bertrand [SQL Server MVP] on 15 May 2008 08:42

Well, do your ASP pages use ad hoc SQL? Do you validate input? Are you using an over-privileged account to connect to the database from ASP? You should read up on SQL injection, determine what you are doing now that allows it, and fix it.

I don't think anyone has given explicit instructions on how to check for it and stop it, because there aren't enough details available about the actual exploit. But most of the articles talk about SQL injection, so that is a pretty good place to start.

"Lance Wynn" <Lance_Wynn(a)community.nospam> wrote in message news:%23Wpq8fotIHA.2588(a)TK2MSFTNGP05.phx.gbl...
> One of my servers has been compromised by this virus, and I can't seem to
> block it out! I have shut down the infected server, but I need to figure
> out how to check for this, and stop it.
>
> The site is running IIS 5 on Windows 2000; the backend DB is SQL Server 2000
>
> Can anyone point me to some good resources for this? This is urgent!
>
> Thanks a lot
> Lance
From: Lance Wynn on 15 May 2008 08:55

Hi, thanks for responding so quickly. There are ad hoc queries, and I do validate input. I must just be missing something... I watched the logs last night, and saw many failed attempts come in, and then this morning, it found a way in, and I'm not sure how...

Lance

--
Support Fairtax Legislation
www.fairtax.org
"A government big enough to give you everything you want, is strong enough to take everything you have." -Thomas Jefferson

"Aaron Bertrand [SQL Server MVP]" <ten.xoc(a)dnartreb.noraa> wrote in message news:u6gI5kotIHA.4876(a)TK2MSFTNGP02.phx.gbl...
> Well, do your ASP pages use ad hoc SQL? Do you validate input? Are you
> using an over-privileged account to connect to the database from ASP? You
> should read up on SQL injection, and determine what you are doing now that
> allows it, and fix it.
>
> I don't think anyone has given explicit instructions on how to check for
> it and stop it, because there aren't enough details available about the
> actual exploit. But most of the articles talk about SQL injection, so
> that is a pretty good place to start.
>
> "Lance Wynn" <Lance_Wynn(a)community.nospam> wrote in message
> news:%23Wpq8fotIHA.2588(a)TK2MSFTNGP05.phx.gbl...
>> One of my servers has been compromised by this virus, and I can't seem
>> to block it out! I have shut down the infected server, but I need to
>> figure out how to check for this, and stop it.
>>
>> The site is running IIS 5 on Windows 2000; the backend DB is SQL Server 2000
>>
>> Can anyone point me to some good resources for this? This is urgent!
>>
>> Thanks a lot
>> Lance
From: Bob Barrows [MVP] on 15 May 2008 09:02

Lance Wynn wrote:
> One of my servers has been compromised by this virus, and I can't
> seem to block it out! I have shut down the infected server, but I
> need to figure out how to check for this, and stop it.
>
> The site is running IIS 5 on Windows 2000; the backend DB is SQL Server
> 2000
>
> Can anyone point me to some good resources for this? This is urgent!
>
> Thanks a lot
> Lance

The simplest, and most effective, way to stop SQL injection is to stop using dynamic (ad hoc) SQL ... anywhere. Use parameters instead. For situations where dynamic SQL must be used (for example, where object names - columns, tables, etc. - need to be dynamic), you need to validate all user input that will be going into that SQL statement. Do not allow any string that has not been validated to be concatenated with another string to form a SQL statement.

Here are some of my canned replies on the subject:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

See here for a better, more secure way to execute your queries by using parameter markers (tokens):
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries as they are known in Access:

Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl

SQL Server:
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
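The contrast Bob draws above (ad hoc SQL built by string concatenation versus parameter markers, plus an allowlist for the object-name case that cannot be parameterized), shown as an added Python example that is not from this thread or any of its posters. Python's sqlite3 module stands in for the SQL Server 2000 backend; the users table, its rows, the payloads and the function names are all constructed for illustration. In the classic ASP the thread is about, the parameterized form is an ADODB.Command with a Parameters collection rather than a string passed to Execute.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in here for the SQL Server 2000
# backend in the thread, and the injection mechanics shown are the same.
SAMPLE_USERS = [
    ("lance", "s3cret", 0),
    ("alice", "hunter2", 0),
    ("admin", "t0ps3cret", 1),
]

# Only these object names may ever be spliced into a statement: identifiers
# cannot be passed as parameters, so an allowlist stands in for the marker.
ALLOWED_SORT_COLUMNS = ("username", "is_admin")


def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    db.commit()
    return db


def login_adhoc(db, username, password):
    """The pattern the thread warns against: user input concatenated into SQL.

    Returns the usernames the statement matched so a payload's effect is visible.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, username, password):
    """Same query with parameter markers: the inputs are bound as data and are
    never parsed as SQL, so quotes and comment sequences in them are inert."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


def list_users_sorted(db, sort_column):
    """Dynamic SQL that cannot be avoided (an object name), with the input
    validated against an allowlist before it touches the statement."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % (sort_column,))
    return [row[0] for row in
            db.execute("SELECT username FROM users ORDER BY " + sort_column)]


if __name__ == "__main__":
    db = make_db()
    # Tautology: the injected OR makes the WHERE clause true for every row.
    print(login_adhoc(db, "x", "' OR '1'='1"))           # all three users
    # A comment sequence in the name drops the password check entirely.
    print(login_adhoc(db, "admin'--", "wrong"))           # ['admin']
    # Bound as parameters, the very same strings match nothing.
    print(login_parameterized(db, "x", "' OR '1'='1"))   # []
    print(login_parameterized(db, "admin'--", "wrong"))  # []
    print(list_users_sorted(db, "username"))             # sorted names
```

The two ad hoc calls show why "I validate input" is not enough on its own: the tautology payload contains nothing a length or character-class check would obviously reject, and the comment payload needs only a quote and two dashes. Binding the values as parameters removes the whole class of problem; the allowlist is the fallback for the one place (identifiers) where binding is not available.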
From: Bob Barrows [MVP] on 15 May 2008 09:07

Lance Wynn wrote:
> Hi, thanks for responding so quickly. There are ad hoc queries, and I
> do validate input. I must just be missing something... I watched the
> logs last night, and saw many failed attempts come in, and then this
> morning, it found a way in, and I'm not sure how...

There is an exploit that some have termed "secondary SQL injection", which involves causing malicious code to be inserted into a database table. The developer, not considering values he retrieves from the database to be user input, fails to validate them before using them in a dynamic SQL statement, and ... the hacker is in.

Read through all the articles I posted in my previous reply, and take to heart my advice to stop using dynamic SQL.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
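The "secondary" (second-order) injection Bob describes, as an added Python example that is not from this thread or its posters. The hostile value is stored safely through a parameterized INSERT and only becomes SQL later, when a second feature reads it back and concatenates it, trusting it because it came from the database. Python's sqlite3 stands in for SQL Server 2000; the users table, the rows, the registration and password-change functions and the attacker's username are all constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the SQL Server backend, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "t0ps3cret"), ("lance", "s3cret")])
    db.commit()
    return db


def register(db, username, password):
    """Registration is parameterized, so a hostile username is stored verbatim
    and harmlessly; nothing is injected at this step, which is what makes the
    later concatenation easy to overlook."""
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    db.commit()


def password_of(db, username):
    """Read back a password so the effect of each UPDATE can be checked."""
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


def change_password_adhoc(db, current_username, new_password):
    """The second-order flaw: the name is read back from the table, treated as
    trusted because it came from the database, and concatenated into SQL.
    Returns the number of rows the UPDATE touched."""
    (stored_name,) = db.execute(
        "SELECT username FROM users WHERE username = ?",
        (current_username,)).fetchone()
    sql = ("UPDATE users SET password = '" + new_password
           + "' WHERE username = '" + stored_name + "'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def change_password_parameterized(db, current_username, new_password):
    """Same operation with the stored value bound as a parameter: data read
    from the database is treated as input, exactly like a form field."""
    (stored_name,) = db.execute(
        "SELECT username FROM users WHERE username = ?",
        (current_username,)).fetchone()
    cur = db.execute("UPDATE users SET password = ? WHERE username = ?",
                     (new_password, stored_name))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    register(db, "admin'--", "attacker")
    # The stored name turns the ad hoc UPDATE into
    #     ... WHERE username = 'admin'--'
    # so the attacker resets the real admin's password, not their own.
    change_password_adhoc(db, "admin'--", "pwned")
    print(password_of(db, "admin"))     # pwned
    print(password_of(db, "admin'--"))  # attacker
```

The practical rule this illustrates is the one Bob states: a value's origin does not make it safe. Once it is concatenated into a statement it is SQL text, whether it arrived in the request or was selected from a column, so the fix is the same parameter binding at every statement, not validation at the point of entry alone.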