From: Mike Myers on 21 Jul 2010 12:24

Hello

Periodically, some of the records in one table have one field updated to the following value:

<!--<1586567094>-->

It is the most bizarre thing I have ever seen. We have checked all our servers and stored procedures for any occurrence of this value in scripts or ASP pages but none exist. We're fearing SQL injection or similar but in our application this field is only updated from one place and it's tight against hacking.

If it was a hack we would think the value might be something else, so we're presuming some sort of corruption or similar. We're at a loss.

Does anyone have any suggestions?

Thanks and regards

Mike

From: Dan Guzman on 21 Jul 2010 13:02

> If it was a hack we would think the value might be something else, so
> we're presuming some sort of corruption or similar. We're at a loss.

This could very well be a hack. For example, the value 1586567094 might be someone's SSN that the hacker was able to harvest and display on a web page. I suggest you run a server-side trace (not Profiler) continuously with a filter to log the problem update when it occurs.

I don't know what steps you've taken to prevent SQL injection, but here is my short list:

- perform data access exclusively from stored procedures
- execute procedures from app code using command type stored procedure along with parameter objects (never build and execute SQL Statement strings with concatenation, especially form fields and URL data)
- grant no permissions on tables and leverage ownership chaining security
- use a minimally privileged account with only stored procedure execute permissions
- no dynamic SQL in stored procedures

Separately, you can mitigate other security vulnerabilities (e.g. cross-site scripting) with stringent input and output validation.

--
Hope this helps.

Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/

"Mike Myers" <bookham_measures(a)yahoo.com> wrote in message news:#QyMGFPKLHA.1996(a)TK2MSFTNGP06.phx.gbl...
> Hello
>
> Periodically, some of the records in one table have one field updated to
> the following value:
>
> <!--<1586567094>-->
>
> It is the most bizarre thing I have ever seen. We have checked all our
> servers and stored procedures for any occurrence of this value in scripts
> or ASP pages but none exist. We're fearing SQL injection or similar but
> in our application this field is only updated from one place and it's
> tight against hacking.
>
> If it was a hack we would think the value might be something else, so
> we're presuming some sort of corruption or similar. We're at a loss.
>
> Does anyone have any suggestions?
>
> Thanks and regards
>
> Mike
>

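The stored-procedure and permission items in the list above, sketched in T-SQL as an added example (not code from the thread or from any poster). The table dbo.Records, its columns, the procedure dbo.usp_SetRecordNotes and the role web_app_exec are hypothetical names.

```sql
-- Added example; every object name here is hypothetical.
-- Table and procedure share one owner (dbo), so ownership chaining lets the
-- procedure touch the table without the caller holding any table permission.
CREATE TABLE dbo.Records (
    RecordID    int  NOT NULL PRIMARY KEY,
    OwnerUserID int  NOT NULL,
    Notes       text NULL          -- legacy text column, as in the thread
);
GO

-- Typed parameters only: no EXEC() or sp_executesql on concatenated input.
CREATE PROCEDURE dbo.usp_SetRecordNotes
    @RecordID    int,
    @OwnerUserID int,
    @Notes       varchar(8000)
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE dbo.Records
       SET Notes = @Notes
     WHERE RecordID    = @RecordID
       AND OwnerUserID = @OwnerUserID;   -- a caller can change only its own row
END;
GO

-- The web login's database user gets EXECUTE on the procedure and nothing else.
CREATE ROLE web_app_exec;
GRANT EXECUTE ON OBJECT::dbo.usp_SetRecordNotes TO web_app_exec;
-- Deliberately no GRANT on dbo.Records.
GO

-- Check for leftovers: any direct table permission held by the role.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'web_app_exec'
  AND pe.class = 1                              -- object- or column-level
  AND pe.major_id = OBJECT_ID(N'dbo.Records');  -- expected: zero rows
```

The final query covers only grants made to the role itself; grants to public or membership in db_datawriter or db_owner would also give the account table access and need the same check.
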
From: Eric Isaacs on 21 Jul 2010 13:05

It's hard to tell from here, but it has the signatures of a SQL injection attack.

-Eric Isaacs

From: Bob Barrows on 21 Jul 2010 13:07

Mike Myers wrote:
> Hello
>
> Periodically, some of the records in one table have one field updated
> to the following value:
>
> <!--<1586567094>-->

I might be wrong, but this appears to be harmless - it does not appear to be encrypted script.

>
> It is the most bizarre thing I have ever seen. We have checked all
> our servers and stored procedures for any occurrence of this value in
> scripts or ASP pages but none exist. We're fearing SQL injection or

With good reason ...

> similar but in our application this field is only updated from one
> place and it's tight against hacking.
>

The evidence suggests otherwise ... :-)
Where does the application get the data it puts in this field?

> If it was a hack we would think the value might be something else, so
> we're presuming some sort of corruption or similar. We're at a loss.
>
> Does anyone have any suggestions?
>

Conjecture A:
A hacker or hacking bot has figured out that your site is vulnerable to sql injection and has been able to figure out the name of a single field in a single table and is probably trying to figure out more of your schema (probably by causing informative error messages to be returned from your application). The data inserted into your table is probably a byproduct of those attempts, rather than the actual payload, since the string seems to be harmless. If there were more to it, or it is actually encrypted script, then the hacker is counting on your application sending that string to a client browser without html-encoding it.

Conjecture B:
No sql injection is involved: a user of your app is purposely entering that string into an input element and submitting it.

--
HTH,
Bob Barrows

From: Mike Myers on 22 Jul 2010 05:31

"Bob Barrows" <reb01501(a)NOyahoo.SPAMcom> wrote in message news:i279gp$gra$1(a)news.eternal-september.org...
> Mike Myers wrote:
>> Hello
>>
>> Periodically, some of the records in one table have one field updated
>> to the following value:
>>
>> <!--<1586567094>-->
>
> I might be wrong, but this appears to be harmless - it does not appear
> to be encrypted script.
>
>>
>> It is the most bizarre thing I have ever seen. We have checked all
>> our servers and stored procedures for any occurrence of this value in
>> scripts or ASP pages but none exist. We're fearing SQL injection or
>
> With good reason ...
>
>> similar but in our application this field is only updated from one
>> place and it's tight against hacking.
>>
> The evidence suggests otherwise ... :-)
> Where does the application get the data it puts in this field?
>
>
>> If it was a hack we would think the value might be something else, so
>> we're presuming some sort of corruption or similar. We're at a loss.
>>
>> Does anyone have any suggestions?
>>
>
> Conjecture A:
> A hacker or hacking bot has figured out that your site is vulnerable to
> sql injection and has been able to figure out the name of a single field
> in a single table and is probably trying to figure out more of your
> schema (probably by causing informative error messages to be returned
> from your application). The data inserted into your table is probably a
> byproduct of those attempts, rather than the actual payload, since the
> string seems to be harmless. If there were more to it, or it is actually
> encrypted script, then the hacker is counting on your application
> sending that string to a client browser without html-encoding it.
>
> Conjecture B:
> No sql injection is involved: a user of your app is purposely entering
> that string into an input element and submitting it
>
> --
> HTH,
> Bob Barrows
>
>

Thank you for your help everyone. I shall run a trace and see what that yields.

I understand the concerns of SQL injection but it is a simple HTML form that records based on their primary key and the owner User ID as well. Everything is escaped properly and all numbers/IDs converted/checked to be numbers before they hit the database.

I was going to create a trigger to audit the setting of these values but as the field is text (it's an old app, else we'd be using varChar(max)), they can't be used.

Regards

Mike
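
One way to set up the filtered server-side trace suggested earlier in the thread, as an added example that is not from any poster. The trace file path is a placeholder, and the script assumes the marker value reaches the server inside the batch or RPC text.

```sql
-- Added example; the trace file path below is a placeholder.
DECLARE @TraceID int, @rc int, @maxsize bigint, @on bit;
SET @maxsize = 50;   -- MB per file before rollover
SET @on = 1;

-- Option 2 = TRACE_FILE_ROLLOVER; SQL Server appends .trc to the file name.
EXEC @rc = sp_trace_create @TraceID OUTPUT, 2,
     N'C:\TraceOutput\marker_update', @maxsize, NULL;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with code %d', 16, 1, @rc);
    RETURN;
END;

-- Events:  10 = RPC:Completed, 12 = SQL:BatchCompleted.
-- Columns: 1 TextData, 8 HostName, 10 ApplicationName,
--          11 LoginName, 12 SPID, 14 StartTime.
EXEC sp_trace_setevent @TraceID, 10, 1,  @on;
EXEC sp_trace_setevent @TraceID, 10, 8,  @on;
EXEC sp_trace_setevent @TraceID, 10, 10, @on;
EXEC sp_trace_setevent @TraceID, 10, 11, @on;
EXEC sp_trace_setevent @TraceID, 10, 12, @on;
EXEC sp_trace_setevent @TraceID, 10, 14, @on;
EXEC sp_trace_setevent @TraceID, 12, 1,  @on;
EXEC sp_trace_setevent @TraceID, 12, 8,  @on;
EXEC sp_trace_setevent @TraceID, 12, 10, @on;
EXEC sp_trace_setevent @TraceID, 12, 11, @on;
EXEC sp_trace_setevent @TraceID, 12, 12, @on;
EXEC sp_trace_setevent @TraceID, 12, 14, @on;

-- Keep only calls whose text contains the marker from the thread.
-- Arguments: column 1 (TextData), 0 = AND, 6 = LIKE.
EXEC sp_trace_setfilter @TraceID, 1, 0, 6, N'%1586567094%';

EXEC sp_trace_setstatus @TraceID, 1;   -- 1 = start
SELECT @TraceID AS TraceID;            -- note this id for stopping the trace

-- Later, to read what was captured:
--   SELECT StartTime, LoginName, HostName, ApplicationName, SPID, TextData
--   FROM sys.fn_trace_gettable(N'C:\TraceOutput\marker_update.trc', DEFAULT);
-- To stop and then remove the trace definition:
--   EXEC sp_trace_setstatus <TraceID>, 0;  EXEC sp_trace_setstatus <TraceID>, 2;
```

A trace created this way does not survive a SQL Server service restart, so it has to be recreated after one if the update has not yet recurred.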