One of my servers has been compromised by this virus, and I can't seem to
block it out! I have shut down the infected server, but I need to figure
out how to check for this, and stop it.
The site is running IIS 5 on Windows 2000; the backend DB is SQL Server 2000.
Can anyone point me to some good resources for this? This is urgent!
Thanks a lot
Lance
--
Support Fairtax Legislation www.fairtax.org
"A government big enough to give you everything you want, is strong enough
to take everything you have."
-Thomas Jefferson
Well, do your ASP pages use ad hoc SQL? Do you validate input? Are you
using an over-privileged account to connect to the database from ASP? You
should read up on SQL injection, and determine what you are doing now that
allows it, and fix it.
I don't think anyone has given explicit instructions on how to check for it
and stop it, because there aren't enough details available about the actual
exploit. But most of the articles talk about SQL injection, so that is a
pretty good place to start.
Hi, thanks for responding so quickly, there are ad hoc queries, and I do
validate input. I must just be missing something... I watched the logs last
night, and saw many failed attempts come in, and then this morning, it found
a way in, and I'm not sure how...
Lance
--
Support Fairtax Legislation www.fairtax.org
"A government big enough to give you everything you want, is strong enough
to take everything you have."
-Thomas Jefferson
The simplest, and most effective, way to stop SQL injection is to stop
using dynamic (ad hoc) SQL ... anywhere. Use parameters instead. For
situations where dynamic SQL must be used (for example, where object
names - columns, tables, etc. - need to be dynamic), then you need to
validate all user input that will be going into that SQL statement. Do
not allow any string that has not been validated to be concatenated with
another string to form a SQL statement. Here are some of my canned
replies on the subject:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf
http://www.spidynamics.com/papers/SQ...WhitePaper.pdf
See here for a better, more secure way to execute your queries by using
parameter markers (tokens): http://groups-beta.google.com/group/...e36562fee7804e
Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:
Access: http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
http://groups.google.com/groups?hl=e...tngp13.phx.gbl
SQL Server: http://groups.google.com/group/micro...09dc1701?hl=en
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
"Lance Wynn" wrote:
Hi, thanks for responding so quickly, there are adhoc queries,
and I do validate input. I must just be missing something... I
watched the logs last night, and saw many failed attempts come
in, and then this morning, it found a way in, and I'm not sure
how...
You say you validate, but does that include your free-text [Search] fields?
If not, this is a possible point of vulnerability. Here's one common avenue:
Your form includes this field:
<input type="text" name="SearchTerm" />
Your ASP script assembles a SQL statement using that submitted value:
MySQLSearchString = "SELECT ... WHERE Description LIKE '%" + Request.Form("SearchTerm").Item + "%'"
RS = CN.Execute(MySQLSearchString)
You have a vulnerability if your connection uses credentials with INSERT or
UPDATE privileges in the database. The user submits input values that turn
MySQLSearchString into a series of SQL statements, rather than just one
SELECT.
This is made easier for him if you send detailed error messages, since those
messages tell him what he is guessing wrong about your database, and as the
messages change, they also tell him what he is guessing correctly.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Thanks all, I typically do use parameterized queries, especially in .NET, but
this is a pretty old ASP app (over 10 years, I think, or close to it). I have
found a couple of queries that look something like this:
"Select Fieldlist from table where id=" & ID
I am almost positive these are the holes. As a short term fix, will the
following work?
"Select FieldList from table where id='" & replace(ID,"'", "''") & "'"
This seems pretty straightforward as it will escape any single quotes in the
variable, and place two outside to catch the rest, or is there still a hole
in there?
thanks
Lance
--
Support Fairtax Legislation www.fairtax.org
"A government big enough to give you everything you want, is strong enough
to take everything you have."
-Thomas Jefferson
"Lance Wynn" wrote:
I am almost positive these are the holes. As a short term fix, will the
following work?
"Select FieldList from table where id='" & replace(ID,"'", "''") & "'"
This seems pretty straightforward as it will escape any single quotes in
the variable, and place two outside to catch the rest, or is there still a
hole in there?
The most recent round of SQL injection attacks typically did not involve
quotes[1], so adding them will help. But in the absence of using parameters,
why are you continuing to use credentials with INSERT/UPDATE privileges?
[1] There are no quotes in this querystring:
id=1234;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400...7200%20AS%20NVARCHAR(4000));EXEC(@S);
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
[1] There are no quotes in this querystring:
id=1234;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400...7200%20AS%20NVARCHAR(4000));EXEC(@S);
I agree with your other points (less privileges, use parameters, etc.). But
if the "id" value is passed into a statement like:
sql = "SELECT * FROM table WHERE id = '" & REPLACE(Request.QueryString("id"), "'", "''") & "';"
I don't see how the querystring above could be executed, since you don't
have a way of terminating the SELECT and starting a new statement. Now, if
the expected value was numeric, I agree, this exploit is possible... unless
you first try to convert the querystring value to a numeric.
So, in the case of strings/dates, preventing string termination is a good
first step (since it is not easy to change large web apps to stored
procedures / parameterized statements at the snap of your fingers). And
likewise, ensuring that you can convert an incoming value to the expected
type before blindly passing it to statements.
But in the long run, definitely, stop using sa / dbo, use parameterized
statements, and validate input.
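As an added example (not code from any poster in this thread), here is how the two queries discussed above could be rewritten for a classic ASP/ADO page against SQL Server 2000: the id lookup accepts only a plain integer before binding it as an adInteger parameter, so a value such as `1234;DECLARE...` is refused rather than concatenated, and the free-text search passes the LIKE pattern as a parameter instead of splicing it into the statement. The `[table]`, `FieldList` and `Description` names are the thread's placeholders, and `cn` is assumed to be an already open ADODB.Connection using a SELECT-only login.

```vbscript
<%
' Added example for this thread, not code from any poster.
' ADO constants, with the values adovbs.inc defines for them.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Accept only a plain, bounded integer. Anything else (including
' "1234;DECLARE ...") is rejected before it gets near a SQL string.
Function ParseId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(Trim(raw & "")) Then
        ParseId = CLng(Trim(raw & ""))
    Else
        ParseId = Empty
    End If
End Function

' Replaces: "Select Fieldlist from table where id=" & ID
' The value travels as a typed parameter, never as part of the SQL text.
Function GetRecordById(cn, rawId)
    Dim id, cmd
    id = ParseId(rawId)
    If IsEmpty(id) Then
        Set GetRecordById = Nothing   ' caller answers with a plain 400, not an error page
        Exit Function
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT FieldList FROM [table] WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
    Set GetRecordById = cmd.Execute
End Function

' Replaces the LIKE '%" & Request.Form("SearchTerm") & "%' search.
' The wildcards live in the parameter value, not in the statement, so a
' quote in the term cannot end the literal or start a second statement.
' (%, _ and [ inside the term still act as LIKE wildcards; that is a
' search-quality issue, not an injection one.)
Function SearchByDescription(cn, term)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT FieldList FROM [table] WHERE Description LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@term", adVarWChar, adParamInput, 200, "%" & Left(term & "", 100) & "%")
    Set SearchByDescription = cmd.Execute
End Function

Set rs = GetRecordById(cn, Request.QueryString("id"))   ' cn: an open ADODB.Connection (assumed)
If rs Is Nothing Then Response.Status = "400 Bad Request"
%>
```

With the login holding only SELECT on the tables the page reads, a bad value is logged and refused at the page rather than reaching the database as a statement.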
Lance Wynn wrote:
Thanks all, I typically do use parameterized queries, especially
in.NET, but This is a pretty old asp app (over 10 years) I think or
close to it. I have found a couple queries that look something like
this:
"Select Fieldlist from table where id=" & ID
I am almost positive these are the holes. As a short term fix, will
the following work?
"Select FieldList from table where id='" & replace(ID,"'", "''") & "'"
This seems pretty straightforward as it will escape any single quotes
in the variable, and place two outside to catch the rest, or is there
still a hole in there?
This will stop most ordinary hackers, but more complicated exploits are
available to determined, experienced hackers, especially if you fail to
trap errors or continue to return over-informative error messages.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
This happened to me too, and it's some new SQL injection -- see http://cyberinsecure.com/phishing-bo...und-in-google/