One of my servers has been compromised by this virus, and I can't seem to
block it out! I have shut down the infected server, but I need to figure
out how to check for this, and stop it.
The site is running IIS 5 on Windows 2000; the backend DB is SQL Server 2000.
Can anyone point me to some good resources for this? This is urgent!
Thanks a lot
Lance
--
Support Fairtax Legislation www.fairtax.org
"A government big enough to give you everything you want, is strong enough
to take everything you have."
-Thomas Jefferson
Jun 27 '08
Lance Wynn wrote:
Hi, thanks for responding so quickly, there are adhoc queries, and I
do validate input. I must just be missing something... I watched the
logs last night, and saw many failed attempts come in, and then this
morning, it found a way in, and I'm not sure how...
There is an exploit that some have termed "secondary sql injection",
that involves causing malicious code to be inserted into a database
table. The developer, not considering values he retrieves from the
database to be user input, fails to validate them before using them in a
dynamic sql statement, and ... the hacker is in.
Read through all the articles I posted in my previous reply, and take to
heart my advice to stop using dynamic sql.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
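The "secondary" (second-order) injection Bob describes is easy to reproduce. The following is an added example, not code from the thread: Python with the standard-library sqlite3 module stands in for the classic ASP page and SQL Server 2000, and the `users`/`notes` tables and the name "O'Brien" are constructed sample data. The value is stored correctly with a parameter, then read back and concatenated into a dynamic statement because "it came from our own table"; even a benign apostrophe breaks that statement, and a deliberately crafted stored value would be executed as SQL at the same point.

```python
import sqlite3


def make_db():
    """Constructed sample schema (an assumption, not the thread's site): users and their notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("O'Brien", "first note"), ("Smith", "other note")])
    return conn


def register_user(conn, name):
    """Stage one: a form value is stored with a parameter. That part is correct,
    and it stores the apostrophe exactly as typed."""
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def notes_for_user_dynamic(conn, user_id):
    """Stage two, the hole Bob describes: the name is read back from the database,
    treated as trusted, and concatenated into dynamic SQL."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT body FROM notes WHERE owner = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_user_param(conn, user_id):
    """Same logic, but the stored value is passed as a parameter like any other input."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both versions for a user whose stored name merely contains an apostrophe."""
    conn = make_db()
    uid = register_user(conn, "O'Brien")
    try:
        dynamic = notes_for_user_dynamic(conn, uid)
    except sqlite3.OperationalError as exc:
        # The stored quote ended the string literal early. A crafted stored value
        # would instead be executed as SQL right here.
        dynamic = "dynamic SQL failed: " + str(exc)
    return {"dynamic": dynamic, "parameterized": notes_for_user_param(conn, uid)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The lesson is the one Bob states: a value is not trusted because of where it was read from, only because of how it is passed to the statement.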
Thank you
Fortunately, this is not a huge database, or site, and so changing the
queries and inspecting the values should be easily implemented as a short
term fix. Going forward, we are looking to rewrite it all, but that is not
an option in the short term. I am going to set up a much more restricted
user for most of the site, but there is still a backend where users can add
their own content that could pose some issues.
I read through Bob's links and got a ton of great information there, so I'll
see if I can't implement these changes today and see how it does.
Lance
--
Support Fairtax Legislation www.fairtax.org
"A government big enough to give you everything you want, is strong enough
to take everything you have."
-Thomas Jefferson
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:uM**************@TK2MSFTNGP03.phx.gbl...
>[1] There are no quotes in this querystring: id=1234;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400...7200%20AS%20NVARCHAR(4000));EXEC(@S);
I agree with your other points (less privileges, use parameters, etc.).
But if the "id" value is passed into a statement like:
sql = "SELECT * FROM table WHERE id = '" &
REPLACE(Request.QueryString("id"), "'", "''") & "';"
I don't see how the querystring above could be executed, since you don't
have a way of terminating the SELECT and starting a new statement. Now,
if the expected value was numeric, I agree, this exploit is possible...
unless you first try to convert the querystring value to a numeric.
So, in the case of strings/dates, preventing string termination is a good
first step (since it is not easy to change large web apps to stored
procedures / parameterized statements at the snap of your fingers). And
likewise, ensuring that you can convert an incoming value to the expected
type before blindly passing it to statements.
But in the long run, definitely, stop using sa / dbo, use parameterized
statements, and validate input.
Can I remove access to the SysObjects table for the restricted user, or does
there need to be access to that table to run queries?
--
Support Fairtax Legislation www.fairtax.org
"A government big enough to give you everything you want, is strong enough
to take everything you have."
-Thomas Jefferson
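Aaron's distinction between quoted string parameters and unquoted INT parameters is worth seeing in working code. The block below is an added example, not code from the thread; Python with sqlite3 stands in for the ASP page and SQL Server, the `items` table and its rows are constructed, and the hostile value is just the shape of the querystring quoted above (a number followed by a second statement), trimmed. It shows that doubling quotes does nothing for a concatenated numeric value, that converting the value to the expected type first rejects it, and that a parameterized query handles quotes in string values without any escaping code.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table; the schema is an assumption, not the thread's site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1234, "widget"), (1235, "O'Reilly gadget")])
    return conn


def escape_quotes(value):
    """The REPLACE(value, "'", "''") technique from the thread: doubles single quotes."""
    return value.replace("'", "''")


def build_numeric_query_unsafe(raw_id):
    """An unquoted INT parameter concatenated into the statement, as in the old pages.
    Quote escaping is irrelevant here: no quote is needed to end the WHERE clause,
    so a ';' in the value still starts a second statement."""
    return "SELECT id, name FROM items WHERE id=" + escape_quotes(raw_id)


def parse_id(raw_id):
    """Prove the value is a plain decimal integer before it goes anywhere near SQL."""
    text = raw_id.strip()
    if not re.fullmatch(r"[0-9]{1,10}", text):
        raise ValueError("id must be a decimal integer, got %r" % raw_id)
    return int(text)


def lookup_by_id(conn, raw_id):
    """Validated and parameterized: the driver sends the integer as a value, never as SQL text."""
    item_id = parse_id(raw_id)
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (item_id,)).fetchone()


def lookup_by_name(conn, raw_name):
    """String parameter: quotes in the value are data, so no escaping code is needed."""
    return conn.execute("SELECT id, name FROM items WHERE name = ?", (raw_name,)).fetchone()


def handle_request(conn, raw_id):
    """What the page would do with ?id=...: returns (status, payload)."""
    try:
        return ("ok", lookup_by_id(conn, raw_id))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    conn = make_db()
    # Shape of the querystring quoted in the thread, trimmed: a number, then a second statement.
    hostile = "1234;EXEC(@S)"
    print(build_numeric_query_unsafe(hostile))   # the second statement survives quote escaping
    print(handle_request(conn, hostile))         # rejected before any SQL is built
    print(handle_request(conn, "1234"))
    print(lookup_by_name(conn, "O'Reilly gadget"))
```

Rejecting on a failed type conversion is the short-term fix Aaron suggests; the parameterized lookups are the long-term one, and they need no per-field escaping logic to maintain.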
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@TK2MSFTNGP05.phx.gbl...
Lance Wynn wrote:
>Thanks all, I typically do use parameterized queries, especially in .NET, but this is a pretty old asp app (over 10 years) I think or close to it. I have found a couple queries that look something like this:
>"Select Fieldlist from table where id=" & ID
>I am almost positive these are the holes. As a short term fix, will the following work?
>"Select FieldList from table where id='" & replace(ID,"'", "''") & "'"
>This seems pretty straightforward as it will escape any single quotes in the variable, and place two outside to catch the rest, or is there still a hole in there?
This will stop most ordinary hackers, but more complicated exploits are
available to determined, experienced hackers, especially if you fail to
trap errors or continue to return over-informative error messages.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Bob Barrows [MVP] wrote on 15 May 2008 in
microsoft.public.inetserver.asp.general:
This will stop most ordinary hackers, but more complicated exploits are
available to determined, experienced hackers, especially if you fail to
trap errors or continue to return over-informative error messages.
How would you trap such execute errors in asp-vbs, Bob?
I suppose you keep the error messages appearing using your own ip?
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Lance Wynn wrote:
Can I remove access to the SysObjects table for the restricted user,
or does there need to be access to that table to run queries?
There should be no need for access to that table. You should restrict
access to only the tables, procedures and views required by the
application.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Evertjan. wrote:
Bob Barrows [MVP] wrote on 15 May 2008 in
microsoft.public.inetserver.asp.general:
>This will stop most ordinary hackers, but more complicated exploits are available to determined, experienced hackers, especially if you fail to trap errors or continue to return over-informative error messages.
How would you trap such execute errors in asp-vbs, Bob?
I suppose you keep the error messages appearing using your own ip?
For expected errors, I either discard or log the actual error message,
depending on what it is and return a friendly message to the user
explaining that an error occurred, what probably caused it, and how to
avoid it.
For unexpected errors, I will typically log vbscript error messages in a
text file*, redirecting the user to an error page displaying a generic
message such as:
An error I did not plan for occurred and has been logged on the server.
In the textbox below, would you mind providing some details regarding
the steps that led to the error to help me figure out what went wrong?
Thank you.
Of course, a hacker will probably type in some rude message, but
legitimate users should have some interest in helping discover the cause
of the error.
* in a rare case, I used CDO to email them to myself - definitely
overkill for most applications
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
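Bob's error-handling pattern, logging the real error on the server and showing the user only a generic message, is shown below as an added example, not code from the thread. It is Python rather than ASP/VBScript, uses sqlite3 in place of SQL Server, and keeps the "text file" in memory; the logger name and the reference id are assumptions. The point it demonstrates is that the driver's message (which names tables, columns and syntax positions) never reaches the response, while a short reference id lets a legitimate user's report be matched to the full log entry.

```python
import logging
import sqlite3
import uuid


class ListHandler(logging.Handler):
    """Constructed stand-in for the text file Bob logs to: keeps formatted records in memory."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


handler = ListHandler()
logger = logging.getLogger("site.db")   # assumed logger name
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(handler)

GENERIC_MESSAGE = ("An error I did not plan for occurred and has been logged on the "
                   "server (reference %s). In the textbox below, would you mind "
                   "providing some details regarding the steps that led to the error?")


def run_query(conn, sql, params=()):
    """Execute a query. On failure, log the real error server-side and return only the
    generic message with a reference id. Returns ("ok", rows) or ("error", text)."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        logger.error("ref=%s sql=%r params=%r error=%s: %s",
                     ref, sql, params, type(exc).__name__, exc)
        return ("error", GENERIC_MESSAGE % ref)


def demo():
    """One query that works and one constructed failure (a table that does not exist)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER, name TEXT)")
    good = run_query(conn, "SELECT id FROM t WHERE id = ?", (1,))
    bad = run_query(conn, "SELECT id FROM no_such_table")
    return good, bad, list(handler.records)


if __name__ == "__main__":
    good, bad, records = demo()
    print("user sees:", bad[1])
    print("log has:", records[-1])
```

The same wrapper is the natural place to add a single generic handler for the "expected" errors Bob mentions, keyed on the exception type, so that the friendly explanation is chosen server-side rather than derived from the raw message.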
"Aaron Bertrand [SQL Server MVP]"
I don't see how the querystring above could be executed, since
you don't have a way of terminating the SELECT and starting a
new statement. Now, if the expected value was numeric, I agree,
this exploit is possible...
That is precisely the condition this exploit targeted -- unquoted INT
parameters.
...unless you first try to convert the querystring value to a
numeric.
Yes. A parameter would have done it implicitly, but in the act of string
concatenation, this seems not to happen often enough.
So, in the case of strings/dates, preventing string termination
is a good first step (since it is not easy to change large web
apps to stored procedures / parameterized statements at the snap
of your fingers). And likewise, ensuring that you can convert an
incoming value to the expected type before blindly passing it to
statements.
We are in agreement.
But in the long run, definitely, stop using sa / dbo, use
parameterized statements, and validate input.
Allow me to make a couple of points. I believe you mean to say that people
should stop using logins with sysadmin or db_owner roles (I assume you don't
argue against the use of the dbo schema). To which I add: "Don't use
db_datawriter unless you absolutely must."
Personally, I almost always grant the login *no* roles, preferring to assign
permissions on an object-by-object basis.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Thanks to all for the help with this. I implemented most of the advice, and
it seems to have worked a treat. I can see attempts being made in the logs,
but none have been successful. I also implemented data type checks on all
fields in any of the dynamic queries, so non-numeric values in a numeric
field get rejected.
Additionally, the error messages are now generic, and give no clue as to the
root cause.
Thanks much to all who participated in this thread, I really appreciate your
assistance.
Lance
--
Support Fairtax Legislation www.fairtax.org
"A government big enough to give you everything you want, is strong enough
to take everything you have."
-Thomas Jefferson
Allow me to make a couple of points. I believe you mean to say that people
should stop using logins with sysadmin or db_owner roles (I assume you
don't argue against the use of the dbo schema).
Yes, I hope that is broadly understood as what I meant.