
Under Attack!

Hacker attacked DB with link to virus

12:57 pm on May 5, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts: 11
votes: 0


It looks fine now since we pulled a backup of the DB. But I'm sure they'll attack again. The host said that it was a SQL injection. The programmer fixed all of the fields in the contact page to keep them out. This is one of the listings pages that it screws up by putting a strikethrough on all the text and a link to the contact page, which adds a link to a website with a virus. This same thing happened 2 weeks ago. Is there any other way the hacker could get into the DB? Does the form have to be connected to the DB in order to get in? What else should we look for, or do, to keep out hackers?

[edited by: jatar_k at 4:44 pm (utc) on May 5, 2008]
[edit reason] no specifics thnks [/edit]

11:35 am on May 6, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:July 25, 2006
posts: 460
votes: 0


It's not the form itself that allows SQL injection.

What you need to be fixing is the "forms handler" script/program to which the form data is sent. That is what is allowing the malicious SQL commands to slip through.

All other ASP scripts should be checked, too.
At every location where input is received from a user, that input has to be "sanitized" before it is used for any purpose.

12:39 am on May 7, 2008 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


I am not sure if you're using ASP.NET or ASP Classic.

If you are using Asp.Net the following link may be of use to you.
How To: Protect From SQL Injection in ASP.NET [msdn.microsoft.com]

1:50 am on May 7, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts: 11
votes: 0


The site is in ASP classic. Thanks for the input. Shouldn't my host be helping me out? Is there any other way they could get in? We have a search function on the homepage. Can they get in through ANY form on the site even though it's not connected to the DB?

3:51 am on May 7, 2008 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


As long as you have the page that is vulnerable still accessible from the public web, they can continue hacking you. As long as that page is public, they do not need any other page referencing it any more, now that they know about it. They have it coded to find it and abuse it now. The only way is to remove or fix the page which has the vulnerability.

4:02 am on May 7, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:July 25, 2006
posts: 460
votes: 0


Unless this is a case where the server software itself has been compromised (which it doesn't sound like), this isn't the host's responsibility.

If someone can get code injected into your site that gives them the needed permissions for "write access" (i.e. modify, add, or delete files), they basically can do anything to the site they want.

Any form could potentially allow malicious code to be injected, but remember it's not the form. It's whatever program the data is sent to when the user clicks the Submit button.

Pages that don't contain forms can be vulnerable, too. I expect that ASP must have the same potential for "Remote File Inclusion" vulnerabilities that PHP has.

The basic rule is: ALL data provided by the user (including the HTTP request itself, such as in a query string) is potentially malicious, and your application must never use that untrusted data without first sanitizing/cleaning/scrubbing it (all of those being terms used for the process).

So, for example, your search function could indeed be vulnerable (assuming it's not a standard Google/Yahoo-provided Search This Site box). The user enters a search string. Depending on how your search script handles the string and performs the search, they could theoretically enter a search string that tricks the program into giving them access to your site.

You or your programmer should read carefully the article Ocean10000 linked to. If you don't understand it or the techniques it describes, the safest course would be to remove the forms from your pages, delete or rename the forms handler scripts that you're using, and read about SQL injection. Don't allow any user input until you fully understand the hazards and how to protect the site.

[edited by: SteveWh at 4:10 am (utc) on May 7, 2008]

11:52 am on May 7, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts: 11
votes: 0


Thanks Steve, I'll pass this on to the programmer.

3:34 pm on May 12, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts: 11
votes: 0


Update: We feel we've been spinning our wheels trying to clean up this site. We've dropped back and punted. We've got so much on the site that is not being used... there are too many files on the server to work through. *Does anyone know of software that will pull a site and its linked contents? We are going to pull all the files that are linked and leave the rest behind... this will help us see only the pages we need to work on. (FYI: we also believe that the present host has not kept up with the updates on their server software and such.)
We stabilized the site. Now, we need to move the site to a new host. We are doing that this week. *Does anyone know of a web site security company we can consult?

2:46 pm on May 13, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 31, 2008
posts:114
votes: 0


I have used programs in the past where, if you type in the main URL, it will follow and download anything that links from that. I just checked and couldn't find it on my system, but it's around. I remember I just got it off of Google and it was freeware.

4:52 pm on May 13, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:July 25, 2006
posts: 460
votes: 0


Two programs you can use to crawl your own site are Wget and cURL.

2:36 am on May 14, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts:11
votes: 0


Well, I purchased software my developer suggested which is "orfind".

2:40 am on May 14, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts: 11
votes: 0


Still looking for a security company to consult.

3:43 am on May 15, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 14, 2003
posts: 70
votes: 0


My site was hacked with SQL injection. Does it affect the ASP code or just the database?

9:54 am on May 15, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 19, 2002
posts:3447
votes: 71


>>Does it affect the asp code or just the database?

If you have been SQL injected, then it only affects the database table fields that have been written to/overwritten, updated, etc.

However, of course, if you are writing your pages dynamically with data drawn from the database, your pages could easily be affected (this is the point for most hackers, as well as trying to steal sensitive information).

12:34 am on May 17, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts: 11
votes: 0


OK... here we are with an update: We can't seem to get to the next step because of our crappy host. We're putting out fires but meanwhile trying to move to another host.
We're trying to prevent hacks on our site. We've been down several times and the idea came up that we could prevent the SQL injections by making an account for just the public-facing side of the site that has Read Only set for it. This is a Microsoft SQL 2000 server, BTW.

Our hosting company configured such an account and it couldn't select tables (or so the error said) and after a day of checking things they said we needed to change our SELECT statements to specify the database and owner account directly in order to access this.

Example:

Old query string:

oRs.Source = "SELECT DISTINCT [slu].[state], [slu].[stateLong] FROM [tblStateLookup] [slu]...

New query string:

oRs.Source = "SELECT DISTINCT [slu].[state], [slu].[stateLong] FROM [dbdeckard].[acct567x].[tblStateLookup] [slu], ...

Question - is this really the easiest way to do this? We have HUNDREDS of lines of code that would have to be updated.

Any better ideas?

3:59 pm on May 17, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:May 22, 2005
posts:657
votes: 20


Um, bit odd - assuming the host has set up a new login and added that login name as a user for the database you are using, all should be well.

Have you checked to see if the connection string specifies the new user name and database name correctly?

2:01 am on May 18, 2008 (gmt 0)

Full Member

10+ Year Member

joined:May 14, 2001
posts:262
votes: 0


Why don't you just escape the portions of your query that are using the dynamic input? Use a tool like GREP to scour your code for all the places that need it.

Then, the next step would be to get a developer who doesn't leave the site vulnerable to SQL injection.

Finally, why wouldn't you use stored procedures in MS SQL? It will make your code far more maintainable and likely reduce a lot of redundant code.

As far as blaming the host for not keeping up on patches, no patch is going to stop the SQL injection. This was a result of the poorly written ASP code by your developer.

12:42 pm on May 18, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:May 22, 2005
posts:657
votes: 20


The problem slgdceo has is time - the easiest way is to change the table permissions for the user_name.

That gives a "breathing space" in which the stored procedures can be written and, I suggest, called using parameters, not variables.

Note that the SQL injections I have seen are actually in binary...
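
The following is an added example and is not code from this thread or from any poster's site. It takes the state lookup from the "Old query string" / "New query string" post above and writes it the three ways the thread discusses: the concatenated form that the handler scripts need to be grepped for, the same statement with the value passed as a command parameter, and a stored procedure called with a parameter as suggested in the post just above. It also covers the earlier point that the fix belongs in the handler script that receives the form data, not in the form. Assumed and hypothetical: the connection string `strConn` for a read-only login, the login name `web_readonly`, the placeholder server and password, the stored procedure `usp_GetStateName`, and the function names; the database `dbdeckard`, owner `acct567x` and table `tblStateLookup` are the names quoted in the thread.

```vbscript
<%
Option Explicit

' Added example, not from the thread. Assumes a hypothetical read-only login
' (web_readonly) in the connection string, the table
' [dbdeckard].[acct567x].[tblStateLookup](state, stateLong) named in the thread,
' and a hypothetical stored procedure usp_GetStateName(@state char(2)).

' ADO constants, normally pulled in from adovbs.inc
Const adCmdText       = 1
Const adCmdStoredProc = 4
Const adParamInput    = 1
Const adVarChar       = 200

Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=DBSERVER_PLACEHOLDER;" & _
          "Initial Catalog=dbdeckard;User ID=web_readonly;Password=PASSWORD_PLACEHOLDER;"

' Validation step: a state code is exactly two letters. Anything else is
' rejected in the handler before it gets anywhere near a query.
Function IsValidStateCode(strState)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z]{2}$"
    IsValidStateCode = re.Test(strState)
End Function

' VULNERABLE form: the user's value is concatenated into the SQL text, so a
' quote character in the input closes the string literal and the remainder
' of the input is executed as SQL. This is the pattern to grep every .asp
' file for ("& Request." inside a .Source or .CommandText assignment).
Function LookupStateUnsafe(strState)
    Dim oRs
    Set oRs = Server.CreateObject("ADODB.Recordset")
    oRs.Source = "SELECT [slu].[stateLong] FROM [dbdeckard].[acct567x].[tblStateLookup] [slu] " & _
                 "WHERE [slu].[state] = '" & strState & "'"
    oRs.ActiveConnection = strConn
    oRs.Open
    If Not oRs.EOF Then LookupStateUnsafe = oRs("stateLong") Else LookupStateUnsafe = ""
    oRs.Close
End Function

' FIXED form: the SQL text never changes; the value is sent as a typed
' parameter (the ? marker) and cannot become part of the statement.
Function LookupState(strState)
    Dim oConn, oCmd, oRs
    LookupState = ""
    If Not IsValidStateCode(strState) Then Exit Function

    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Open strConn
    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandType = adCmdText
    oCmd.CommandText = "SELECT [slu].[stateLong] FROM [dbdeckard].[acct567x].[tblStateLookup] [slu] " & _
                       "WHERE [slu].[state] = ?"
    oCmd.Parameters.Append oCmd.CreateParameter("@state", adVarChar, adParamInput, 2, strState)
    Set oRs = oCmd.Execute
    If Not oRs.EOF Then LookupState = oRs("stateLong")
    oRs.Close
    oConn.Close
End Function

' Stored-procedure form, called with a parameter rather than by building an
' "EXEC ... 'value'" string (which would reintroduce the injection).
Function LookupStateProc(strState)
    Dim oConn, oCmd, oRs
    LookupStateProc = ""
    If Not IsValidStateCode(strState) Then Exit Function

    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Open strConn
    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandType = adCmdStoredProc
    oCmd.CommandText = "usp_GetStateName"   ' hypothetical procedure
    oCmd.Parameters.Append oCmd.CreateParameter("@state", adVarChar, adParamInput, 2, strState)
    Set oRs = oCmd.Execute
    If Not oRs.EOF Then LookupStateProc = oRs("stateLong")
    oRs.Close
    oConn.Close
End Function

' Output side: whatever comes back from the database is HTML-encoded before
' it is written, so markup that was injected into a table (the strikethrough
' and link described at the top of the thread) renders as text instead of
' being interpreted by the visitor's browser.
Response.Write Server.HTMLEncode(LookupState(Request.Form("state")))
%>
```

The read-only login is applied in exactly one place, the connection string, which is why the thread calls it the fastest breathing space: with it in place a concatenated query that has not been fixed yet can still read data but cannot write the strikethrough markup back. In SQL Server 2000 an unqualified table name is resolved first against objects owned by the current user and then against dbo, so if the tables are owned by another account the new login only sees them when the owner is qualified as in the host's "New query string"; the alternative to editing every query is to have the objects' ownership changed to dbo (sp_changeobjectowner), after which the old unqualified names resolve for every user.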

1:22 pm on May 18, 2008 (gmt 0)

New User

10+ Year Member

joined:May 2, 2008
posts: 11
votes: 0


Thanks Guys, I'm forwarding these over to my developer. I'll have some input for you later. Thanks again.