1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

ASP / SQL Server under attack

Discussion in 'C#' started by suraj_ajax, May 15, 2008.

  1. #1
    Hi

    Recently we moved our site from Access to MS SQL Server 2005 Express on a dedicated server. We are using Classic ASP (ASP 3.0)

    Guess what.... we came under some attack (may be SQL injection).

    Our database was manipulated and data's in some field were replaced by "<script src=http://9i5t.cn/a.js></script>"

    We don't know how it was done .. then i googled around to find any clue . too my surprise i found around 30,000 sites which were affected by this / have a look
    http://www.google.com/search?hl=en&q="http://9i5t.cn/a.js"&btnG=Search

    And also an interest fact popped up also sites where in ASP
    SEMrush
    But unfortunately no documentation was available for it ...

    So i wonder if their is any flaw in coding or database permission .. 30,000 webmaster can't go wrong. May be their is security flaw either in SQL Server 2005 or ASP .. can't say

    As of now i have cleared my database using find and replace function. But i know we might me soon be under attack again

    Please help me out find out exact reason for it ..

    Thanks in advance
    Suraj jain
     
    suraj_ajax, May 15, 2008 IP
    SEMrush
  2. JenniP

    JenniP Peon

    Messages:
    250
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    0
    #2
    Sounds exactly like SQL Injection to me.

    A few fairly random links to find out more

    http://en.wikipedia.org/wiki/SQL_injection
    http://www.acunetix.com/websitesecurity/sql-injection.htm
    http://www.oreillynet.com/onlamp/blog/2008/05/mssql_injection_attack_here_we.html
    http://www.youtube.com/watch?v=MJNJjh4jORY

    The last one is interesting as its a video of someone performing SQL Injection, once you see how its done its easier to protect against it.

    If you've been hit once, and you have done nothing but repair the damage it is pretty certain you will be hit again.

    So what can you do about it

    If its an off the shelf package your using make sure you are using the latest version, currently older version of PHPBB2 for instance are being hammered, the latest versions of it are safe.

    If its your own software (or you have the source code), use the information you have learned about SQL Injection to look through the code and see where you are at risk.

    Once you know where you are at risk you can go about fixing the issues, once you have specific questions let us know and I'm sure we can help you.

    Jen
     
    JenniP, May 15, 2008 IP
  3. fhirzall

    fhirzall Guest

    Messages:
    124
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #3
    ALWAYS validate any input on the website. That's where I would start.

    Use stored procedures and parameterized queries, http://www.4guysfromrolla.com/webtech/111798-1.shtml
     
    fhirzall, May 16, 2008 IP
  4. FredMS

    FredMS Guest

    Messages:
    2
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #4
    Validating input, parameterized queries are both great suggestions. You might also consider limiting the length of input strings to a reasonable length. There are some great videos on securing your database against SQL Injection here http://www.microsoft.com/hellosecureworld7
     
    FredMS, May 19, 2008 IP