Hi. Recently we moved our site from Access to MS SQL Server 2005 Express on a dedicated server. We are using Classic ASP (ASP 3.0). Guess what... we came under some attack (maybe SQL injection). Our database was manipulated and the data in some fields was replaced by "<script src=http://9i5t.cn/a.js></script>". We don't know how it was done, so I googled around to find any clue. To my surprise I found around 30,000 sites which were affected by this; have a look: http://www.google.com/search?hl=en&q="http://9i5t.cn/a.js"&btnG=Search

An interesting fact also popped up: the sites were also in ASP. But unfortunately no documentation was available for it... So I wonder if there is any flaw in the coding or database permissions; 30,000 webmasters can't go wrong. Maybe there is a security flaw either in SQL Server 2005 or ASP; can't say.

As of now I have cleared my database using a find and replace function. But I know we might soon be under attack again. Please help me find out the exact reason for it.

Thanks in advance,
Suraj Jain
Sounds exactly like SQL Injection to me. A few fairly random links to find out more:
http://en.wikipedia.org/wiki/SQL_injection
http://www.acunetix.com/websitesecurity/sql-injection.htm
http://www.oreillynet.com/onlamp/blog/2008/05/mssql_injection_attack_here_we.html
http://www.youtube.com/watch?v=MJNJjh4jORY

The last one is interesting as it's a video of someone performing SQL Injection; once you see how it's done it's easier to protect against it. If you've been hit once, and you have done nothing but repair the damage, it is pretty certain you will be hit again. So what can you do about it? If it's an off-the-shelf package you're using, make sure you are using the latest version; currently older versions of PHPBB2, for instance, are being hammered, while the latest versions of it are safe. If it's your own software (or you have the source code), use the information you have learned about SQL Injection to look through the code and see where you are at risk. Once you know where you are at risk you can go about fixing the issues; once you have specific questions let us know and I'm sure we can help you.

Jen
ALWAYS validate any input on the website. That's where I would start. Use stored procedures and parameterized queries: http://www.4guysfromrolla.com/webtech/111798-1.shtml
Validating input and parameterized queries are both great suggestions. You might also consider limiting the length of input strings to a reasonable length. There are some great videos on securing your database against SQL Injection here: http://www.microsoft.com/hellosecureworld7
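Putting the suggestions in the two replies above (parameterized queries, length limits on input) into Classic ASP code, as an added example that is not from any poster in this thread. The Products table, its Name column and the connection string are assumed; the "unsafe" function is kept only to show the string-concatenation pattern that lets a request value rewrite the SQL statement.

```vbscript
<%
Option Explicit
' Assumed for this example: a Products(ProductID, Name) table on a local
' SQL Server 2005 Express instance; adjust the connection string to match.
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLNCLI;Data Source=.\SQLEXPRESS;Initial Catalog=Shop;Integrated Security=SSPI;"

' VULNERABLE: the request value is pasted into the SQL text, so whatever the
' visitor sends becomes part of the statement. This is the pattern that lets
' an attacker run their own UPDATEs against every text column; shown as the
' "before" picture only.
Function SearchUnsafe(term)
    Dim rs
    Set rs = conn.Execute("SELECT Name FROM Products WHERE Name LIKE '" & term & "%'")
    SearchUnsafe = RowsToString(rs)
End Function

' HARDENED: enforce a length limit, then send the value as a typed parameter
' through ADODB.Command. The value travels separately from the SQL text, so
' SQL Server never interprets it as part of the statement.
Function SearchSafe(term)
    Dim cmd, rs
    If Len(term) = 0 Or Len(term) > 50 Then   ' reject over-long input up front
        SearchSafe = ""
        Exit Function
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                       ' adCmdText
    cmd.CommandText = "SELECT Name FROM Products WHERE Name LIKE ?"
    ' 202 = adVarWChar, 1 = adParamInput, 51 = max length incl. the trailing %
    cmd.Parameters.Append cmd.CreateParameter("@term", 202, 1, 51, term & "%")
    Set rs = cmd.Execute
    SearchSafe = RowsToString(rs)
End Function

Function RowsToString(rs)
    Dim out
    out = ""
    Do While Not rs.EOF
        ' HTMLEncode on output: even if a field already contains an injected
        ' <script> tag, the browser renders it as text instead of running it.
        out = out & Server.HTMLEncode(rs("Name") & "") & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    RowsToString = out
End Function

Response.Write SearchSafe(Request.QueryString("q"))
conn.Close
%>
```

The same CreateParameter pattern applies to a stored procedure call (CommandType 4, adCmdStoredProc) with the procedure name as CommandText, which is what the 4guysfromrolla article linked above walks through.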