Nihaorr1 hack
They do not believe the information was downloaded or modified in any way at this point. This time two servers were compromised, resulting in the exposure of personal data for 45, employees and retirees. The second server contained encrypted medical records, which are believed to be safe. Almost , web sites hosted with Internet Information Services are infected with a new piece of malware, according to PandaLabs.

The malicious page scans the visitor's machine to find ways to compromise it. Exploits are then downloaded and used to infect the redirected visitor, chosen according to what the scan found.

If your site is hosted with Internet Information Services it is highly recommended you check to see if your site is compromised. So what should you do? First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected. Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there.

When clicked on, the link serves up a virus that infects the viewer of the web page. Note that the original victim, the web site, has become the attacker, while the new victim is the website visitor who trusts the site. This attack will be adapted and will cause real chaos. And, as the Romans say, caveat emptor internettus. You will indeed need to strengthen your code, the sooner the better, but in this particular case consider the following as a temporary solution:

This will not permit some of the keywords required to execute this command, and therefore the malicious Exec will not be allowed. Of course, you have to discover which pages are being used to inject this code.

Most likely it is not a page that requires a member session to be viewed, since the spiders are attacking pages that are cached in Google. Is there a tool or a mechanism to find it? The best way to discover when and where the attack is taking place is by running, for example, SQL Server Profiler.

Set it to record only Exec commands, and when the injection happens it will show up and should reflect something like this: Artistas, Musicas. Titles, Musicas. Formatos, Musicas. MemIDs, Musicas. Enlsae, Mem. Statesa, Mem. Cities, Mem.

Paises, Mem. Fealogs DESC. This shows how the nihaorr1. You can also see from the above command that the Exec will try to inject every table in your database that contains a varchar column. This is a very annoying attack, since the spiders appear to be running in a circle on constant autopilot.

However, don't go about thinking that this is as bad as it gets because the Exec command could easily have been programmed to delete your tables and even drop tables if the external users are configured to have such rights. I'm saying this to put a rush on everyone affected by these attacks and to get their sites fixed up as soon as possible. These attacks may just be a pre-warning, and if the attackers alter the code to make it delete and drop instead, then we'll be facing much bigger problems.

Forget about wasting time and money on expensive antivirus and firewall solutions. They cannot do anything against SQL injection attacks and it is a common practice around forums to try and give people a false sense of security by pasting links to different software companies.

These attacks are happening where there's vulnerable ASP code, and no expensive software can prevent or "clean" this. Hi, having had a couple of customers impacted who did not have database backups running, I thought folks might want a way to clean up the damage caused by these injections. It will hit ntext fields if the length of data is not over bytes.
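The clean-up the poster describes, walking every character-typed column and stripping the injected tag, as an added example that is not the poster's script. It uses an in-memory SQLite database in place of SQL Server so it runs anywhere; the table and column names (Musicas, Mem, Artistas, Titles, Cities, Paises) are taken from the Profiler output quoted above, the rows and the injected host `injected.example` are constructed for the example, and the tag pattern is an assumption to adapt to what is actually found in your data.

```python
import re
import sqlite3

# Pattern of the injected tag: an external <script src=...></script> appended to stored text.
# The host seen in your own data may differ; adjust the pattern before running it for real.
INJECTED_TAG = re.compile(r'<script\s+src=["\']?[^"\'>\s]+["\']?\s*>\s*</script>', re.IGNORECASE)


def text_columns(conn):
    """Return (table, column) pairs whose declared type is a character type."""
    pairs = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            name, ctype = row[1], (row[2] or '').upper()
            if any(t in ctype for t in ('CHAR', 'TEXT', 'CLOB')):
                pairs.append((table, name))
    return pairs


def strip_injected(value):
    """Remove every injected script tag from one stored value; report whether it changed."""
    if not isinstance(value, str):
        return value, False
    cleaned = INJECTED_TAG.sub('', value)
    return cleaned, cleaned != value


def clean_database(conn):
    """Walk every text column, strip the tag, and return the number of cells repaired."""
    repaired = 0
    for table, column in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            cleaned, changed = strip_injected(value)
            if changed:
                conn.execute(f'UPDATE "{table}" SET "{column}"=? WHERE rowid=?', (cleaned, rowid))
                repaired += 1
    conn.commit()
    return repaired


def demo():
    """Constructed sample database: two tables, three poisoned cells. Returns (repaired, remaining)."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE Musicas (id INTEGER PRIMARY KEY, Artistas VARCHAR(100), Titles NVARCHAR(200), Plays INTEGER);
        CREATE TABLE Mem (id INTEGER PRIMARY KEY, Cities VARCHAR(50), Paises TEXT);
    """)
    tag = '<script src=http://injected.example/1.js></script>'  # constructed, not the real host
    conn.executemany("INSERT INTO Musicas (Artistas, Titles, Plays) VALUES (?,?,?)", [
        ('Artist A' + tag, 'Song 1' + tag, 10),
        ('Artist B', 'Song 2', 3),
    ])
    conn.execute("INSERT INTO Mem (Cities, Paises) VALUES (?,?)", ('Lisbon' + tag, 'Portugal'))
    repaired = clean_database(conn)
    remaining = sum(1 for t, c in text_columns(conn)
                    for (v,) in conn.execute(f'SELECT "{c}" FROM "{t}"')
                    if v and '<script' in v.lower())
    return repaired, remaining


if __name__ == '__main__':
    print(demo())
```

On SQL Server the column walk would read INFORMATION_SCHEMA.COLUMNS instead of the SQLite catalog, and text/ntext columns must be cast to (n)varchar before REPLACE will operate on them, which is why the poster's note about ntext length matters. Run it against a restored copy first, and keep the repaired-cell count: it doubles as an inventory of which tables the injection reached.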

We appear to have been hit by this through our website, which did have a customer entry form connected to an ASP page inserting records. Will this patch my SQL server to prevent this from hitting us again? Thanks for the update everybody. Looking like it is spreading quickly atm, judging by how many views this topic has. I still don't think any of my servers have been hit yet, but going to have a more detailed search later.

You could use some of the techniques there to test the security of your site, and it gives a clever insight into some of the techniques used in SQL injections. I have been targeted by this SQL injection exploit. My ASP programmer is not available for a few days. I do not need anyone to be able to modify this database for the time being, and this would be a simple workaround I guess for now.

Find out what the user connecting to the DB in the connection string is and make that user read only. For more details direct your question over to a SQL forum like www. This threat is the second type my company has been attacked by. After the first attack 2 weeks ago by a different virus we have managed to fend off attacks, but this www.

I have only recently started as the web developer for a new company, and I've never really used ASP as my main language, so this is a difficult time for me.

If anyone has any further input other than what is already here please post so people like myself stand a chance. Has anyone who's been affected by this seen any other ways that the attacker could have possibly gotten through besides probing for vulnerabilities in the querystring?

I had the same experience as misterzimbu - only 6 or 7 tables were hit, out of some 50 or so possible tables, in an attack on April I'm guessing maybe they used a "TOP 6" in the query? By only hitting a few tables, it achieved a more subtle effect that was not noticed for a full day, whereas attacking all tables would have been apparent immediately. As in nature, a successful parasite does not kill its host right away. Thanks nhertz for the "validator" script suggestion above - a good first line of defense, in addition to all the other usual SQL Injection precautions.

I've learned a painful lesson this past weekend. I was able to come up with an explanation for both issues. They did in the end come through with a SQL injection attack; I was just looking at the wrong versions of the log files. As for the tables that were touched, my explanation was that the largest tables were hit first.

The SQL command will eventually hit its timeout doing all the updates on the rows in those tables and not run on the rest. Well, my website has been hit twice with this and it has caused serious damage and outage time each time. I've come up with a possible quick fix.

On my site I have an include file which is included in each ASP file. This include file has all the presentation etc. At the top of this file I now have a check of the query string being passed; if an illegal value is found then it forwards the page directly to Google without doing any database stuff: Both query string and form data are filtered. Even then, somehow, one administrator with an infected computer opened the security breach. The infection probably adds the instruction in the form data.

Now, this is where the fun begins. I'm having trouble trying to restore the backups made 2 weeks ago; even when my backup file states that the available data extends up to 4 months ago, I still keep getting yesterday's corrupted data. SQL documentation is not helping me.

Can you shed some light as to what you searched for to determine how you were compromised? What logs did you search and what did you search for? I'm wondering if the system tables were affected too; this issue with my backup kept me stuck to my desk the whole weekend. The server was restored but I can't recommend it go back online until we identify the attack vector and vulnerability.

If it is just a poorly coded form or two, that is an easy fix. If it's in a querystring variable, this would be logged in your IIS logs. I didn't change any other defaults. This is a site that is reached when a user clicks on an attachment (lately Tibetan rights stuff) that downloads an infected JavaScript file. It is malicious and you really need to block it incoming and outgoing. That helped me. If your website then becomes infected again you can quickly scroll through the profiler output and find the "suspicious" command where the injection has entered.

This should also give you a hint of the exact page that had the vulnerability. Countries, States. Titles, Houses. That is where I added the quick fix: Have you ever been a web hosting admin? I expect not. You might be one of the few devs that can actually code properly, hence can fix the problem.

Admins don't; we just have bad devs that cannot code properly, and we try to minimise the damage. What can we do, shut down the database? Prepared statements generally are stored procedures, at least that is my understanding. Dynamic SQL type pages can be exposed to SQL injection attacks. Of course, if the stored procedure takes input without being validated, it can be also. But it is one layer deeper. Only good error coding can prevent it.

You can Google it; it's open source and can give you some. For those who want to use Log Parser to detect in your IIS logs if you've been hit, here are a few Log Parser examples. I chose CAST because that seemed to be a common term. I see. CAST is a common term and is used in this attack. Also, for those of you that want a more detailed explanation of the deeper goings-on of this attack.

The use of this script at pointing to nihaorr1. This guy has been hacking at a clients web site for a long time and usually does so through various proxy servers.

The code will check the request for a SQL injection attack, and if it finds one it sends you an email and redirects the request to an error page. Message" myMail. Here's the details. Note if your site uses includes you can include it in a single include that is shared by all of your pages.

From a security perspective, lock down your databases. Perhaps allow only select permissions for anonymous viewers and have a different SQL login and connection string for the backend where database updates are required. My issue with monitoring for EXEC commands is that by that point the damage is already done. Further, if the hacker is skilled enough they can compromise your entire server before you even realize they have attacked, using the right SQL code.

Here is the email I received when this attack happened, with certain information replaced of course. Content-Length: 0. Host: www. I do, however, have experience with MySQL. This post is not meant as flamebait.

Unless you are dealing with a database where you know what every single value is going to be, won't this result in false positives? For example, if a user enters a value of "b0x", this will match the "0x" in the list of bad words. Additionally, aren't there many ways to bypass a blacklist such as this CAST, etc.

By escaping certain characters (backslash, quote, double quote, linefeed, carriage return, tab, etc.). Just a quick question, apologies if it sounds a bit stupid. Are there any Microsoft patches available to prevent this happening, either on SQL or IIS, or should any protective measures be taken at the application level? Additionally, once a request is filtered, I receive an email so I can review and check for a false positive and adjust my code accordingly. The problem is that most old-school ASP programming uses free-text queries, which the hackers are taking advantage of here.
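The Log Parser idea above (search the IIS logs for CAST) and the false-positive concern about a bare "0x" matching values such as "b0x" are served by one added example, written here in Python rather than Log Parser and not taken from any poster. It reads the W3C log format IIS writes, URL-decodes the query string, matches the DECLARE/CAST(0x...)/EXEC skeleton of this attack with anchored patterns, and decodes the hex literal so an analyst can read what would have run. The log lines, IP addresses and page names are constructed; the hex literal encodes a harmless placeholder statement, not the real payload.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the hex-encoded CAST/EXEC injection, anchored so ordinary text does not match.
# A bare substring check for "0x" would flag harmless values such as "b0x"; requiring the
# CAST( prefix followed by a run of hex digits avoids that false positive.
SIGNATURES = {
    'declare-variable': re.compile(r'\bDECLARE\s+@\w+', re.I),
    'hex-cast': re.compile(r'\bCAST\s*\(\s*0x[0-9a-f]+', re.I),
    'exec-variable': re.compile(r'\bEXEC(?:UTE)?\s*\(\s*@\w+\s*\)', re.I),
}
HEX_LITERAL = re.compile(r'0x([0-9a-f]{8,})', re.I)


def parse_w3c(lines):
    """Yield one dict per request from an IIS W3C log, using the #Fields: directive for keys."""
    fields = []
    for line in lines:
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if line.startswith('#') or not line.strip():
            continue
        yield dict(zip(fields, line.split()))


def decode_hex_literals(text):
    """Decode long 0x... literals so an analyst can read what the payload would have executed."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        try:
            out.append(bytes.fromhex(m.group(1)).decode('utf-8', 'replace'))
        except ValueError:
            out.append('<undecodable>')
    return out


def scan(lines):
    """Return (client ip, page, matched signatures, decoded payloads) for each suspicious request."""
    findings = []
    for rec in parse_w3c(lines):
        raw = rec.get('cs-uri-query', '-')
        if raw == '-':
            continue
        # IIS stores the query string URL-encoded; decode twice to catch double encoding.
        q = unquote_plus(unquote_plus(raw))
        hits = [name for name, rx in SIGNATURES.items() if rx.search(q)]
        if hits:
            findings.append((rec.get('c-ip'), rec.get('cs-uri-stem'), hits, decode_hex_literals(q)))
    return findings


# Constructed sample log. The hex literal encodes a harmless placeholder, not a real payload.
PLACEHOLDER = "SELECT 1 -- constructed placeholder".encode().hex()
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-04-20 10:00:01 198.51.100.7 GET /default.asp - 200",
    "2008-04-20 10:00:02 198.51.100.7 GET /search.asp q=b0x+records 200",
    "2008-04-20 10:00:03 203.0.113.9 GET /news.asp "
    f"id=12;DECLARE+@s+VARCHAR(4000);SET+@s=CAST(0x{PLACEHOLDER}+AS+VARCHAR(4000));EXEC(@s);-- 200",
]


if __name__ == '__main__':
    for ip, page, hits, payloads in scan(SAMPLE_LOG):
        print(ip, page, hits, payloads)
```

Feed it the real log files for the days in question (the poster above found the attack only after checking the right versions of the logs). The `cs-uri-stem` of each finding is the page to fix first, and the decoded literal tells you which columns to inspect; requests that arrive by POST do not carry the payload in the query string, so for form-driven pages this scan is a supplement to the Profiler approach, not a replacement.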

If the code were to use stored procedures this wouldn't be an issue. On the subject of stored procs, I'm not sure that they will automatically solve the problem.

I have one simple stored proc called from a form that could still provide a vehicle for executing the malicious code, validating the query or the individual parameters would still appear to be the best thing to do. How would stored procedures be vulnerable?

The parameters are converted to a string and are not executed as T-SQL. Try it out, I think you are confused. I added this script to the website and it seems to work very well already. Only a few hours after I set it up, he tried again. This time he was not able to destroy any data in the database. I got the email with the below information. Is there at all anything that can be done to pursue this guy?
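The exchange above about free-text queries versus parameters, as an added example that is not any poster's code. Python with an in-memory SQLite database stands in for classic ASP and SQL Server, and the table, rows and inputs are constructed; the point it demonstrates holds for parameterised ADO commands and stored procedure parameters just the same: a parameter value travels separately from the statement text, so the database never parses it as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample table: three songs, one of them not public."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE Musicas (id INTEGER PRIMARY KEY, Titles VARCHAR(200), Public INTEGER)")
    conn.executemany("INSERT INTO Musicas (Titles, Public) VALUES (?,?)",
                     [("Song 1", 1), ("Song 2", 1), ("Unreleased", 0)])
    return conn


def lookup_dynamic(conn, title):
    """The old-school free-text query: the user's input is pasted into the SQL text itself."""
    sql = "SELECT id FROM Musicas WHERE Public=1 AND Titles='" + title + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_parameterised(conn, title):
    """Parameterised form: the value is bound to the placeholder and never parsed as SQL."""
    sql = "SELECT id FROM Musicas WHERE Public=1 AND Titles=?"
    return [r[0] for r in conn.execute(sql, (title,))]


# Constructed inputs: a normal title, and one that rewrites the WHERE clause if concatenated.
INPUT_NORMAL = "Song 1"
INPUT_HOSTILE = "x' OR 1=1 --"


def compare(title):
    """Run both forms on the same input; returns (dynamic result, parameterised result)."""
    conn = make_db()
    return lookup_dynamic(conn, title), lookup_parameterised(conn, title)


if __name__ == '__main__':
    print(compare(INPUT_NORMAL))    # both forms agree on ordinary input
    print(compare(INPUT_HOSTILE))   # dynamic form leaks every row, parameterised form returns nothing
```

The same applies to the stored-procedure question raised above: a procedure whose parameters are used only as values is safe in the way described, but a procedure that concatenates its parameters into a string and runs it with EXEC has recreated the dynamic query one layer down and is exposed in exactly the same way. A title containing an apostrophe (O'Neil) is also a handy check: the dynamic form fails with a syntax error, the parameterised one simply finds no row.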

Connection: keep-alive. Thanks for posting this. It did help. I just wanted to contribute also to the group. We got SQL injected last night by this and this is how i fixed it.


