Rovastar
3321 Posts
MVP
Moderator
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 10:16 AM
Also here is a useful cheatsheet for SQL injection
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
You could use some of the techniques there to test the security of your site, and it gives a clever insight into some of the techniques used in SQL injections. Basically, if you can get some/any information or error message back then you are at risk.
The attack used here is a combination of many on that site.
bencash
1 Post
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 12:55 PM
I have been targeted by this SQL injection exploit. My ASP programmer is not available for a few days. Can anyone tell me how to make my MSSQL database read only for the time being? I do not need anyone to be able to modify this database for the time being, and this would be a simple workaround I guess for now.
Thanks
Ben Cashdan
Rovastar
3321 Posts
MVP
Moderator
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 01:51 PM
You are going to allow your ASP programmer back after allowing your site to be hacked. ;)
Find out what the user connecting to the DB in the connection string is and make that user read only. For more details direct your question over to a SQL forum like www.sqlteam.com
Simontasker
2 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 03:31 PM
This threat is the second type my company has been attacked by. After the first attack 2 weeks ago by a different virus we have managed to fend off attacks, but this www.nihaorr1.com/1.js? has caused a lot of trouble. I have only recently started as the web developer for a new company, and I've never really used ASP as my main language, so this is a difficult time for me. If anyone has any further input other than what is already here, please post so people like myself stand a chance.
Thanks
Simon
MisterZimbu
7 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 06:07 PM
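One of my clients has been affected by this exploit, but with some notable differences:
Only a few tables in the database were touched, and I can't seem to find a commonality between them (which goes against what the script that was posted earlier was showing).
I can't find any evidence of attempts at an injection attack or a successful one in the IIS logs.
Has anyone who's been affected by this seen any other ways that the attacker could have possibly gotten through besides probing for vulnerabilities in the querystring?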
sirach3
1 Post
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 08:16 PM
I had the same experience as misterzimbu - only 6 or 7 tables were hit, out of some 50 or so possible tables, in an attack on April 19. I'm guessing maybe they used a "TOP 6" in the query? By only hitting a few tables, it achieved a more subtle effect that was not noticed for a full day, whereas attacking all tables would have been apparent immediately. As in nature, a successful parasite does not kill its host right away.
Thanks nhertz for the "validator" script suggestion above - a good first line of defense, in addition to all the other usual SQL Injection precautions. I've learned a painful lesson this past weekend.
MisterZimbu
7 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 08:41 PM
I was able to come up with an explanation for both issues. They did in the end come through with a SQL injection attack; I was just looking at the wrong versions of the log files.
As for the tables that were touched, my explanation was that the largest tables were hit first. The SQL command will eventually hit its timeout doing all the updates on the rows in those tables and not run on the rest.
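One way to run the kind of IIS log search described in the post above, added here as an example and not taken from the thread or from any poster's own tooling. It assumes W3C-format logs with a `cs-uri-query` field and looks for the DECLARE / CAST / 0x combination that the blacklists in this thread target; the log lines, addresses and page names are constructed, and the hex blob decodes to a harmless `SELECT 1`.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not from the thread); the hex blob is "SELECT 1".
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-04-19 03:12:07 192.0.2.10 GET /news.asp id=42 200
2008-04-19 03:12:09 192.0.2.77 GET /news.asp id=42;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S);-- 200
2008-04-19 03:12:30 192.0.2.10 GET /search.asp q=declare+bankruptcy 200
"""

# DECLARE followed by CAST(0x<hex> AS [N]VARCHAR: structure, not single keywords.
PATTERN = re.compile(r"DECLARE\b.*?CAST\s*\(\s*0x([0-9A-F]+)\s+AS\s+(N?)VARCHAR", re.I)

def decode_blob(hex_blob, wide):
    """Decode the CAST argument: NVARCHAR is UTF-16LE, VARCHAR is single-byte."""
    try:
        raw = bytes.fromhex(hex_blob)
    except ValueError:                     # odd digit count: truncated log field
        raw = bytes.fromhex(hex_blob[:-1])
    return raw.decode("utf-16-le" if wide else "latin-1", errors="replace")

def scan_iis_log(text):
    """Return one finding per request whose decoded query matches PATTERN."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order differs between servers
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = unquote_plus(row.get("cs-uri-query", ""))  # log stores it URL-encoded
        m = PATTERN.search(query)
        if m:
            findings.append({
                "when": row.get("date", "") + " " + row.get("time", ""),
                "client": row.get("c-ip", ""),
                "page": row.get("cs-uri-stem", ""),
                "status": row.get("sc-status", ""),
                "decoded_sql": decode_blob(m.group(1), bool(m.group(2))),
            })
    return findings

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

IIS does not log POST bodies, so an injection delivered through a form leaves no payload in `cs-uri-query`; for those requests only the page, client address and timing are available.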
racekites
2 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 08:53 PM
how to fix ??
Are we sure that this is an attack through the URL and not through a form ??
Well my website has been hit twice with this and it has caused serious damage and outage time each time...
I've come up with a possible quick fix. On my site I have an include file which is included in each asp file. This include file has all the presentation etc....
In the top of this file I now have a check of the query string being passed, if an illegal value is found then it forwards the page directly to google without doing any database stuff :
<%
' Server variables for the current request; only QUERY_STRING is checked below.
PATH_INFO = Request.ServerVariables("PATH_INFO")
QUERY_STRING = Request.ServerVariables("QUERY_STRING")
SCRIPT_NAME = Request.ServerVariables("SCRIPT_NAME")

' Blacklist of strings that must not appear in the query string.
Dim passedString(15)
passedString(0) = "DECLARE"
passedString(1) = "NVARCHAR"
passedString(2) = "SET"
passedString(3) = "CAST"
passedString(4) = "0x"
passedString(5) = "("
passedString(6) = ")"
passedString(7) = "--"
passedString(8) = "@"
passedString(9) = ";"
passedString(10) = "-"
passedString(11) = "SELECT"
passedString(12) = "declare"
passedString(13) = "set"
passedString(14) = "cast"
passedString(15) = "nvarchar"

' Redirect away before any database work if a blacklisted string is present.
' vbTextCompare makes the match case-insensitive, so the check does not
' depend on the letter case of the entries above.
For Each x In passedString
    stringOkay = InStr(1, QUERY_STRING, x, vbTextCompare)
    'Response.Write (stringOkay)
    If stringOkay <> 0 Then Response.Redirect ("http://www.google.com")
    'Response.Write ("<br/>Found." & x)
Next
%>
Only time will tell if this will work though !!
Are there any other suggestions on how to deflect these attacks ??
Cheers
A
pb_aldea
3 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 09:16 PM
Greetings,
My SQL instructions blacklist includes:
exe
create
declare
script
insert
update
drop
delete
insert
go
Both query string and form data are filtered. Even then, somehow, one administrator with an infected computer opened the security breach. The infection probably adds the instruction in the form data.
Lesson learned: Trust no one.
Now, this is where the fun begins... I'm having trouble trying to restore the backups made 2 weeks ago, even when my backup file states that the available data extends up to 4 months ago I still keep getting yesterday's corrupted data. SQL documentation is not helping me.
Any clue?
Thanks, best regards.
Sleuth23
8 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 21, 2008 09:51 PM
MZ,
Can you shed some light as to what you searched for to determine how you were compromised? What logs did you search and what did you search for?