
Answered Thread: Anyone know about www.nihaorr1.com/1.js?

Last post 12-12-2008 9:14 PM by Paul Bishop. 109 replies.


Page 5 of 8 (110 items) « First ... < Previous 3 4 5 6 7 Next > ... Last »


  • 05-08-2008, 2:06 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    eftennis:

    Your idea of denying select access to the sys objects seems to make the most sense of any ideas I have read about sql injectors.   That would appear to be a foolproof way of at least stopping the current attackers. 

     Has this worked for you?

    I tried to go in and do this, but, my sql login account does not appear to have permissions (I use a share sql server database on my hosting company).

    If I ask my hosting company to do the DENY is it as simple as the command you included in your post?

     

    Yes. Deny select on .... to sql_login. You need to have SysAdmin privileges to do this. Your hosting company should actually do this. I don't know if they have a DBA. I assume it will work for us. I did a test login as the sql_login used for the app and tried to run the command of the script and I got the "permission denied" error. Let me know if you have any questions. Thanks
  • 05-08-2008, 2:26 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    bjornen:

    Thanks a lot alexhiggins732 

    I added this script to the website and it seems to work very well already. Only a few hours after I set it up, he tried again. This time he was not able to destroy any data in the database. I got the email with the below information. Is there at all anything that can be done to pursue this guy?

     

    No Problem, Like I said I have had this in place for months and I know that it is working.  I would also suggest you download my IIS Log File Viewer and check out the log files in your web server.  SQL Injection hack attempts are usually easy to spot because the query strings are so long.

     

    As far as some of these ideas here, such as deny access to sys tables, I am sure they will work to an extent, but in a professional environment you may be dealing with hundreds or even thousands of databases and/or users and all it really does is stop a hacker from discovering the names of databases, tables and columns in your database.  If your application is vulnerable to these types of attacks, you need to intercept them before they hit the database or a hacker will still be able to gain access to sensitive data like usernames, passwords and credit card information.

     

    As far as the post that searches cookies, form values, and query strings, I initially went that route but saw too many false positives, especially in the form values. I would recommend filtering form values in another manner.

     

    <%
    ' stringfilters.asp
    ' Usage: <!-- #include virtual="stringfilters.asp"-->
    '
    ' For Each Item In Request.Form
    '    Request.Form(Item) = getUserInput(Request.Form(Item), -1)
    ' Next
    '
    ' Alternately, if you know a string should be only a certain length,
    ' specify the length -- for a first name -- getUserInput(Request.Form("FirstName"), 50)

    Dim pFilteringLevel
    pFilteringLevel = 0   ' 0 = none, 1 = strip, 2 = strip and encode, 3 = encode quotes only

    ' to filter login fields: keep only letters, digits, @ . - _ and cut to stringLength
    function getLoginField(input, stringLength)
        dim regEx
        Set regEx = New RegExp
        getLoginField = left(trim(input), stringLength)
        regEx.Pattern = "([^-_A-Za-z0-9@.])"
        regEx.IgnoreCase = True
        regEx.Global = True
        getLoginField = regEx.Replace(getLoginField, "")
        Set regEx = nothing
    end function

    ' general filter; what it does depends on pFilteringLevel
    function getUserInput(input, stringLength)
        dim newString, regEx
        Set regEx = New RegExp

        ' only specified length (-1 = no limit)
        if not stringLength = -1 then
            newString = left(trim(input), stringLength)
        else
            newString = input
        end if

        if pFilteringLevel = 1 then
            regEx.Pattern = "([^A-Za-z0-9@=:/*|' _-]+.%)"
            regEx.IgnoreCase = True
            regEx.Global = True
            newString = regEx.Replace(newString, "")
            Set regEx = nothing

            newString = replace(newString, "--", "")
            newString = replace(newString, ";", "")
        end if

        if pFilteringLevel = 2 then
            newString = replace(newString, "--", "")
            newString = replace(newString, ";", "&#59;")
            newString = replace(newString, "=", "&#61;")
            newString = replace(newString, "(", "&#40;")
            newString = replace(newString, ")", "&#41;")
            newString = replace(newString, "'", "&#39;")
            newString = replace(newString, """", "&#34;")
        end if

        if pFilteringLevel = 3 then
            newString = replace(newString, "'", "&#39;")
            newString = replace(newString, """", "&#34;")
        end if

        getUserInput = newString
    end function

    ' light filtering: entity-encode the characters most used in injection strings
    function getUserInputL(input, stringLength)
        dim tempStr
        tempStr = left(input, stringLength)
        tempStr = replace(tempStr, "--", "")
        tempStr = replace(tempStr, ";", "&#59;")
        tempStr = replace(tempStr, "=", "&#61;")
        tempStr = replace(tempStr, "(", "&#40;")
        tempStr = replace(tempStr, ")", "&#41;")
        tempStr = replace(tempStr, "CHAR", "&#67;&#72;&#65;&#82;")
        tempStr = replace(tempStr, "'", "&#39;")
        tempStr = replace(tempStr, """", "&#34;")
        getUserInputL = tempStr
    end function

    ' double single quotes so the value can sit inside a SQL string literal
    function formatForDb(input)
        dim tempStr
        tempStr = input
        if isNull(tempStr) = false then
            ' replace to avoid DB errors
            tempStr = replace(tempStr, "'", "''")
            tempStr = replace(tempStr, "''''", "''")
            tempStr = replace(tempStr, "''''''", "''")
            tempStr = replace(tempStr, "''''''''", "''")
            tempStr = replace(tempStr, """", """")
        end if
        formatForDb = tempStr
    end function

    ' use a dot as decimal separator whatever the server locale
    function formatNumberForDb(input)
        formatNumberForDb = replace(input, ",", ".")
    end function
    %>

  • 05-09-2008, 5:53 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Morning everyone,

    Has anyone managed to replicate the way this virus attacks the system? I'm curious because I've now set up a test server and I'm working on testing different software packages to determine if they are viable to help protect our servers. I know that simply copying and pasting the virus code into the address bar won't work due to the string being far too long, so if anyone has found a way of replicating the attack would you please Private Message me or post here. Also, has anyone tried to block the HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library) as this seems to be the major distributor of the virus...

     

    Thanks Simon

     

  • 05-10-2008, 6:34 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

     Hello,

    We were also hit by this attack although I am puzzled to hear they were able to inject the SQL into our stored procedure.  Now I know how SQL injection works and I have been able to verify that the page was vulnerable to this sort of attack.

    The puzzler for me is that they managed to inject around 2000 characters into a stored procedure via a parameter that is declared as a varchar(10).  Now in all my tests any content of the parameter over 10 characters is truncated, so how is it they are able to run the code???

     

    Thanks

     

    Neil
     

  • 05-10-2008, 5:03 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Please post your  code.  To my knowledge, this can be done in a stored procedure.   You must have an issue in the code that calls your stored procedure.

  • 05-10-2008, 7:02 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Here is a link on detecting a site being exposed. 

    http://www.securityfocus.com/infocus/1768

    I'm checking to see if Nessus (http://www.nessus.org/nessus/) can detect an exposed site.  This is the ultimate tool for detecting security exploits. If they support it, I'll post instructions.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 05-12-2008, 9:15 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi Neil

    Stored procedures can help but in this case you have to worry about how the stored procedure and parameters are "passed" to SQL server.

    Lets say you had the following URL on your site:

     HTTP://www.yoursite.com/ShowProduct.ASP?ProductID=1

    You may not check the ProductID for "corrupt" data and simply build a string that includes the SP name and parameters; e.g.:

    strCommand = 'EXEC usp_GetProductDetail ' & ProductID

    If you were expecting a value of say "1" to be passed but as in the case of this injection attack the attacker calls this URL:

      HTTP://www.yoursite.com/ShowProduct.ASP?ProductID=1%20DROP%20TABLE%20tblProducts

    Your strCommand variable would now look something like this:

    'EXEC usp_GetProductDetail 1 DROP TABLE tblProducts'

    This is a simplified example but if you happened to have a table called tblProducts and if the user account executing this code had sufficient rights, then your table could be deleted.

    You can do all the checks previously mentioned on this thread and many will help improve your security.

    Another thing you should do is use Parameter objects when executing SQL statements. I'm not going to go into detail as there should be lots online for whichever development language you're using.

    A good place to start looking at this could be here:

    http://msdn.microsoft.com/en-us/library/ms681010(VS.85).aspx

     

    I hope this helps

     David


  • 05-12-2008, 12:14 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    David,

    Thanks for this, it's a long time since I've done ASP; I'm used to ASP.NET where we always use parameters.  You are correct, you do just build up a string like:

    strCommand = 'EXEC usp_GetProductDetail ' & ProductID

    And it makes sense that they are using the fact that we are not parsing out ' etc, but as the actual parameter of the SP is a varchar(10) I would expect any data being passed through this parameter to be trimmed down to this size.  At least that's how it happens through SQL Management Studio, although maybe ASP is different.

    I will look at the parameters and I have implemented the script to check for SQL injection values in the querystring and form collection from earlier in the thread, which should keep them out.

     

    Thanks

     

    Neil
     

  • 05-12-2008, 12:32 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi Neil,

    I'm not sure if I am reading your last post correctly. Are you saying that you are using Parameter Objects and it is still getting through?

    If you are just appending your parameters to the string as in my example it doesn't matter what the SP parameter is declared as.

    In my example:  'EXEC usp_GetProductDetail 1 Drop Table tblProducts'  only the "1" is actually passed to the stored procedure. The "Drop Table tblProducts" part is not passed to the SP but executed as a separate statement. The fact that it is on the same line does not mean that it is all part of the same statement.

    Even if the SP was created as follows:

    CREATE PROCEDURE usp_GetProductDetail
            @ProductID nvarchar(1000)
    AS
    .......

    "Drop Table tblProducts" will not be passed to the SP.

     

    I hope this helps.

    David

     
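    Added example, not code posted by David or anyone else in this thread: the concatenated call from the two posts above next to the ADO Command with a typed Parameter that David recommends, in classic ASP VBScript, with the allow-list validation that alexhiggins732's post says must happen before the value reaches the database. It assumes a placeholder connection string (CONN_STR), a stored procedure usp_GetProductDetail with an integer @ProductID parameter, and a ProductName column in its result.

```vbscript
<%
Option Explicit
' Added example for this thread, not code posted by anyone in it. Assumed:
' CONN_STR placeholder, usp_GetProductDetail with an integer @ProductID, a ProductName column.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI"
Const adCmdStoredProc = 4   ' ADO constants (normally taken from adovbs.inc)
Const adInteger = 3
Const adParamInput = 1

' The pattern David describes. Whatever follows the number in the URL is sent
' to SQL Server as part of the batch, so the SP's varchar(10) declaration
' never sees it. Shown for contrast only; do not use.
Function BuildCommandUnsafe(rawProductId)
    BuildCommandUnsafe = "EXEC usp_GetProductDetail " & rawProductId
End Function

' A product id is a short run of digits; anything else is rejected before it
' gets near the database (an allow-list, not a blacklist of bad characters).
Function IsProductId(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsProductId = re.Test(s)
End Function

' The value travels as a typed parameter, never as text SQL Server parses.
' Returns Nothing when the input fails validation.
Function GetProductDetail(conn, rawProductId)
    Set GetProductDetail = Nothing
    If Not IsProductId(rawProductId) Then Exit Function
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_GetProductDetail"
    cmd.Parameters.Append cmd.CreateParameter("@ProductID", adInteger, adParamInput, , CLng(rawProductId))
    Set GetProductDetail = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR
Set rs = GetProductDetail(conn, CStr(Request.QueryString("ProductID")))
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id"
Else
    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs("ProductName")) & "<br>"   ' encode on output as well
        rs.MoveNext
    Loop
    rs.Close
End If
conn.Close
%>
```

    With the parameter bound this way, a request for ProductID=1%20DROP%20TABLE%20tblProducts fails the digit check and never reaches SQL Server; even if validation were skipped, the text would arrive as the parameter's value rather than as a second statement.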

  • 05-12-2008, 1:09 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    David,

    Thanks for the update that makes sense now.

    What I was trying to say rather badly is I spend 95% of my time developing in ASP.Net where we always use parameters and tell ADO.Net that we are calling a stored procedure, so I'm not used to having to deal with this sort of code.

    Thanks

     
    Neil
     

  • 05-12-2008, 1:18 PM In reply to

    • pb_aldea
    • Not Ranked
    • Joined on 04-21-2008, 9:06 PM
    • Posts 3

    Re: Anyone know about www.nihaorr1.com/1.js?

    Greetings members,

    Since Saturday May 10, 2008 there is another version/attempt to inject code into databases through malformed query strings.

    New destination for the javascript call is wowgm1.cn/m.js (include www. before)

    The infection they try to spread is a version of Vundo/N

    60.169.3.130 is the source of the attack.

    Of course, it is a China-assigned IP.

    Best regards, good luck!

  • 05-13-2008, 3:59 AM In reply to

    • Flackie
    • Not Ranked
    • Joined on 05-13-2008, 7:39 AM
    • Posts 5

    Re: Anyone know about www.nihaorr1.com/1.js?

    greenlit_design:

    1) First to prevent script from executing or any further issues:

    deny select on sysobjects to sql_login_of_your_app
    deny select on syscomments  to sql_login_of_your_app
    deny select on syscolumns  to sql_login_of_your_app
    deny select on systypes  to sql_login_of_your_app

    The script won't even get access to the sys tables anymore (you can add more but these are the minimum)

    I found this thread as we've also experienced the problem. But I cannot seem to get these permissions to change. I connect to the SQL db with windows authentication on the server itself, logged in as an admin. But when I try to change the permissions I get:

     Msg 15151, Level 16, State 1, Line 2
    Cannot find the user 'username', because it does not exist or you do not have permission.

     The username in question does exist, I have tried this on several of the dbs and same error each time. So it seems my admin account does not have permission to deny select permissions for some users. Is that possible?

     I also tried changing the public role to deny access as all the I_USR accounts are set as public (I was clutching at straws here, so maybe these are not even valid SQL commands):

    deny select on sysobjects to public
    deny select on syscomments  to public
    deny select on syscolumns  to public
    deny select on systypes  to public

    This does not give an error. But it apparently does nothing since when I try running a query to list sysobjects in my web back end on the site in question, I can still get a full list of all the tables etc.

    I am not a database pro, I am a vb coder, so apologies if I come across as not really knowledgeable about the intricacies of MS SQL. I am well aware of what SQL injection is, our own sites have not been breached yet, but I don't want to take our coding resistance to injection for granted and so desperately want to tighten up the db too. This forum is the closest I have come to a practical solution to patching this problem at the database and I suspect I am probably not the only lurker who found this thread and is anxious to get the db locked down a bit.

    I was rather hoping MS might produce some simple security guidance as it seems yet again it is their platform in the crosshairs (i.e. a quick bit of SQL code as above maybe). I have trawled their site but as usual find their MSDN articles impenetrable in the extreme and have ended up googling in the hope I can find something that is simple to understand, run and verify that it is working.

     Any advice appreciated.

     

  • 05-13-2008, 8:22 AM In reply to

    • eftennis
    • Not Ranked
    • Joined on 04-18-2008, 7:12 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?


    I had the same problem with denying select permission to my sys tables.   I ended up going to my hosting provider and their sql admin gave me this script.   This worked and allowed me to deny my asp login account from selecting the sys objects table.

    use [my_admin_sql_login]
    GO
    DENY SELECT ON [sys].[sysobjects] TO [my_asp_sql_login]
    GO

    As you can see, I set up a separate login account for my asp connection.  Hope this helps.

  • 05-13-2008, 8:27 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi Flackie,

    Use an account with sysadmin or DBO access rights to change them, it should work.

    The following should do the job:

    use [YourDBName]
    GO

    DENY SELECT ON [sys].[tables] TO [YourUserName]
    GO
    DENY SELECT ON [sys].[columns] TO [YourUserName]
    GO

    A further note to those using this method to stop this particular attack, I have had a SQL 2000 database attacked as well. This implies that there may also be a variant of this getting table and column info from the INFORMATION_SCHEMA views. These views are available on SQL 2000 and 2005 and you should probably deny Select permissions on these as well. 

    And lastly, denying access to these views may stop this particular attack but it doesn't close the holes in your website's code. Anyone searching for this attack on Google, upon spotting your site, will know that you are vulnerable to a SQL Injection attack and can attack you in many other ways. You need to fix the code!!!!

    David


  • 05-13-2008, 9:02 AM In reply to

    • Flackie
    • Not Ranked
    • Joined on 05-13-2008, 7:39 AM
    • Posts 5

    Re: Anyone know about www.nihaorr1.com/1.js?

     Thanks for the feedback and suggestions. I have tried these, but still with the same error. I am logged into the remote server on Remote Access, and then open up the SQL Management interface with windows authentication. I am logged into the server as a server admin, and assumed I have admin access therefore to the MS SQL server. Is there a way to check this, like some SQL I can run to say "yes, you do have admin rights"? Otherwise I might be barking up the wrong tree with this one.

    On a brighter note, our application it seems was not the entry point for the client in question. We analysed his logs of the site running our app and found nothing but he looked at some others and found it was another script he had written about 2 years ago on another domain. Our application was written quite carefully, we paid a lot of attention to closing SQL injection holes, but I'd like to lock down the SQL anyway as an extra precaution.

     

     
