  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 04:53 PM|racekites|LINK

    How to fix??

    Are we sure that this is an attack through the URL and not through a form??

    Well my website has been hit twice with this and it has caused serious damage and outage time each time...

    I've come up with a possible quick fix. On my site I have an include file which is included in each ASP file. This include file has all the presentation etc....

    At the top of this file I now have a check of the query string being passed; if an illegal value is found then it forwards the page directly to Google without doing any database stuff:

    <%
    ' Server variables for the current request; only QUERY_STRING is inspected below.
    PATH_INFO = Request.ServerVariables("PATH_INFO")
    QUERY_STRING = Request.ServerVariables("QUERY_STRING")
    SCRIPT_NAME = Request.ServerVariables("SCRIPT_NAME")

    ' Blacklist of fragments that should never appear in a legitimate query string
    ' on this site. Dim passedString(15) gives 16 slots, indexes 0 to 15.
    Dim passedString(15)

    passedString(0) = "DECLARE"
    passedString(1) = "NVARCHAR"
    passedString(2) = "SET"
    passedString(3) = "CAST"
    passedString(4) = "0x"
    passedString(5) = "("
    passedString(6) = ")"
    passedString(7) = "--"
    passedString(8) = "@"
    passedString(9) = ";"
    passedString(10) = "-"   ' note: also matches any legitimate hyphen, e.g. a date value
    passedString(11) = "SELECT"
    passedString(12) = "declare"
    passedString(13) = "set"
    passedString(14) = "cast"
    passedString(15) = "nvarchar"

    ' Redirect away before any database code runs if a blacklisted fragment is found.
    ' vbTextCompare makes InStr case-insensitive, so mixed-case spellings such as
    ' "Declare" are caught as well as the upper- and lower-case entries listed above.
    ' Response.Redirect also ends processing of the page.
    For Each x In passedString
        stringOkay = InStr(1, QUERY_STRING, x, vbTextCompare)
        'Response.Write (stringOkay)
        If stringOkay <> 0 Then Response.Redirect ("http://www.google.com")
        'Response.Write ("<br/>Found." & x)
    Next
    %>

    Only time will tell if this will work though !!

    Are there any other suggestions on how to deflect these attacks??

     

    Cheers
    A
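The following is an added example, not code from the poster or from IIS.NET: a Python port of the query-string blacklist above, written so the rules can be exercised offline against constructed query strings before relying on them. `first_match_raw` mirrors the post's loop (case-sensitive substring search on the raw QUERY_STRING); `first_match_decoded` is a hardened variant that URL-decodes first and compares case-insensitively, which is what the database actually receives via `Request.QueryString`. The sample query strings and the function names are this example's own.

```python
# Added example: a testable port of the ASP query-string blacklist from the post.
from urllib.parse import unquote_plus

# The same 16 fragments the ASP include blocks, in the same order.
BLOCKED_TOKENS = [
    "DECLARE", "NVARCHAR", "SET", "CAST", "0x", "(", ")", "--",
    "@", ";", "-", "SELECT", "declare", "set", "cast", "nvarchar",
]


def first_match_raw(query_string):
    """Mirror of the post's loop: case-sensitive InStr on the raw QUERY_STRING.

    Returns the first blocked token found, or None when the string is clean."""
    for token in BLOCKED_TOKENS:
        if token in query_string:
            return token
    return None


def first_match_decoded(query_string):
    """Hardened variant: percent-decode first, then compare case-insensitively.

    The VBScript equivalent is InStr(1, value, token, vbTextCompare) applied to
    the decoded Request.QueryString values rather than the raw server variable."""
    decoded = unquote_plus(query_string).upper()
    for token in BLOCKED_TOKENS:
        if token.upper() in decoded:
            return token
    return None


def check_requests(query_strings):
    """Run both checks over a batch; returns (query_string, raw_hit, decoded_hit)."""
    return [(qs, first_match_raw(qs), first_match_decoded(qs)) for qs in query_strings]


# Constructed sample query strings (not captured traffic) covering the cases a
# site owner should try before deploying the filter.
SAMPLE_QUERY_STRINGS = [
    "page=2&sort=name",                 # clean: neither check fires
    "id=1;DECLARE @s NVARCHAR(4000)",   # tokens from the post, upper case
    "q=Declare",                        # mixed case: raw check misses it
    "id=1%3B%40s",                      # percent-encoded ';' and '@': raw check misses it
    "date=2008-04-21",                  # legitimate hyphen: blocked by the "-" entry
    "offset=10",                        # legitimate parameter name containing "set"
]

if __name__ == "__main__":
    for qs, raw_hit, decoded_hit in check_requests(SAMPLE_QUERY_STRINGS):
        print(f"{qs!r:40} raw={raw_hit!r:12} decoded={decoded_hit!r}")
```

Running the block prints one row per sample. The last two rows are the cost side of a blacklist of this kind: the `"-"` and `"set"` entries fire on ordinary dates and on parameter names such as `offset`, so any page that legitimately carries those values will be redirected too.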