We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

View Complete Thread
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 08:27 AM|DavidReabow|LINK

    Hi Flackie,

    Use an account with sysadmin or DBO access rights to change them, it should work.

    The following should do the job:

    use [YourDBName]

    DENY SELECT ON [sys].[tables] TO [YourUserName]
    DENY SELECT ON [sys].[columns] TO [YourUserName]

    A further note to those using this method to stop this particular attack, I have had a SQL 2000 database attacked as well. This implies that there may also be a variant of this getting table and column info from the INFORMATION_SCHEMA views. These views are available on SQL 2000 and 2005 and you should probably deny Select permissions on these as well. 

    And lastly, Denying access to these Views may stop this particular attack but it doesn't close the holes in your websites code. Anyone searching for this attack on google, apon spotting your site will know that you are vulnerable to a SQL Injection attack and can attack you in many other ways. You need to fix the code!!!!