May 5, 2008 at 12:15 pm
My company found out there was a hacker trying to hack into our system; luckily it was not successful.
However, the web pages did not check whether the value was valid and actually did not check anything. The hacker put in something like
..../search.asp?search_text=product;DECLARE @a AS NVARCHAR(4000); SET @a = CAST(.....AS NVARCHAR(4000)) ; EXEC(@a);-
The CAST statement is a whole bunch of number 0x44004500430043......
Now my boss wanted me to check if the database was alright. How am I going to check? What if the statement is a 'DELETE' statement?
Please help! Urgent!
May 5, 2008 at 12:37 pm
Google 'SQL injection' then fix the web front end so that it checks input and uses parameters properly.
Forget delete statement. What if it had been a drop table or drop database? What permissions does the web user have on the database?
As for seeing what he did, unless you have some form of logging either on the web front end or on SQL, you're probably out of luck.
p.s. If you take part of that statement (as follows) and run it, what does it return? Looks like he was encoding some commands in hex to avoid keyword detection
SELECT CAST(0x44004500430043...... AS NVARCHAR(4000))
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
May 5, 2008 at 12:40 pm
All the web pages connected to the database as 'sa'. Scaryyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy!
May 5, 2008 at 12:41 pm
Check the default trace during that time. See if something schema-related registered...
----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
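The default-trace check suggested above, written out as an added example (this is not code from the thread). It assumes a SQL Server 2005-era instance with the default trace enabled and a caller who has ALTER TRACE permission; the two timestamps are hypothetical and should be replaced with the incident window from the web server log.

```sql
-- Added example: pull schema-change and login-related events from the default trace
-- for the window in which the injected request was seen. Timestamps are hypothetical.
DECLARE @tracefile NVARCHAR(260);
DECLARE @from DATETIME, @to DATETIME;
SET @from = '2008-05-05 10:00';
SET @to   = '2008-05-05 13:00';

-- Find the directory of the active default trace file and point at the base name
-- log.trc so fn_trace_gettable reads the whole rollover set, not only the newest file.
SELECT @tracefile = REVERSE(SUBSTRING(REVERSE(path), CHARINDEX('\', REVERSE(path)), 260)) + N'log.trc'
FROM sys.traces
WHERE is_default = 1;

SELECT t.StartTime,
       te.name          AS EventName,
       t.DatabaseName,
       t.ObjectName,
       t.ObjectType,
       t.LoginName,
       t.HostName,
       t.ApplicationName,
       t.TextData
FROM sys.fn_trace_gettable(@tracefile, DEFAULT) AS t
JOIN sys.trace_events AS te ON te.trace_event_id = t.EventClass
WHERE t.StartTime BETWEEN @from AND @to
  AND (   te.name LIKE 'Object:%'        -- Object:Created / Altered / Deleted
       OR te.name LIKE 'Audit Add%'      -- new logins, users, role members
       OR te.name = 'Audit Login Failed')
ORDER BY t.StartTime;
```

Two limits worth knowing before reading the result: the default trace is a small rolling set of files (five files of 20 MB), so on a busy server the window may already have been overwritten, and it records DDL and security events, not the rows a DELETE or UPDATE touched. An empty result therefore rules out schema changes and new logins in that window, but says nothing about data changes; for those, compare against the most recent backup taken before the request arrived.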
May 5, 2008 at 12:47 pm
Then consider yourself lucky you still have a database.
If you want recommendations for your boss -
Change the web user to have the minimum required privileges
Go through the web pages, carefully, and fix all the places where SQL injection is possible.
Change from ad-hoc SQL to stored procedures
Make sure error pages are not displayed to the user.
Perhaps also, take that site offline until you get it fixed. He might come back again and do something worse.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
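The first three recommendations in the post above, as an added example rather than code from the thread: the injectable ad-hoc search shown only for contrast, the same search as a parameterized stored procedure (with sp_executesql for the case where some dynamic SQL really is needed), and a least-privilege login for the web application to use instead of sa. Table, procedure, role, login and database names are hypothetical.

```sql
-- Added example, not the thread's code. Object names are hypothetical.

-- 1. The injectable pattern: the search text is pasted straight into the SQL string,
--    so a value such as  product;DECLARE @a ... ; EXEC(@a);--  becomes part of the batch.
--    Shown only to contrast with the fix below; do not deploy.
CREATE PROCEDURE dbo.SearchProducts_Unsafe
    @search_text NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ProductId, Name FROM dbo.Product WHERE Name LIKE ''%'
             + @search_text + N'%''';
    EXEC (@sql);   -- whatever the user typed now runs with the connection's rights
END;
GO

-- 2. The fix: a parameter is data, never SQL text. Nothing the user types can close
--    the statement or start another one, and no dynamic SQL is needed here at all.
CREATE PROCEDURE dbo.SearchProducts
    @search_text NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name
    FROM dbo.Product
    WHERE Name LIKE N'%' + @search_text + N'%';   -- concatenating a value, not SQL
END;
GO

-- If dynamic SQL is unavoidable (here: a caller-chosen sort order), only the fixed SQL
-- text is concatenated; the user value stays a parameter of sp_executesql.
CREATE PROCEDURE dbo.SearchProducts_Dynamic
    @search_text NVARCHAR(200),
    @sort_by_name BIT = 1
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ProductId, Name FROM dbo.Product WHERE Name LIKE N''%'' + @p + N''%'''
             + CASE WHEN @sort_by_name = 1 THEN N' ORDER BY Name' ELSE N' ORDER BY ProductId' END;
    EXEC sp_executesql @sql, N'@p NVARCHAR(200)', @p = @search_text;
END;
GO

-- 3. Least privilege: the web application gets its own login that can only execute the
--    procedures it needs. An injection that does succeed then runs as this user, which
--    cannot read dbo.Customer directly, change the schema, or reach xp_cmdshell.
CREATE LOGIN WebAppLogin WITH PASSWORD = 'replace-with-a-strong-password', CHECK_POLICY = ON;
GO
USE YourDatabase;   -- hypothetical database name
GO
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
CREATE ROLE WebAppRole;
EXEC sp_addrolemember 'WebAppRole', 'WebAppUser';   -- ALTER ROLE ... ADD MEMBER on 2012+
GRANT EXECUTE ON OBJECT::dbo.SearchProducts TO WebAppRole;
GRANT EXECUTE ON OBJECT::dbo.SearchProducts_Dynamic TO WebAppRole;
-- Deliberately no GRANT on the tables: the procedures read them on the caller's behalf
-- through ownership chaining, since procedure and table share the owner dbo.
GO
```

The web application's connection string then changes from sa to WebAppLogin, after which a grep of the pages for string-built SQL (anything that concatenates request values into a query) gives the list of places still to convert.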
May 5, 2008 at 12:55 pm
and...disable SA for now....perhaps for good. Sounds like that is power that has been abused in the past.
Just because nothing looks "busted" doesn't mean he didn't do something nefarious. Putting something in place to "call home" with data is 100 times worse than simply dropping the DB.
I would also be checking the outbound firewall logs, e-mail server logs.
----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
May 5, 2008 at 1:09 pm
The other thing to do is cast the binary data as nvarchar and then you'll be able to see what he did, at least at first. Just don't execute it.
-- Round trip: text -> varbinary -> text, to show the cast is safe to run on its own
declare @a nvarchar(max), @b varbinary(max)
select @a = 'abc'
select @b = cast(@a as varbinary(max))
select @a, @b, cast(@b as nvarchar(max))
If you have the "...whole bunch of number 0x44004500430043...." part, put those numbers into something like:
declare @a varbinary(max)
-- the hex literal goes in unquoted; quoting it would store the text '0x4400...' instead of the bytes
select @a = 0x44004500430043
-- the 00 after every byte means the text is UTF-16, so cast to nvarchar, not varchar
select cast(@a as nvarchar(max))
(Edit: Just noticed Gail suggested this earlier, but I couldn't tell if you had tried it or not.)
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
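Building on the cast above, here is an added example (not code from the thread) that decodes a captured payload and then lists the statement keywords it contains, so its likely impact can be judged before anyone reads the whole thing. The payload value is constructed: it is the UTF-16LE encoding of the harmless text "SELECT 1". The real 0x... literal from the web log goes in its place. Nothing in the block executes the decoded text.

```sql
-- Added example: decode a hex-encoded payload for reading and keyword triage only.
-- The literal below is constructed (UTF-16LE bytes of "SELECT 1"); substitute the
-- captured 0x... value. The decoded text is never passed to EXEC.
DECLARE @payload VARBINARY(MAX);
SET @payload = 0x530045004C0045004300540020003100;

-- Bytes of the form 44 00 45 00 ... (every second byte zero) are UTF-16LE, so the cast
-- target is NVARCHAR. A payload with no zero bytes is single-byte text: use VARCHAR(MAX).
DECLARE @decoded NVARCHAR(MAX);
SET @decoded = CAST(@payload AS NVARCHAR(MAX));
SELECT @decoded AS decoded_text, LEN(@decoded) AS char_count;

-- Keyword triage: which kinds of statement does the decoded text contain?
-- (table variable plus UNION ALL rather than a VALUES constructor, for SQL Server 2005)
DECLARE @keywords TABLE (keyword NVARCHAR(50));
INSERT INTO @keywords (keyword)
SELECT N'SELECT'    UNION ALL SELECT N'INSERT'       UNION ALL SELECT N'UPDATE'
UNION ALL SELECT N'DELETE'    UNION ALL SELECT N'DROP'   UNION ALL SELECT N'ALTER'
UNION ALL SELECT N'EXEC'      UNION ALL SELECT N'CURSOR' UNION ALL SELECT N'sysobjects'
UNION ALL SELECT N'xp_cmdshell' UNION ALL SELECT N'sp_configure' UNION ALL SELECT N'OPENROWSET';

-- CHARINDEX is case-insensitive under the usual default collations
SELECT k.keyword,
       CHARINDEX(k.keyword, @decoded) AS first_position
FROM @keywords AS k
WHERE CHARINDEX(k.keyword, @decoded) > 0
ORDER BY first_position;
```

For the constructed sample the triage returns a single row, SELECT at position 1. With a real payload, the rows that matter are UPDATE, INSERT and DELETE (data changed: compare the named tables and columns against the last backup taken before the request), DROP and ALTER (schema changed: cross-check with the default trace), and xp_cmdshell, sp_configure or OPENROWSET (the attacker was reaching past the database into the host or other servers, which is where the firewall and mail logs mentioned earlier come in).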
May 5, 2008 at 1:13 pm
From what I've read, most SQL injection attacks these days are attempts to get sensitive information. If, for example, you have credit card data in your database, and it's not encrypted, you should probably report that to law enforcement at this point.
(Edit: I'm not a lawyer. Don't take that as legal advice, even though it reads like it. My point is simply that, if your credit card were in a database that you found out allows SQL injection, you'd want to know about it.)
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
May 5, 2008 at 1:17 pm
Good point. What kind of data is in this database?
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
May 5, 2008 at 2:50 pm
The main tables are the customer and product table. I am not worried about the product table. The customer table does not have any SSN or credit card info, but it has customer home address and email address.
May 5, 2008 at 2:54 pm
BTW, I found out the hacker has already hacked into a lot of websites.
http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html
May 5, 2008 at 2:55 pm
Just hope that data doesn't end up in the hands of a competitor.
I don't know if that kind of thing matters much. Check out what the query does (as per prior posts), and advise your boss that a lawyer might be a good idea, on the subject of any possibility of stolen data having any liability to you guys.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
May 5, 2008 at 3:14 pm
I am very upset because my boss kept yelling at me the whole day to make sure the database was correct. I told him if the company did not put in more security in the web server and change the way it connected to the database, the hackers would come back again and again and eventually the hackers would ruin the whole database. It did not seem to get through to him. :crazy::angry:
May 5, 2008 at 3:24 pm
Just remember, your boss is probably having a bad day too.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."