New SQL Injection Attack

  • One of our databases got hit hard by the nihaor mass-injection attack. Understaffed as we are, we restored backups, did a cursory investigation, and back-burnered it. What do you know, the same database is starting to fill up with

    (For God's sake, don't go to the URL if you don't know what you are doing. The last one was filled with all sorts of exploits.)

    Just a heads up, and maybe a thread starter. Still seems like nobody knows 100% how the last one can be prevented. Binary encoding be damned, and we have so many legacy sites and applications; funny it's the newest ASP.NET application that turned out to be susceptible.

  • Hmmm, didn't know the URLs were in the same class as "those of whom we do not speak".

    Probably smart, but it keeps Googlers from answers. Speaking of which, I'd love to hear any insights y'all may've made into these attacks.

  • To prevent SQL injection completely:

    - Use only stored procedures or properly parameterised queries from your web app

    - Do not concatenate SQL statements and execute them, either in the web page or in stored procedures.

    - Use the built-in ADO/ADO.net parameter objects to pass parameters to the stored procedures

    - Ensure that the user that the web site connects as ONLY has exec permissions on the stored procs and nothing else.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
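
The contrast behind the list above, as an added C#/ADO.NET example that is not code from the thread: a concatenated query beside the parameterised and stored-procedure forms, with the least-privilege grant for the web login. The table, column, procedure and login names are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the thread. dbo.Customers, dbo.GetCustomerByName and
// the WebAppLogin login are assumed names used only for illustration.
public static class CustomerLookup
{
    // VULNERABLE: user input becomes part of the SQL text, so a single quote in
    // the input changes the statement's structure. Shown only for contrast.
    public static string BuildConcatenatedSql(string name)
    {
        return "SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '" + name + "'";
    }

    // SAFE: ad-hoc text with an ADO.NET parameter object. The value travels
    // separately from the statement text and is never parsed as SQL.
    public static SqlCommand BuildParameterisedCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name", conn);
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // SAFE: stored procedure called through parameter objects. Because the app
    // only ever calls procs, the login needs nothing beyond
    //   GRANT EXECUTE ON dbo.GetCustomerByName TO WebAppLogin;
    // (no SELECT/INSERT/UPDATE on tables, and certainly not sa).
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("dbo.GetCustomerByName", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    public static void Main()
    {
        // A legitimate name with an apostrophe is enough to show the problem:
        // the concatenated text is no longer a single valid statement.
        Console.WriteLine(BuildConcatenatedSql("O'Brien"));

        // Placeholder connection string; connect as the least-privilege login.
        using (var conn = new SqlConnection("Server=(local);Database=Shop;Integrated Security=true"))
        {
            conn.Open();
            using (var reader = BuildStoredProcCommand(conn, "O'Brien").ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine($"{reader.GetInt32(0)}: {reader.GetString(1)}");
            }
        }
    }
}
```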

  • Hey, I really appreciate the info from you guys. I have spent a couple of weeks thoroughly researching SQL injection, and I understand what needs to be done to protect from it. Unfortunately, the situation I am in is working at a company with 4 other engineers. We have probably 50 different legacy apps running, with as many as 10 versions of each in production for clients. Only one of our DBs keeps getting hit, a DB with over 300 tables. It's for a .NET app that uses NHibernate for ORM, something no one here has any experience with. There are also web services involved, reporting services, COM components, VBScripts that hit the DB, etc. Not one person who actually created any of these apps is still with the company. Just looking for any hints that will point me in the right direction. Thanks.

  • There's no quick-fix silver bullet for SQL injection.

    I would recommend you implement some logging, either from the app or from SQL, to see exactly what commands come from the app to SQL. (You can use SQL Profiler, but that won't show you from what page the query came.)

    Ultimately, someone's going to have to dig into the app and fix it though.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • I just had a SQL Injection attack last week. All the recommendations are good but the SQL statements are embedded in all the web pages in my company. It is not possible to replace all of them with stored procedures overnight.

    Worst of all, the connection sign-in between the web and the database is using 'SA'.

    I think I need to update my resume and start to look for another job. I am afraid one day I'll wake up to find out the hackers deleted all the databases. :doze:

  • Loner (5/14/2008)

    I just had a SQL Injection attack last week. All the recommendations are good but the SQL statements are embedded in all the web pages in my company. It is not possible to replace all of them with stored procedures overnight.

    No it's not, and no one ever said it was. Any fixing of security holes takes time. Which is worse, the expenditure of time, or the loss of all your data, either dropped or stolen?

    As the person there who knows the most about this, it's your responsibility to at least try and explain it to the people in charge.

    Include the worst case possibilities, an estimate of how much damage would be done in that worst case and how long it will take to fix (aside: is the SQL service account there local admin on the server or domain admin?), as well as an estimate of how long it would take to fix the app (the web devs can probably help with that).

    The worst case is not a dropped database. That, providing the backups are intact, is easy to fix. Intentionally modified data may be harder to find. Prices changed, client info changed, etc. Also consider the possibility of data being stolen and that story getting into the press. How much will bad press cause you? Also consider the possibility of legal requirements, if you have any financial or personal identity data stored.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • Loner (5/14/2008)

    I just had a SQL Injection attack last week. All the recommendations are good but the SQL statements are embedded in all the web pages in my company. It is not possible to replace all of them with stored procedures overnight.

    Worst of all, the connection sign-in between the web and the database is using 'SA'.

    I think I need to update my resume and start to look for another job. I am afraid one day I'll wake up to find out the hackers deleted all the databases. :doze:

    As a DBA, why are you fleeing, knowing there will be a huge loss to your company? If any company comes to know the actual reason for your fleeing then they will also back out from you. Better talk to your manager about the loopholes in the programs. You still have time to save your data... act fast.

  • I am a contractor, not the company's DBA. It is a small company helping customers build ecommerce websites. They use SQL Server to store customers' information. The company has been operating for 9 years and they have never had a DBA. The web developers write all the SQL statements and some of them are horrible! It is only recently that they think they need help in cleaning up the databases and help to optimize the SQL statements. I tried to talk to the manager about SQL injection and suggested many ideas, but the manager focuses on the web development more than the database development.

    I don't think they have figured out what my role is. I still don't know what my role is. I cannot implement something without their approval but they are dragging their feet in fixing up the databases.

  • Loner (5/15/2008)

    I am a contractor, not the company's DBA. It is a small company helping customers build ecommerce websites. They use SQL Server to store customers' information. The company has been operating for 9 years and they have never had a DBA. The web developers write all the SQL statements and some of them are horrible! It is only recently that they think they need help in cleaning up the databases and help to optimize the SQL statements. I tried to talk to the manager about SQL injection and suggested many ideas, but the manager focuses on the web development more than the database development.

    I don't think they have figured out what my role is. I still don't know what my role is. I cannot implement something without their approval but they are dragging their feet in fixing up the databases.

    Your primary responsibility here is to point out what can and will happen. Document the problem, document the cure, and point to possible fallout (financial/legal/public discredit, etc...). Don't sugarcoat it, but also don't inject emotion into it or go overboard: cold analytical approach tends to work best. He/she seems resistant to this - so make it unimpeachable. The bottom line is that if they've been hacked once, and the hacker got something they wanted - they'll be back for a second round. It's just a matter of *when*.

    Once you have all of that - put it on the mgr's desk, ask him/her if you can go over some of the findings with him, with the team, etc.... What he/she does with that info at that point is out of your control, and if he/she refuses to fix it - that's on their head.

    And by the way - since you're a contractor - copy your firm on your findings. It's important for them to know this.

    Your job is not to go around pulling that manager's head out of....well - wherever he's got it shoved most of the time (I'll let you draw your own mental picture).

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
