SQL Injection

  • I have to agree with Gail and Lynn. Your network people/person should have a serious fire lit under them till they find out what that's about.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • SQAPro (2/6/2009)


    What are the first two octets of the IP address?

    Did you try running it through one of the whois links provided above?

    I only know from the network people that it is an external IP.

    From this IP someone has tried to access the SQL Server, but it failed, as per the error in the SQL Server error log.

    _____________________________________________________________________________________________________________
    Paresh Prajapati
    ➡ +919924626601
    http://paresh-sqldba.blogspot.com/
    LinkedIn | Tweet Me | FaceBook | Brijj

  • Does your company have network people responsible for the provision and security of your network? Yes/no.

    Yes - get them to explain how external access was possible to SQL server based on the information you have. Even if access failed, if SQL is logging the failure the network allowed it.

    No (and you are dealing with this entirely) - you need to get someone in who can help with your network problem.

    In the meantime, you/your company need to consider what actions need to be taken to protect your data and network until someone knows what, if anything, has happened.

    Maybe also you could post an extract of your log which gives you the impression of external access, to help you verify something did happen.

    Be sure to blank anything sensitive.

  • Paresh Prajapati (2/10/2009)


    I only know from the network people that it is an external IP.

    Then tell them to do their bloody jobs and find out where the intrusion is coming from. Network security is their job.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • GilaMonster (2/10/2009)


    Paresh Prajapati (2/10/2009)


    I only know from the network people that it is an external IP.

    Then tell them to do their bloody jobs and find out where the intrusion is coming from. Network security is their job.

    Could not agree more.

    Unless this server is specifically located in a portion of the network that is supposed to be accessible to the outside world (and if so, WHY? as in WHY isn't it in a DMZ and being accessed via a proxy of some sort such as a webservice), then seeing an outside IP* should literally be a red alert** type of event because it indicates someone has gained access to a portion of the network that they should be prevented from reaching. IF that is happening, it places more than just your SQL server at risk. In that case all or many of the systems in your network could be vulnerable to someone trying to attack them.

    * if that's REALLY what it is. Given the relative lack of concern of your network folks that you've described Paresh, I'm disinclined to trust their skills and/or judgement. We might be able to give you a second opinion, but you've yet to respond to my request for the first two octets of the IP address (or the entire IP if you don't mind sharing it)

    ** brown alert for red dwarf fans..

  • Paresh Prajapati (2/10/2009)


    SQAPro (2/6/2009)


    What are the first two octets of the IP address?

    Did you try running it through one of the whois links provided above?

    I only know from the network people that it is an external IP.

    From this IP someone has tried to access the SQL Server, but it failed, as per the error in the SQL Server error log.

    The IP is in the error log, is it not? Then, what is it? (Or if you don't want to share the entire thing, what are the first two octets, e.g. the first two numbers: for IP 192.168.10.42 the first two octets would be 192.168, often expressed as 192.168.x.x.)

  • GilaMonster (2/10/2009)


    Paresh Prajapati (2/10/2009)


    I only know from the network people that it is an external IP.

    Then tell them to do their bloody jobs and find out where the intrusion is coming from. Network security is their job.

    Know that, to see you really mad, I would not! :w00t:

  • SQAPro (2/10/2009)


    Paresh Prajapati (2/10/2009)


    SQAPro (2/6/2009)


    What are the first two octets of the IP address?

    Did you try running it through one of the whois links provided above?

    I only know from the network people that it is an external IP.

    From this IP someone has tried to access the SQL Server, but it failed, as per the error in the SQL Server error log.

    The IP is in the error log, is it not? Then, what is it? (Or if you don't want to share the entire thing, what are the first two octets, e.g. the first two numbers: for IP 192.168.10.42 the first two octets would be 192.168, often expressed as 192.168.x.x.)

    It is 223.1.1.128

    _____________________________________________________________________________________________________________
    Paresh Prajapati
    ➡ +919924626601
    http://paresh-sqldba.blogspot.com/
    LinkedIn | Tweet Me | FaceBook | Brijj

  • That's not a 'valid' IP, it's one of the ones that is reserved for special or future uses..

    http://www.iana.org/assignments/ipv4-address-space/

    You sometimes see that IP used by trojans or botnets as a basis for communications, but it's ALSO used by some firewalls and such as their address for things like VPN adaptors.

    One thing is for sure, that is NOT an address handed out by ANY ISP. So it's either being used by some device inside your network (intentionally) or it's being spoofed in some way.

    You don't happen to have a sonicwall firewall or VPN appliance do you?

  • SQAPro (2/11/2009)


    That's not a 'valid' IP, it's one of the ones that is reserved for special or future uses..

    http://www.iana.org/assignments/ipv4-address-space/

    You sometimes see that IP used by trojans or botnets as a basis for communications, but it's ALSO used by some firewalls and such as their address for things like VPN adaptors.

    One thing is for sure, that is NOT an address handed out by ANY ISP. So it's either being used by some device inside your network (intentionally) or it's being spoofed in some way.

    You don't happen to have a sonicwall firewall or VPN appliance do you?

    This IP I have given to the Network Admin and he checked it from the site and told me that it is an external IP address.

    _____________________________________________________________________________________________________________
    Paresh Prajapati
    ➡ +919924626601
    http://paresh-sqldba.blogspot.com/
    LinkedIn | Tweet Me | FaceBook | Brijj

  • Paresh Prajapati (2/11/2009)


    SQAPro (2/11/2009)


    That's not a 'valid' IP, it's one of the ones that is reserved for special or future uses..

    http://www.iana.org/assignments/ipv4-address-space/

    You sometimes see that IP used by trojans or botnets as a basis for communications, but it's ALSO used by some firewalls and such as their address for things like VPN adaptors.

    One thing is for sure, that is NOT an address handed out by ANY ISP. So it's either being used by some device inside your network (intentionally) or it's being spoofed in some way.

    You don't happen to have a sonicwall firewall or VPN appliance do you?

    This IP I have given to the Network Admin and he checked it from the site and told me that it is an external IP address.

    Tell your admin to check the list at the link I gave above.

    I don't know how to make this any clearer, but I'll try; let me quote from that source:

    IPv4 Global Unicast Address Assignments
    (last updated 2009-01-28)

    The allocation of Internet Protocol version 4 (IPv4) address space to various registries is listed here. Originally, all the IPv4 address spaces was managed directly by the IANA. Later parts of the address space were allocated to various other registries to manage for particular purposes or regional areas of the world. RFC 1466 [RFC1466] documents most of these allocations.

    This registry is also available in XML and XHTML formats:
    http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
    http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

    Prefix   Designation   Date   Whois   Status [1]    Note
    ------   -----------   ----   -----   -----------   ----
    223/8    IANA                         UNALLOCATED

    That's straight from the source: "The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources." They are run by ICANN, The Internet Corporation for Assigned Names and Numbers. These are THE folks who hand out IP address ranges, and manage who is allowed to hand out domain names etc. If anyone can be said to 'run the internet' it's these folks.

    So I say again, that number you gave CANNOT have been assigned by an ISP.. that leaves two situations, it is either self assigned by some device INSIDE your network (Sonicwall in particular is known to use that specific address you gave) in which case it can likely be ignored, OR it is a spoofed IP address coming from outside, and if that's the case it's about 100% certain that the person using that IP is malicious, and if they are managing to access your protected internal network it is a 'very bad thing' and needs to be taken very seriously.

    No network admin worthy of being employed would just blow this off without investigating and discovering which of the two scenarios above is the case..

    I don't know how to be any more clear about that.

  • SQAPro (2/11/2009)


    Paresh Prajapati (2/11/2009)


    SQAPro (2/11/2009)


    That's not a 'valid' IP, it's one of the ones that is reserved for special or future uses..

    http://www.iana.org/assignments/ipv4-address-space/

    You sometimes see that IP used by trojans or botnets as a basis for communications, but it's ALSO used by some firewalls and such as their address for things like VPN adaptors.

    One thing is for sure, that is NOT an address handed out by ANY ISP. So it's either being used by some device inside your network (intentionally) or it's being spoofed in some way.

    You don't happen to have a sonicwall firewall or VPN appliance do you?

    This IP I have given to the Network Admin and he checked it from the site and told me that it is an external IP address.

    Yes, they have checked from these sites and it is reserved for external.

    I think they are not able to analyse how this IP was captured here even with high security.

    Tell your admin to check the list at the link I gave above.

    I don't know how to make this any clearer, but I'll try; let me quote from that source:

    IPv4 Global Unicast Address Assignments
    (last updated 2009-01-28)

    The allocation of Internet Protocol version 4 (IPv4) address space to various registries is listed here. Originally, all the IPv4 address spaces was managed directly by the IANA. Later parts of the address space were allocated to various other registries to manage for particular purposes or regional areas of the world. RFC 1466 [RFC1466] documents most of these allocations.

    This registry is also available in XML and XHTML formats:
    http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
    http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

    Prefix   Designation   Date   Whois   Status [1]    Note
    ------   -----------   ----   -----   -----------   ----
    223/8    IANA                         UNALLOCATED

    That's straight from the source: "The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources." They are run by ICANN, The Internet Corporation for Assigned Names and Numbers. These are THE folks who hand out IP address ranges, and manage who is allowed to hand out domain names etc. If anyone can be said to 'run the internet' it's these folks.

    So I say again, that number you gave CANNOT have been assigned by an ISP.. that leaves two situations, it is either self assigned by some device INSIDE your network (Sonicwall in particular is known to use that specific address you gave) in which case it can likely be ignored, OR it is a spoofed IP address coming from outside, and if that's the case it's about 100% certain that the person using that IP is malicious, and if they are managing to access your protected internal network it is a 'very bad thing' and needs to be taken very seriously.

    No network admin worthy of being employed would just blow this off without investigating and discovering which of the two scenarios above is the case..

    I don't know how to be any more clear about that.

    _____________________________________________________________________________________________________________
    Paresh Prajapati
    ➡ +919924626601
    http://paresh-sqldba.blogspot.com/
    LinkedIn | Tweet Me | FaceBook | Brijj

  • Paresh Prajapati (2/11/2009)


    Yes, they have checked from these sites and it is reserved for external.

    I think they are not able to analyse how this IP was captured here even with high security.

    we must have some kind of failure to communicate here, are you passing any of this on to your network folks? :crazy:

    Yes, eventually, one of these days addresses starting with 223.x.x.x may become 'external', but at the moment that address range is UNALLOCATED. That means nobody has the rights to use that range on the internet, so no legit ISP will hand out that address to any customer. It's supposed to be unused.

    So review the scenarios I described above for how that IP could be hitting your server, and ask the network guys point blank if they have any piece of hardware from a company named SONICWALL, because near as I can tell that's the most likely legitimate source for that IP to crop up inside your network. (And pray to your favorite local deity that's what it is.)

    If your network guys are not interested in getting to the bottom of this, then IMHO it's time to polish up the resume and start looking for a new place to work, because if that's NOT coming from inside, and some hacker or botnet has infested your network, you can pretty much bet those same network guys will try to blame YOU for the security breach if the attacker hacks the SQL server somehow.

    That or just pick up a large rock and start hitting your other hand with it, because well at least that way, YOU'LL be in control of the pain..

  • :crazy: horse lead to water have I.

    Drink will it not.

    More I can do not, giving up I am. 😎

  • Many colleges run English 101 courses.

    Peter Edmunds ex-Geek
