SQL Server Performance

Invalid scripts got entered into my website database

Discussion in 'General Developer Questions' started by jmp, Jul 11, 2008.

  1. jmp New Member

    In my websites database, I could find that some script (virus) also got entered with the actual data in some of the fields. It has occurred in many tables and I could not locate exactly where all these scripts got entered. These scripts are appended with the actual required value (say if I entered the value ‘name’ to one of the field, then my database looks like ‘name <some script code>’ to this field. All these fields are entered with exactly the same scripts. These scripts are redirecting my pages to other websites.
    Please help me with a query so as to find the tables and the fields which got affected by this script. Please help me with a query which could traverse all the fields in the database to match the script string.
  2. satya Moderator

    Welcome to the forums.
    Are you sure they are not actual data, have you been using any XML input of data?
    Are you using DYNAMIC SQL?
    Have you restricted all users to have DBO or SA access on the server?
    Is this exposed to internet?
    If you can answer the above questions it will be easy to reduce the probabilities or guess on real issue.
  3. jmp New Member

    It is not actual data. It is a cross site scripting to download a trojan from another site when some one acces my website.
    It is on internet and users have no sa access.
    What I need is a query or sp to scan the entire database (all tables and all fields) to find the existance of that script and delete it
    Is it possible?
  4. FrankKalis Moderator

    Yes, there are scripts available that search every column in every table for a string. Visit Vyas Kondreddi's site. for one quite popular
  5. Madhivanan Moderator

  6. jmp New Member

    Great!
    I can now see all the problem fields/columns. Thanks for the quick support.
    Now I need to clean the script from my tables.
    Can you get me the SP to do this?. That is I want to just remove that Trojan script from my database without affecting the data.
    Please help.
  7. MartinSmithh New Member

    Do you have a clean backup you can restore from and then use something like Redgate compare to examine the differences?
    If not you will need to make a backup - then adjust the script you already have to loop through all string columns to loop through all columns and perform a replace operation on them.
    Also have you got to the bottom of how it happened? I would assume an automated SQL injection attack and if you don't find it and fix it any clean up operation will likely be overwritten within a day.

  8. MartinSmithh New Member

    Assuming that your site is ASP 3.0 VBScript and that you need to get it back up and running ASAP whilst making some short term fixes I would suggest the following.

    Ensure you are using a custom error page that will email you all error details along with details of the Request data sent so you are aware of any vulnerabilities (e.g. any "Incorrect syntax near '" errors should ring alarm bells) and ensure the custom error page does not return detailed error info to the user that will help them craft a SQL injection attack that works.

    Where ever you are using Request.Form, Request.QueryString etc. to build a query string dynamically to execute ensure the following.

    If the parameter is intended to be numeric ensure that you use CInt, CDbl etc. so an error is raised if it contains something less benign.

    For strings ensure all ' characters are escaped by doubling them up.

    Ensure that the SQL account used by your web application does not have any permissions at all on tables unless it is absolutely necessary for the short term (even SELECT permissions can be exploited to reveal admin passwords or other confidential information). UPDATE permissions are likely to be the most important to lock down in the short term though.

    As soon as possible ensure all direct table permissions are removed and that all database access is made through stored procedures.

    When this is done ensure the procedure parameters are passed using ADO parameters rather than concatenating a string to execute.
  9. moh_hassan20 New Member

    Did you test your site against sql injection?
    did you protect your site against sql injection?
    check: http://sql-server-performance.com/Community/blogs/satya/archive/2008/06/01/146567.aspx

Share This Page