Identifying SQL Injection
This article covers the most recent wave of SQL Injection attacks. These attacks, mostly targeted at sites scripted with Classic ASP, use a hex-encoded SQL query that injects JavaScript tags into every database field of the text, ntext, varchar, or nvarchar data types.
How to Identify SQL Injection
Identifying SQL Injection is fairly easy. Often the first sign is complaints that the site is attempting to load malware on visitors' computers. This happens because the injection has inserted tags into the database fields that load externally hosted JavaScript. Typically the site shows no obvious visual clues of the attack, although its performance may be degraded. If you view the source of the site and search for ".js" you will quickly find the injected scripts.
You have now identified that the site has indeed been SQL injected, and the database may need to be restored. You will need to investigate further to find out when the attack started so you can restore the appropriate (clean) backup.
Faster SQL Injection identification
- Open the site in Firefox
- Open Firebug
- The first Firebug screen shows the load times of all files and requests made by the current page load. Look in the second column for a domain name that is suspicious.
- View the source of the page and find that domain name. If it appears in a <script src="URL HERE"></script> tag, it is likely SQL injection.
- Open the database, create the stored procedure below and run it with the injected string as the search value. If it reports the number of rows it corrected, you have cleaned the database of that one string. Be sure to refresh the page in Firefox and double-check that no other strings have been injected.
```sql
-- Finds @SearchStr in every char/varchar/nchar/nvarchar and text/ntext column
-- of every user table and replaces it with @ReplaceStr. Take a backup first:
-- the UPDATEs touch every matching column in the database.
CREATE PROC SearchAndReplace
(
    @SearchStr  nvarchar(1000),   -- injected string to remove, e.g. a <script src=...></script> tag
    @ReplaceStr nvarchar(1000)    -- replacement, usually ''
)
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @TableName  nvarchar(256),  @ColumnName nvarchar(128), @tColumnName nvarchar(128),
            @SearchLit  nvarchar(1010), @ReplaceLit nvarchar(1010), @SearchStr2 nvarchar(1010),
            @SQL        nvarchar(max),  @RCTR int
    -- Build the string literals by doubling embedded single quotes. The original
    -- QUOTENAME() approach returns NULL for inputs longer than 128 characters, which
    -- silently skipped long injected script tags; the LIKE pattern was also truncated.
    SET @SearchLit  = '''' + REPLACE(@SearchStr,  '''', '''''') + ''''
    SET @ReplaceLit = '''' + REPLACE(@ReplaceStr, '''', '''''') + ''''
    SET @SearchStr2 = '''%' + REPLACE(@SearchStr, '''', '''''') + '%'''   -- LIKE pattern: %, _ and [ in @SearchStr act as wildcards
    SET @TableName = ''
    SET @RCTR = 0

    -- Walk every user table in name order, skipping Microsoft-shipped objects
    WHILE @TableName IS NOT NULL
    BEGIN
        SET @ColumnName = ''
        SET @tColumnName = ''
        SET @TableName =
        (
            SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))
            FROM INFORMATION_SCHEMA.TABLES
            WHERE TABLE_TYPE = 'BASE TABLE'
              AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName
              AND OBJECTPROPERTY(
                      OBJECT_ID(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)),
                      'IsMSShipped') = 0
        )

        -- Pass 1: character columns, which REPLACE() handles directly
        WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
        BEGIN
            SET @ColumnName =
            (
                SELECT MIN(QUOTENAME(COLUMN_NAME))
                FROM INFORMATION_SCHEMA.COLUMNS
                WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
                  AND TABLE_NAME = PARSENAME(@TableName, 1)
                  AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
                  AND QUOTENAME(COLUMN_NAME) > @ColumnName
            )
            IF @ColumnName IS NOT NULL
            BEGIN
                SET @SQL = 'UPDATE ' + @TableName +
                           ' SET ' + @ColumnName + ' = REPLACE(' + @ColumnName + ', ' +
                           @SearchLit + ', ' + @ReplaceLit + ')' +
                           ' WHERE ' + @ColumnName + ' LIKE ' + @SearchStr2
                EXEC (@SQL)
                SET @RCTR = @RCTR + @@ROWCOUNT
            END
        END

        -- Pass 2: text/ntext columns; REPLACE() cannot take them, so cast to nvarchar(max) first
        WHILE (@TableName IS NOT NULL) AND (@tColumnName IS NOT NULL)
        BEGIN
            SET @tColumnName =
            (
                SELECT MIN(QUOTENAME(COLUMN_NAME))
                FROM INFORMATION_SCHEMA.COLUMNS
                WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
                  AND TABLE_NAME = PARSENAME(@TableName, 1)
                  AND DATA_TYPE IN ('ntext', 'text')
                  AND QUOTENAME(COLUMN_NAME) > @tColumnName
            )
            IF @tColumnName IS NOT NULL
            BEGIN
                SET @SQL = 'UPDATE ' + @TableName +
                           ' SET ' + @tColumnName + ' = REPLACE(CAST(' + @tColumnName + ' AS NVARCHAR(MAX)), ' +
                           @SearchLit + ', ' + @ReplaceLit + ')' +
                           ' WHERE ' + @tColumnName + ' LIKE ' + @SearchStr2
                EXEC (@SQL)
                SET @RCTR = @RCTR + @@ROWCOUNT
            END
        END
    END
    -- @RCTR is the number of rows updated, summed over every column that matched
    SELECT 'Replaced ' + CAST(@RCTR AS varchar) + ' occurrence(s)' AS 'Outcome'
END
```
What do I do next?
Once you have confirmed that the site has been attacked, it is important to take ALL of the following steps to ensure that the issue is properly handled.
- Find out when the attack started. It is common for an attack to go unnoticed for several days. This is because, as stated earlier, the site may not have any obvious visual indications of attack.
- Secure a clean backup of the database.
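As an added example (not code from the original article), a small Python triage script that automates two of the steps above: it lists externally hosted script tags in a saved copy of the page source, and it scans IIS W3C log lines (assumed layout: date, time, cs-uri-stem, cs-uri-query, ...) for the hex-encoded CAST payload so the first injection request can be dated before choosing which backup to restore. The host names, log lines and payload below are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

class _ScriptSrcParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []          # src attribute of every <script> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def external_scripts(html, own_host):
    """Script src URLs served from a host other than the site's own
    (the manual step: view source, search for '.js', check the domain)."""
    p = _ScriptSrcParser()
    p.feed(html)
    return [s for s in p.srcs
            if (urlparse(s).hostname or own_host).lower() != own_host.lower()]

# Signature of the hex-encoded payload: CAST(0x<hex> AS NVARCHAR(...)) in the query string
HEX_CAST = re.compile(r"cast\(0x([0-9a-f]+)\s+as\s+n?varchar", re.I)

def first_injection(log_lines):
    """Earliest (date time, decoded payload) among IIS W3C log lines laid out as
    'date time cs-uri-stem cs-uri-query ...'; None if no hex CAST payload is found."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 4:
            continue
        m = HEX_CAST.search(unquote(fields[3]))
        if m:   # NVARCHAR payloads are UTF-16LE once the hex is decoded
            hits.append((fields[0] + " " + fields[1], bytes.fromhex(m.group(1)).decode("utf-16-le", "replace")))
    return min(hits) if hits else None   # ISO timestamps sort chronologically

# Constructed sample inputs (not real data); the hex is built here rather than typed in
SAMPLE_HTML = ('<html><head><script src="/js/site.js"></script>'
               '<script src="http://www.example.com/menu.js"></script></head>'
               '<body>Widget<script src=http://bad.example/x.js></script></body></html>')
PAYLOAD_HEX = "<script src=http://bad.example/x.js></script>".encode("utf-16-le").hex()
SAMPLE_LOG = [
    "#Fields: date time cs-uri-stem cs-uri-query c-ip",
    "2008-05-10 03:14:02 /default.asp id=12 192.0.2.10",
    "2008-05-12 22:41:55 /product.asp id=7;CAST(0x" + PAYLOAD_HEX + "%20AS%20NVARCHAR(4000)) 198.51.100.7",
    "2008-05-13 01:02:03 /product.asp id=9;cast(0x" + PAYLOAD_HEX + "%20as%20nvarchar(4000)) 198.51.100.7",
]
```

The timestamp returned by first_injection is the earliest request to inspect; restore from a backup taken before it.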
Although the above may seem like a lot of work, it can be accomplished in very little time with the right tools. Once you are familiar with the process, it may take you only 15-20 minutes from start to finish.
