
Site was Hacked / Attacked need some advice on where to look for way to improve a page on the site

  1. Site was Hacked / Attacked need some advice on where to look for way to improve a page on the site

    We began getting support calls that our site looked out of whack.. formatting
    was off and pages wouldn't load..
    then we started getting calls from customers outside our company that our
    site had infected their PC..

    after the network admin ran through some logs and such.. found the page that
    was exploited.

    The page is only displaying records from our sql7 database based on what the
    visitor clicks on..
    so the URL looks like this..


    www.oursite.com/info.asp?id=434

    ( I have removed a lot of the number in between, so that it doesn't affect
    anyone, but below is just a few lines of what was appended to our link..
    while infected or compromised anyone visiting certain pages on the site were
    downloading malware / trojans.. when I visited one of the pages, my Norton
    started blocking attempts...

    ;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C004100520045002000400054002000760061007
    2006300680061007200280032003500350029002C0040004300200076
    006100720063006800610072002800320035003500290020004400450
    045004E004400200043004C004F005300450020005400610062006C00650
    05F0043007500720073006F00720020004400450041004C004C004F0043%20AS%20NVARCHAR(4000));EXEC(@S);--

    so my question is where can I start or begin to look for ways to improve the
    ASP code on this and many other pages on the site so we don't get hit again
    soon... I didn't create this site, but have to maintain it.. is there
    something I can do within the SQL procedures? is there something I can check
    or change on the page code? just looking for suggestions on where to
    start...


    --
    ASP, SQL2005, DW8 VBScript



  2. Re: Site was Hacked / Attacked need some advice on where to look for way to improve a page on the site

    You should review all code and find any dynamic SQL generated on web pages.
    Then translate to stored procedures and parameterize all user input.
    Additional checks can be done on the user input on both web pages and SQL
    Server side to validate it is correct.

    A few articles on SQL injection:
    http://msdn.microsoft.com/en-us/library/ms161953.aspx
    http://www.acunetix.com/websitesecur...-injection.htm
    http://www.4guysfromrolla.com/webtech/061902-1.shtml

    HTH,

    Plamen Ratchev
    http://www.SQLStudio.com
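    An added example of the pattern Plamen describes, written for a page like info.asp?id=434 (this is not code from the thread or from the poster's site): the vulnerable concatenation kept as a comment for comparison, then an ADODB.Command that binds the id as a typed parameter, and the same lookup through a stored procedure. The table name tbl_Info, its columns, the procedure name dbo.usp_GetInfoById and the Application("ConnString") setting are assumptions.

```vbscript
<%
Option Explicit
' ADO constants (normally pulled in from adovbs.inc or a METADATA TYPELIB line)
Const adCmdText = 1, adCmdStoredProc = 4
Const adInteger = 3, adParamInput = 1

Dim conn, cmd, rs, id, re
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: connection string kept in global.asa

' --- Vulnerable pattern (left here only for comparison): the query string is
' pasted straight into the SQL, so info.asp?id=434;DECLARE%20@S... runs the
' appended batch as a second statement.
' Set rs = conn.Execute("SELECT * FROM tbl_Info WHERE id=" & Request.QueryString("id"))

' --- Hardened pattern: accept only a short run of digits, then bind the value
' as an integer parameter so the driver never treats it as SQL text.
id = Trim(Request.QueryString("id"))
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT id, title, body FROM tbl_Info WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(id))
Set rs = cmd.Execute

' --- Same lookup through a stored procedure (assumed name). Besides plan reuse,
' it lets the web login be granted EXECUTE on the procedure and nothing else.
'   CREATE PROCEDURE dbo.usp_GetInfoById @id int AS
'       SELECT id, title, body FROM dbo.tbl_Info WHERE id = @id;
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "dbo.usp_GetInfoById"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(id))
Set rs = cmd.Execute

Do Until rs.EOF
    ' Encode on output too: if the injection altered stored data, it reaches every visitor
    Response.Write Server.HTMLEncode(rs("title")) & "<br>"
    rs.MoveNext
Loop
rs.Close: conn.Close
%>
```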


  3. Re: Site was Hacked / Attacked need some advice on where to look for way to improve a page on the site

    The most common source of problems for ASP pages is probably a SQL injection
    attack and your example looks exactly like that. Personally, I would
    start looking for that. Search Google on this.

    In your case, replace the %20 with a blank space, make sure that the
    constant long binary value is all on a single line and run this code by
    replacing the EXEC(@S) at the end with a Select (@S) in Query Analyser; you
    will see what this code was doing.

    --
    Sylvain Lafontaine, ing.
    MVP - Technologies Virtual-PC
    E-mail: sylvain aei ca (fill the blanks, no spam please)




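    As an added alternative to the Query Analyser step Sylvain describes (this is not code from the thread): a WSH script that URL-decodes the query string and turns the 0x... literal back into text, which is all that CAST(... AS NVARCHAR) does on the server. The sample query string below is constructed and encodes a harmless statement, because the one in the post is deliberately truncated; run it with cscript.

```vbscript
' Decodes the hex-as-NVARCHAR literal from an injected query string,
' showing the same text SELECT @S would in Query Analyser.
Option Explicit

Function UrlDecode(s)
    ' Turn %20 and friends back into characters, and '+' into a space
    Dim i, out
    out = ""
    i = 1
    Do While i <= Len(s)
        If Mid(s, i, 1) = "%" And i + 2 <= Len(s) Then
            out = out & Chr(CInt("&H" & Mid(s, i + 1, 2)))
            i = i + 3
        ElseIf Mid(s, i, 1) = "+" Then
            out = out & " ": i = i + 1
        Else
            out = out & Mid(s, i, 1): i = i + 1
        End If
    Loop
    UrlDecode = out
End Function

Function DecodeNvarcharHex(hex)
    ' 0x4400450043... is UTF-16LE: two bytes per character, low byte first
    Dim i, out, lo, hi
    If Left(hex, 2) = "0x" Then hex = Mid(hex, 3)
    out = ""
    For i = 1 To Len(hex) - 3 Step 4
        lo = CInt("&H" & Mid(hex, i, 2))
        hi = CInt("&H" & Mid(hex, i + 2, 2))
        out = out & ChrW(CLng(hi) * 256 + lo)
    Next
    DecodeNvarcharHex = out
End Function

Dim qs, decoded, re, m
' Constructed sample in the same shape as the thread's; the hex spells SELECT 1
qs = ";DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S);--"
decoded = UrlDecode(qs)
Set re = New RegExp
re.Pattern = "CAST\((0x[0-9A-Fa-f]+)\s+AS\s+NVARCHAR"
For Each m In re.Execute(decoded)
    WScript.Echo "Injected batch:   " & decoded
    WScript.Echo "Hidden statement: " & DecodeNvarcharHex(m.SubMatches(0))
Next
```

    An odd number of hex digits, as in the truncated post, means the literal was cut or altered; decode the surviving chunks one at a time rather than trusting the joined string.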


  4. Re: Site was Hacked / Attacked need some advice on where to look for way to improve a page on the site

    this way of coding cannot be too secure, right?



    <%
    set rsJobs=dat.Execute("SELECT * FROM tbl_Employment WHERE PositionType LIKE 'Career' AND Status = 1")
    set rsJobsDesc=dat.Execute("SELECT * FROM tbl_CareerEmployment_Desc")
    %>

    this is how it's coded on the page...

    --
    ASP, SQL2005, DW8 VBScript




  5. Re: Site was Hacked / Attacked need some advice on where to look for way to improve a page on the site

    Those queries by themselves will not have a security risk as they do not take
    any user input. You should look for queries that concatenate user input
    values to the query string.

    In terms of best practice, you should not use SELECT * and rather list all
    column names that are necessary. Also, moving the queries to stored
    procedures and calling the stored procedures from your code will provide
    plan caching and reuse.

    HTH,

    Plamen Ratchev
    http://www.SQLStudio.com

