Hi All,

I am in very big trouble. Please help!!!!!!!!!!

My website has been attacked by some malicious script < / title> < script src = http : // google-stats50.info/ur.php >. This script is appended to any column(s) of some table automatically. I have removed this script. But after a few hours, it re-appeared in some tables. But this time it is < / title> < script src = http : // google-stats49.info/ur.php >.

My client is complaining about the script. Technology used is ASP.NET 1.1, SQL SERVER 2005.

Please help.

Thanks in advance!!!!!!

+2  A: 

Shut down the site. Your server may or may not be screwed now.

You have to find out where the changes are coming from - Database or File system

If it's the DB then you may be ok, someone is probably using sql injection. Set permissions so that the DB cannot be updated by the site for now until you find the SQL INJECTION point.

If it's your file system then you probably need to clear and reset the site. They are in and you won't get rid of them. Find your entry point, but it will be hard.

burnt_hand
Also, try to sanitize (not allowing HTML/JS) your users' inputs.
sheeks06
we load content on 3rd party website through scripting technology...that's the purpose of my Website....is there a way to resolve it a.s.a.p
Probably way too late now, but if things like this happen and it's asap, you usually need to hire an expert. A very expensive expert.
burnt_hand
+4  A: 

When you render the text from the database you can use two ways to avoid this script.

  1. Use Server.HtmlEncode(DataFromDatabase);
  2. Use the Microsoft Anti-Cross dll library that has a similar function with more options.

Last MS Anti-XSS library now is 3.1.
How to using video

How they pass this script.

  1. On the contact or other forms.
  2. On the browser reference on the statistics and when they browse your site, you keep a log about this and when you go to see this log the script is running.

Hope this helps.

Aristos
Ok..thanks.....I will implement these preventions into my application. But is there any quick solution to remove the script?
I don't know how they are passing this script and injecting it into the database.
@user423719 I have typed in my answer 2 possible ways this is being injected: from the contact forms, or from the browser data that you log. Do not remove the script, just make it not run, then locate how it is entered, and if you like you can take more measures.
Aristos
All right....thanks.....could the IIS log file help me in this context, i.e. to identify the script entry point? If yes, then which IIS logging tool will help? Please help.....
@user423719 The IIS log can help you only if the data is coming from the browser info. Search it to see if you find the above script. If the entry is from forms then you need to keep the IP log on every entry of data, or just create a way to locate them and not enter them at all but open an alert flag, whatever...
Aristos
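
Added example (not part of the original thread): a Python scan of IIS W3C extended logs for the injected script marker quoted in the question, along the lines of the log search suggested above. The log lines, IP addresses and page names are constructed sample data, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Indicator from the thread: a script tag loading ur.php from google-statsNN.info.
MARKER = re.compile(
    r"<\s*script[^>]*src\s*=\s*[\"']?\s*http\s*:\s*//\s*google-stats\d+\.info/ur\.php", re.I)
# W3C extended log fields that carry client-controlled text.
SUSPECT_FIELDS = ("cs-uri-query", "cs(Referer)", "cs(User-Agent)", "cs(Cookie)")


def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are also normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_iis_log(lines):
    """Return one dict per log field that contains the marker."""
    fields, hits = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        for name in SUSPECT_FIELDS:
            if MARKER.search(decode(row.get(name, "-"))):
                hits.append({"date": row.get("date"), "time": row.get("time"),
                             "client": row.get("c-ip"), "uri": row.get("cs-uri-stem"),
                             "field": name})
    return hits


# Constructed sample log (documentation IPs, hypothetical page names).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Referer)
2010-09-27 15:29:58 198.51.100.7 GET /default.aspx - 200 Mozilla/5.0 -
2010-09-27 15:30:12 203.0.113.45 GET /news.aspx id=7%3C/title%3E%3Cscript+src=http://google-stats50.info/ur.php%3E 200 Mozilla/4.0 -
2010-09-27 15:31:40 203.0.113.45 GET /contact.aspx - 200 Mozilla/4.0 %253Cscript%2520src%253Dhttp%253A//google-stats49.info/ur.php%253E
""".splitlines()

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

IIS does not log POST bodies by default, so a payload submitted through a form will not show up in this scan; that case needs logging at the application's data-entry points.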
A: 

There was a Question on this the other day.

http://stackoverflow.com/questions/3761064/google-stats50-injection-attack

Tim B James
but there is no instant resolution..do you have any?
There isn't an instant resolution. You will need to temporarily take your website off-line in order to clean out the XSS script. Then try to identify where your XSS vulnerability is. Most likely a form on the site, or worse, they have hacked your web server/FTP server and are running something which is inserting code into your physical files.
Tim B James
A: 

I would recommend that you remove all external host header bindings in IIS. That allows you to locate the problem locally without any client of yours being infected or stolen from.

citronas
A: 

A Quick remedy

The following is not a solution, but with this you can remove the script from the database in a single query. That's what I do for now :).


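-- '<injected script string>' is a placeholder: use the exact string found in the affected column.
UPDATE Table_Name SET Column_Name = REPLACE(CAST(Column_Name AS nvarchar(MAX)), '<injected script string>', ' ')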


This one works like the find and replace stuff in Word. If you find any whereabouts of the virus script, do post it here.

Regards, Masood

Muhammed Masood
Hi guys, got another injection link. It seems this one is being injected by the same bot. Can't post the link here. </title><a style=display:none; href=http:// worid - of - books . com >book</a>
Muhammed Masood
A: 

Same problem here... it started about 15.30 and infected 4 tables... here is a solution for a full database search: http://justgeeks.blogspot.com/2006/10/search-ms-sql-server-for-any-text.html just edit it to return distinct table names.

And this will work, as Masood mentioned:

UPDATE Table_Name SET Column_Name = REPLACE(CAST(Column_Name AS nvarchar(MAX)), 'stupid script', '')
Davor