
I’ve been getting a lot of requests for information about how to patch this attack. I have to back up a minute and say that the attack is a pure SQL injection attack. Previously I reported that it was a Windows vulnerability; on further investigation, what I saw in the server logs were only “attempts” to find a vulnerability, not the actual entry point.

So I did some more research and had a talk with Jess Coburn of the Windows hosting company Appliedi.net. Although the attack looks like a Windows vulnerability, because of the attempts to gain entry through typical Windows vulnerabilities, it’s not. The media-file attempts were only part of the probing. Apparently this attack is either preceded or followed by various other attempts to gain entry. On our site the injection did not come through the URL but through a search form we had built that uses what’s called an “Enter event.” Briefly, most ASP.NET search forms eschew keyboard events in favor of click events that trigger JavaScript postbacks, meaning that if you have an ASP.NET search control on your website, a person has to click the search button instead of just hitting Enter.

Here lies the problem. Users hate clicking search buttons but love hitting their Enter key. Enter events are easy to drive programmatically, which is why so many forums and blogs get spammed and hacked all the time; JavaScript postbacks, not so much. From the little I do know so far, the common scanners are less likely to exercise a postback because it does not submit the way most sites’ forms do. One caveat a practitioner will want stated plainly: an ASP.NET postback is still an ordinary HTTP POST, so anyone who captures a single request can replay it with any value they like. The postback only filters out lazy scanners; it does not protect the query. The query is only protected when the user’s text reaches SQL as a bound parameter rather than as concatenated text.

But back to the problem and some solutions.

  1. Never build SQL by concatenating form text into the query string. Use parameterized queries (SqlCommand with SqlParameter in ASP.NET, or a stored procedure called with parameters) so that whatever is typed in the field is treated as data, not as SQL. Merely “disallowing” SQL keywords in the text field is not enough on its own, since attackers encode and reshape payloads to get past keyword lists. There are plenty of tutorials on how to do this.
  2. Read Jess’s blog; he has a TON of links to good sources and a neat rollback SQL function to clean up this type of SQL injection.
  3. Remove “Enter events” from your ASP and ASP.NET forms, at least for now; your users will have to click the button. Treat this as noise reduction, not a fix: the form can still be submitted directly by anyone who crafts the POST, so item 1 is what actually closes the hole.
  4. Did I mention go to Jess’s blog?
  5. Find your most recent database backup. If the offending script does not appear in it, you have clean data and a timestamp for the last time your site was clean, which also bounds when the attack happened.
  6. If you don’t do regular backups, start the habit right NOW. If you have to back up every 2 hours, then do it. Keep copies online and off. A reputable hosting company will let you make as many backups as you need.
  7. Check your hosting company’s backup policy. Appliedi.net backs up data at least twice in a 24-hour period.
  8. If you’re on a dedicated box, assign some disk space and memory to run SQL backup jobs automatically. I’m still researching best practices.
  9. During the hack attempt, or event, have a BIG GLASS OF SCOTCH, RUM, OR LIQUOR OF YOUR OWN CHOOSING.  These things are not easy to get through, but you need to relax or you’ll never get through it.
  10. Be better prepared.  Just like a hurricane or earthquake, have a disaster plan.
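The search-form injection described above and the cleanup checks in items 1, 2 and 5, as an added worked example; this is not code from the original post or from Jess’s blog. It uses Python with an in-memory SQLite database so it runs offline, and the query shapes are the same ones SQL Server would see behind an ASP.NET search control. The table, rows, column names, the `evil.example` script tag and the function names are all constructed assumptions for illustration.

```python
import sqlite3

# Added example (not from the original post). In-memory SQLite stands in for
# the SQL Server database behind an ASP.NET search form; the query shapes are
# the same. Everything below is constructed sample data.

# Constructed stand-in for the script tag the attack appends to text columns.
# Hypothetical host; not a real indicator of compromise.
INJECTED_TAG = '<script src="http://evil.example/x.js"></script>'

TABLE = "products"                      # assumed table name
TEXT_COLUMNS = ["name", "description"]  # assumed text columns to scan/clean


def make_db():
    """Build a small constructed catalogue. 'description' holds text the
    search box was never meant to return."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products (name, description) VALUES
            ('Widget', 'A small widget'),
            ('Gadget', 'A handy gadget'),
            ('Sprocket', 'internal use only');
    """)
    return conn


def search_vulnerable(conn, term):
    """The mistake in the search form: the typed text is concatenated into the
    SQL string, so quotes and comment markers in it become SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The fix for item 1: the term is bound as a parameter and can only ever
    be compared as data. (SqlCommand/SqlParameter does the same in ASP.NET.)"""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def simulate_injection(conn):
    """Stand-in for the attacker's payload: append the script tag to every text
    column of every row, which is the damage the cleanup below has to undo."""
    conn.execute(
        "UPDATE products SET name = name || ?, description = description || ?",
        (INJECTED_TAG, INJECTED_TAG),
    )
    conn.commit()


def find_injected(conn, table=TABLE, columns=TEXT_COLUMNS, marker="<script"):
    """Item 5: list (id, column) pairs whose text contains an injected script tag.
    Table and column names cannot be bound as parameters, so they come from a
    fixed list in code, never from user input; the marker is a bound value.
    (instr() is SQLite's equivalent of SQL Server's CHARINDEX.)"""
    hits = []
    for col in columns:
        sql = f"SELECT id FROM {table} WHERE instr({col}, ?) > 0"
        for (row_id,) in conn.execute(sql, (marker,)):
            hits.append((row_id, col))
    return hits


def strip_injected(conn, injected, table=TABLE, columns=TEXT_COLUMNS):
    """The 'rollback' from item 2: REPLACE the exact injected string with ''
    in every text column and return the number of row updates. Using the exact
    string the attacker appended keeps legitimate content untouched."""
    total = 0
    for col in columns:
        cur = conn.execute(
            f"UPDATE {table} SET {col} = REPLACE({col}, ?, '') "
            f"WHERE instr({col}, ?) > 0",
            (injected, injected),
        )
        total += cur.rowcount
    conn.commit()
    return total


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(db, payload))        # every row
    print("parameterized:", search_parameterized(db, payload))  # nothing
    simulate_injection(db)
    print("infected:", find_injected(db))
    print("cleaned rows:", strip_injected(db, INJECTED_TAG))
    print("infected after cleanup:", find_injected(db))
```

The split between `?` placeholders and f-strings is deliberate: values (the search term, the marker, the injected tag) are always bound, while table and column identifiers cannot be bound and so must come from a list fixed in code. On SQL Server the same scan runs as CHARINDEX over the varchar/nvarchar/text columns listed in INFORMATION_SCHEMA.COLUMNS, and the REPLACE-based cleanup is the same shape as a rollback script.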

Hope this helps.