Select Page

I’ve been getting a lot of requests for information about how to patch this attack.  I’ve got to back up a minute and tell you that the attack is a pure sql injection attack.  Previously, I reported that it was a windows vulnerability, however, upon further investigation, the server logs I looked at where only “attempts” to find a vulnerability.

So I did some more research, and had a talk with Jess Coburn with Windows Hosting company  Although the attack seems like a Window vulnerability, because of the attempts to gain entry through typical Windows Vulnerabilities, it’s not.  The media file attempts where only PART of the attempts made.  Apparently this attack is either preempted or followed up by various attempts to gain entry.  On our site, it was not a sql injection in the url, but a search form where we had created that uses what’s called an “Enter Event.”  Quickly, most search forms eschew keyboard events in favor of click events that call javascript postbacks.  Meaning that if you have an search control on your website, a person has to click the search button instead of just hitting Enter.

Here lies the problem.  User’s hate hitting search buttons, but love hitting their enter key.  Enter events are easy to create programmatically, thus so many forums and blogs get spammed and hacked all of the time.  However, javascript postback’s, not so much.   So far, from the little I do know, it’s very difficult to program into a hack scan a postback because it does not do a post or get the way most sites do.

But back to the problem and some solutions.

  1. Disallow all sql parameters in your form text fields.  There are plenty of tutorials on how to do this.
  2. Read Jess’s blog, he has a TON of links to great source and a neat rollback sql function to fix these type of sql injections
  3. Remove “Enter Events” from your asp and forms.  Your users are going to have to click on the button for now.
  4. Did I mention go to Jess’s blog?
  5. Check for your most recent database backup.  If the offending script does not appear, you’ll have clean code and timestamp as to when the last time your code was clean.
  6. If you don’t do regular backups, start to get into the habit right NOW.  If you have to do a backup every 2 hours, then do it.  Keep copies online and off.  A reputable hosting company will allow you to make as many backups as you need.
  7. Check your hosting company’s backup policy. backups data at least twice in a 24 hour period.
  8. If you’re on a dedicated box, assign some space and memory to run sql backup jobs automatically.  I’m doing some research on best practices.
  9. During the hack attempt, or event, have a BIG GLASS OF SCOTCH, RUM, OR LIQUOR OF YOUR OWN CHOOSING.  These things are not easy to get through, but you need to relax or you’ll never get through it.
  10. Be better prepared.  Just like a hurricane or earthquake, have a disaster plan.

Hope this helps.