From: Mike Myers on 21 Jul 2010 12:24 Hello Periodically, some of the records in one table have one field updated to the following value: <!--<1586567094>--> It is the most bizarre thing I have ever seen. We have checked all our servers and stored procedures for any occurrence of this value in scripts or ASP pages but none exist. We're fearing SQL injection or similar but in our application this field is only updated from one place and it's tight against hacking. If it was a hack we would think the value might be something else, so we're presuming some sort of corruption or similar. We're at a loss. Does anyone have any suggestions? Thanks and regards Mike
From: Dan Guzman on 21 Jul 2010 13:02 > If it was a hack we would think the value might be something else, so > we're presuming some sort of corruption or similar. We're at a loss. This could very well be a hack. For example, the value 1586567094 might be someone's SSN that the hacker was able to harvest and display on a web page. I suggest run run a server side trace (not Profiler) continuously with a filter to log the problem update when it occurs. I don't know what steps you've taken to prevent SQL injection, but here is my short list is: - perform data access exclusively from stored procedures - execute procedures from app code using command type stored procedure along with parameter objects (never build and execute SQL Statement strings with concatenation, especially form fields and URL data) - grant no permissions on tables and leverage ownership chaining security - use a minimally privileged account with only stored procedure execute permissions - no dynamic SQL in stored procedures Separately, you can mitigate other security vulnerabilities (e.g. criss-site scripting) with stringent input and output validation. -- Hope this helps. Dan Guzman SQL Server MVP http://weblogs.sqlteam.com/dang/ "Mike Myers" <bookham_measures(a)yahoo.com> wrote in message news:#QyMGFPKLHA.1996(a)TK2MSFTNGP06.phx.gbl... > Hello > > Periodically, some of the records in one table have one field updated to > the following value: > > <!--<1586567094>--> > > It is the most bizarre thing I have ever seen. We have checked all our > servers and stored procedures for any occurrence of this value in scripts > or ASP pages but none exist. We're fearing SQL injection or similar but > in our application this field is only updated from one place and it's > tight against hacking. > > If it was a hack we would think the value might be something else, so > we're presuming some sort of corruption or similar. We're at a loss. > > Does anyone have any suggestions? > > Thanks and regards > > Mike >
From: Eric Isaacs on 21 Jul 2010 13:05 It's hard to tell from here, but it has the signatures of a SQL injection attack. -Eric Isaacs
From: Bob Barrows on 21 Jul 2010 13:07 Mike Myers wrote: > Hello > > Periodically, some of the records in one table have one field updated > to the following value: > > <!--<1586567094>--> I might be wrong, but this appears to be harmless - it does not appear to be encrypted script. > > It is the most bizarre thing I have ever seen. We have checked all > our servers and stored procedures for any occurrence of this value in > scripts or ASP pages but none exist. We're fearing SQL injection or With good reason ... > similar but in our application this field is only updated from one > place and it's tight against hacking. > The evidence suggests otherwise ... :-) Where does the application get the data it puts in this field? > If it was a hack we would think the value might be something else, so > we're presuming some sort of corruption or similar. We're at a loss. > > Does anyone have any suggestions? > Conjecture A: A hacker or hacking bot has figured out that your site is vulnerable to sql injection and has been able to figure out the name of a single field in a single table and is probably trying to figure out more of your schema (probably by causing informative error messages to be returned from your application). The data inserted into your table is probably a byproduct of those attempts, rather than the actual payload, since the string seems to be harmless. If there were more to it, or it is actually encrypted script, then the hacker is counting on your application sending that string to a client browser without html-encoding it. Conjecture B: No sql injection is involved: a user of your app is purposely entering that string into an input element and submitting it -- HTH, Bob Barrows
From: Mike Myers on 22 Jul 2010 05:31 "Bob Barrows" <reb01501(a)NOyahoo.SPAMcom> wrote in message news:i279gp$gra$1(a)news.eternal-september.org... > Mike Myers wrote: >> Hello >> >> Periodically, some of the records in one table have one field updated >> to the following value: >> >> <!--<1586567094>--> > > I might be wrong, but this appears to be harmless - it does not appear > to be encrypted script. > >> >> It is the most bizarre thing I have ever seen. We have checked all >> our servers and stored procedures for any occurrence of this value in >> scripts or ASP pages but none exist. We're fearing SQL injection or > > With good reason ... > >> similar but in our application this field is only updated from one >> place and it's tight against hacking. >> > The evidence suggests otherwise ... :-) > Where does the application get the data it puts in this field? > > >> If it was a hack we would think the value might be something else, so >> we're presuming some sort of corruption or similar. We're at a loss. >> >> Does anyone have any suggestions? >> > > Conjecture A: > A hacker or hacking bot has figured out that your site is vulnerable to > sql injection and has been able to figure out the name of a single field > in a single table and is probably trying to figure out more of your > schema (probably by causing informative error messages to be returned > from your application). The data inserted into your table is probably a > byproduct of those attempts, rather than the actual payload, since the > string seems to be harmless. If there were more to it, or it is actually > encrypted script, then the hacker is counting on your application > sending that string to a client browser without html-encoding it. > > Conjecture B: > No sql injection is involved: a user of your app is purposely entering > that string into an input element and submitting it > > -- > HTH, > Bob Barrows > > Thank you for your help everyone. I shall run a trace and see what that yields. I understand the concerns of SQL injection but it is a simple HTML form that records based on their primary key and the owner User ID as well. Everything is escaped properly and all numbers/IDs converted/checked to be numbers before they hit the database. I was going to create a trigger to audit the setting of these values but as the field is text (it's an old app, else we'd be using varChar(max)), they can't be used. Regards Mike
|
Next
|
Last
Pages: 1 2 3 Prev: Setting Excel Column Width in ASP Next: Integrate Paypal with my application |