Comments on: Mass Attack FAQ http://hackademix.net/2008/04/26/mass-attack-faq/ Giorgio Maone's answers to the Web, the Universe, and Everything Sun, 06 Jul 2008 19:49:30 +0000 http://wordpress.org/?v=2.2.3 By: Jean-Luc http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8497 Jean-Luc Fri, 04 Jul 2008 16:10:37 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8497 I like the idea of denying select on sysobjects and other. Anybody who tried it ? Any reason for this not working on a shared SQL Server 2000 ? I like the idea of denying select on sysobjects and other. Anybody who tried it ? Any reason for this not working on a shared SQL Server 2000 ?

]]> By: jonathan http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8475 jonathan Thu, 03 Jul 2008 04:02:16 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8475 This is the script that worked of me It handles multiple instances of the This is the script that worked of me It handles multiple instances of the

]]> By: Alecos http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8467 Alecos Wed, 02 Jul 2008 08:42:18 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8467 Final Solution ckeched (no code redesign is needed) Crisis management steps: 1) Stop the web site (IIS) that is affected from the attack 2)Run the procedure mentioned above from Georgio (included below): ------------------------------------------------------------- DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN EXEC( 'update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+ ''''' ); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor; ---------------------------------------------------------------- I'm not sure if it cleans ntext or text fields so take a look at the end of these fields to check if the script is there 4) Make sure you have applied deny to these tables (as mentioned by Marie): deny select on sysobjects to sql_login_of_your_app deny select on syscomments to ql_login_of_your_app deny select on syscolumns to ql_login_of_your_app deny select on systypes to ql_login_of_your_app 5) As these have been applied the script cannot affect anymore your application database 6) Get URLScan 2.5 or Port 80 ServerDefender (http://www.port80software.com/products/serverdefender/) that blocks URL injections specified by the length of the query string you allow in the preferences (the attack script has a length of 1180 characters I think) and additionally it blocks the IP of the attacker for a period of time you specify. Good tool but very expensive. The same functionality but the blocking of IP does the Microsoft URLScan 2.5 that restricts the length of the Query string but cannot block automatically the IP of the attacker. I put 450 characters as the maximum length. You have to decide on this depending on the query strings that run on your server. That's it I think that the literature on bad coding practices is not well documented. Final Solution ckeched (no code redesign is needed)
Crisis management steps:
1) Stop the web site (IIS) that is affected from the attack
2)Run the procedure mentioned above from Georgio (included below):
————————————————————-
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = ‘u’ AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
‘update [’ + @T + ‘] set [’ + @C + ‘] =
rtrim(convert(varchar,[’ + @C + ‘]))+
””’
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
—————————————————————-
I’m not sure if it cleans ntext or text fields so take a look at the end of these fields to check if the script is there
4) Make sure you have applied deny to these tables (as mentioned by Marie):

deny select on sysobjects to sql_login_of_your_app
deny select on syscomments to ql_login_of_your_app
deny select on syscolumns to ql_login_of_your_app
deny select on systypes to ql_login_of_your_app
5) As these have been applied the script cannot affect anymore your application database
6) Get URLScan 2.5 or Port 80 ServerDefender (http://www.port80software.com/products/serverdefender/) that blocks URL injections specified by the length of the query string you allow in the preferences (the attack script has a length of 1180 characters I think) and additionally it blocks the IP of the attacker for a period of time you specify. Good tool but very expensive. The same functionality but the blocking of IP does the Microsoft URLScan 2.5 that restricts the length of the Query string but cannot block automatically the IP of the attacker.
I put 450 characters as the maximum length. You have to decide on this depending on the query strings that run on your server.
That’s it
I think that the literature on bad coding practices is not well documented.

]]> By: twd76 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8429 twd76 Mon, 30 Jun 2008 16:06:31 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8429 With this latest round of injections that have occurred, are you seeing the code being run as a stored proc or is it being injected via form fields? With this latest round of injections that have occurred, are you seeing the code being run as a stored proc or is it being injected via form fields?

]]> By: tenmoku http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8385 tenmoku Thu, 26 Jun 2008 08:10:16 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8385 yup.. www.tenmokupottery.com.my also get hacked with those Sql injection, thank you for all your comment, i learn alot from this blog yup.. www.tenmokupottery.com.my also get hacked with those Sql injection, thank you for all your comment, i learn alot from this blog

]]> By: Zero in a bit » Scrawlr: Are We Being Too Greedy? http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8379 Zero in a bit » Scrawlr: Are We Being Too Greedy? Wed, 25 Jun 2008 16:19:50 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8379 [...] vulnerabilities in a website. It was a joint effort with Microsoft and a direct response to the mass SQL Injection attacks of [...] […] vulnerabilities in a website. It was a joint effort with Microsoft and a direct response to the mass SQL Injection attacks of […]

]]> By: hackademix.net » Got SQL Injections? Free HP Tool Tells You. http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8367 hackademix.net » Got SQL Injections? Free HP Tool Tells You. Tue, 24 Jun 2008 22:42:37 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8367 [...] mass SQL injection attacks we talked about in in several posts, being mainly targeted to ASP sites running on Microsoft IIS [...] […] mass SQL injection attacks we talked about in in several posts, being mainly targeted to ASP sites running on Microsoft IIS […]

]]> By: Shiggity http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8321 Shiggity Fri, 20 Jun 2008 22:54:42 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8321 That's not clever. It's a mundane use of the cursor object affecting anyone careless enough to allow raw SQL injection across their querystrings. That’s not clever. It’s a mundane use of the cursor object affecting anyone careless enough to allow raw SQL injection across their querystrings.

]]> By: Mass SQL Injection attack is still out there » Musings on Database Security http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8318 Mass SQL Injection attack is still out there » Musings on Database Security Fri, 20 Jun 2008 13:22:48 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8318 [...] an interesting day today for us in Sentrigo. One of our customers was being attacked by this mass SQL injection and since our software identified the attack he came to us to help him cope with the situation. As [...] […] an interesting day today for us in Sentrigo. One of our customers was being attacked by this mass SQL injection and since our software identified the attack he came to us to help him cope with the situation. As […]

]]> By: Marie http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8288 Marie Wed, 18 Jun 2008 23:42:13 +0000 http://hackademix.net/2008/04/26/mass-attack-faq/#comment-8288 1- You can prevent the script from executing or any further issues: deny select on sysobjects to sql_login_of_your_app deny select on syscomments to ql_login_of_your_app deny select on syscolumns to ql_login_of_your_app deny select on systypes to ql_login_of_your_app The script won't even get access to the sys tables anymore (you can add more but these are the minimum). 2- You canuse what the Hacker used (query below) and know what is/was infected. select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 1- You can prevent the script from executing or any further issues:

deny select on sysobjects to sql_login_of_your_app
deny select on syscomments to ql_login_of_your_app
deny select on syscolumns to ql_login_of_your_app
deny select on systypes to ql_login_of_your_app

The script won’t even get access to the sys tables anymore (you can add more but these are the minimum).

2- You canuse what the Hacker used (query below) and know what is/was infected.

select a.name’b.name from sysobjects a’syscolumns b where a.id=b.id and a.xtype=’u’
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

]]>