Comment: For anyone affected, one easy fix (Score 1)

Ran into this recently on an old website on one of our servers, and there's an easy fix if your site doesn't have code requiring the use of system tables itself.

Simply deny access to syscolumns & sysobjects for whatever SQL account the website is using, as the attack uses those to do the table updates. This script can do it quickly:

-- Walk the system tables (xtype 'S') and deny the website's SQL account
-- every data permission on each one. Replace [DatabaseUserName] with that account.
DECLARE @name varchar(200), @sql varchar(500), @type char(2)
DECLARE sSysFiles CURSOR FOR
        SELECT name, xtype FROM sysobjects WHERE xtype IN ('S') FOR READ ONLY
OPEN sSysFiles
FETCH NEXT FROM sSysFiles INTO @name, @type
WHILE @@FETCH_STATUS = 0
BEGIN
        IF @type = 'S'
        BEGIN
                SELECT @sql = 'DENY SELECT, INSERT, UPDATE, DELETE ON [' + @name + '] TO [DatabaseUserName]'
                EXEC (@sql)
        END
        FETCH NEXT FROM sSysFiles INTO @name, @type
END
CLOSE sSysFiles
DEALLOCATE sSysFiles

You should still, of course, do a code review for possible future modified attacks, but it's a quick & dirty fix to buy time.

Also, here's a script that's reversed from the attack code which basically reverses the attack - either shows all infections, or deletes their code back out (depending on what you un-comment). Warning: it does trim TEXT fields down to 8000 characters (although if you were infected, their code already trimmed them down to 4000), so use with caution.

USE [MyDatabaseName]
GO
DECLARE @CodeToReplace varchar(500)
SELECT @CodeToReplace = '' --If fixing code, put the offending script here

-- Visit every text-like column of every user table
-- (xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar)
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
        SELECT a.name,b.name
        FROM sysobjects a,syscolumns b
        WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
        --Uncomment next line to just show possible infections:
        --EXEC('IF EXISTS (SELECT TOP 1 * FROM ['+@T+'] (NOLOCK) WHERE ['+@C+'] LIKE ''%.js>'') SELECT '''+@T+''' [Table Name],'''+@C+''' [Column Name],['+@C+'] FROM ['+@T+'] (NOLOCK) WHERE ['+@C+'] LIKE ''%script %''')

        --Uncomment next line to fix them (only rows whose value still fits in 8000 characters after CONVERT are updated):
        --EXEC('IF EXISTS (SELECT TOP 1 * FROM ['+@T+'] WHERE ['+@C+'] LIKE ''%script src%'') UPDATE ['+@T+'] SET ['+@C+']=REPLACE(RTRIM(CONVERT(VARCHAR(8000),['+@C+'])),''' + @CodeToReplace + ''','''') WHERE ['+@C+'] LIKE ''%script src%'' AND LEN(CONVERT(VARCHAR(8000),['+@C+'])) < 8000')

        FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
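As an added check that is not part of the original comment: after running the DENY script above, confirm it actually took effect by listing the DENY rows recorded for the account and then impersonating it to attempt the sysobjects/syscolumns enumeration the injected payload relies on. It assumes the account is named DatabaseUserName, the placeholder used in the script; SETUSER and sysprotects date from SQL Server 2000 and survive later as deprecated compatibility features.

```sql
-- Added verification, not part of the original comment.
-- Assumes the website's account is [DatabaseUserName], the placeholder used in the DENY script.
USE [MyDatabaseName]
GO
-- 1. Show what the DENY script recorded for that account.
--    sysprotects.protecttype 206 = DENY; action 193/195/196/197 = SELECT/INSERT/DELETE/UPDATE.
SELECT o.name AS [Object],
       CASE p.action WHEN 193 THEN 'SELECT' WHEN 195 THEN 'INSERT'
                     WHEN 196 THEN 'DELETE' WHEN 197 THEN 'UPDATE' END AS [Permission]
FROM sysprotects p
JOIN sysobjects  o ON o.id  = p.id
JOIN sysusers    u ON u.uid = p.uid
WHERE u.name = 'DatabaseUserName' AND p.protecttype = 206
ORDER BY o.name, p.action
GO
-- 2. Impersonate the account (you must be db_owner or sysadmin) and attempt the
--    system-table join the injected payload depends on.
--    Expected: Msg 229 (SELECT permission denied on sysobjects), so @@ERROR = 229.
SETUSER 'DatabaseUserName'
SELECT TOP 1 a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'U'
IF @@ERROR = 229
    PRINT 'OK: DatabaseUserName can no longer read the system tables'
ELSE
    PRINT 'WARNING: DatabaseUserName can still enumerate system tables; re-check the DENY'
SETUSER   -- revert to your own identity
GO
```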
