
I recently found out that unknown HTML code was inserted into my SQL Server database without my knowledge. It looks something like this in every cell:

```
[my original database data]</title><style>.a2vf{position:absolute;clip:rect(475px,auto,auto,475px);}</style><div class=a2vf>These rules are bound <a href=http://paydayloansforsure.com >fast payday loans</a> unscrupulous len...
```

I initially thought my database password was compromised, so I changed my password to a more difficult one, but after a couple of days it appeared again. Does anyone know how it got into the database like that and how to prevent it?

UPDATE: After some investigation, I suspect this might have been caused by software which I downloaded to schedule SQL database backups. I've reformatted my local machine and started all over again, and it did not happen anymore.

Eva
  • [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection)? – Nick Aug 01 '14 at 01:37
  • It would be helpful to know how data gets into your database. – DeanOC Aug 01 '14 at 01:38
  • Hi @Nicholas V., thanks for pointing that out. I'll try to change user permission and observe whether it helps – Eva Aug 01 '14 at 02:09
  • Hi @DeanOC, that's what I'd like to know myself. Sigh. – Eva Aug 01 '14 at 02:10
  • Surely you know what applications interact with the database, and how they insert the data (direct SQL/Stored Procs/SSIS packages etc)? – DeanOC Aug 01 '14 at 02:17
  • @DeanOC - Ah, you're referring to that. The db was set to store content to serve a few websites using SqlConnection in their ASP.NET C#'s code behind and webconfigs; and for a webservice application for one of the websites. The same connectionstring is used for websites to insert data when users provide their contact details for registering their interest in our product. Sorry I couldn't be more technically specific as I'm not quite familiar with managing databases. – Eva Aug 01 '14 at 02:57
  • Try putting some trace on the table. Also worth informing your security team and cycling through your access codes for safe measure. – Gouri Shankar Aechoor Aug 01 '14 at 02:58
  • Hi @GouriShankarAechoor Unfortunately I'm in a 1-man team, so there are no other people who can help me on this in my organization. I'll notify my web & db host and see what they can do. In the meantime, if you don't mind, can you elaborate more on 'cycling through access codes'? – Eva Aug 01 '14 at 03:19
  • Just reset your application/user passwords for now, as the rest will be taken care of by the hosting. Also, if you have access to profiler, please add a trace and see if you find something strange. All these are worst case scenarios. What could possibly be happening is that the app is sending HTML as an input parameter. You will get clues from the trace. Is this behavior being experienced in all tables? Are you sure it's a fault? Checking with the FE team would be the first thing I would do – Gouri Shankar Aechoor Aug 01 '14 at 03:53
  • Change all queries to use [SQL Parameters](http://stackoverflow.com/a/542542/2654498). – Nick Aug 01 '14 at 12:14

1 Answer


After some investigation, I suspect this might have been caused by software which I downloaded to my local machine to schedule SQL database backups. I've reformatted my local machine and it did not happen anymore.

Eva
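For finding which cells carry the injected markup and what the original value was, here is a detector built on the shape of the snippet quoted in the question (a stray `</title>`, a `<style>` rule that clips a class out of view, then a `<div>` of that class holding links). It is an added example, not part of the original thread; the row tuples, table names and `spam.example` are constructed, and the code works on values already read from the database rather than connecting to SQL Server.

```python
import re

# Modelled on the payload quoted in the question: original value, stray </title>,
# a <style> rule hiding one class, then a <div> of that same class with the links.
INJECTED = re.compile(
    r"</title>\s*<style>\s*\.(?P<cls>[\w-]+)\s*\{(?P<css>[^}]*)\}\s*</style>"
    r"\s*<div\s+class=[\"']?(?P=cls)[\"']?\s*>(?P<body>.*)",
    re.IGNORECASE | re.DOTALL,
)
# CSS commonly used to keep the injected block invisible to visitors.
HIDING_CSS = re.compile(r"position\s*:\s*absolute|clip\s*:\s*rect|display\s*:\s*none", re.I)
HREF = re.compile(r"<a\s+[^>]*href=[\"']?([^\s\"'>]+)", re.I)

def inspect_cell(value):
    """Return None for a clean cell, else the original data and the injected links."""
    m = INJECTED.search(value)
    if not m or not HIDING_CSS.search(m.group("css")):
        return None
    return {
        "original": value[:m.start()],      # everything before the injected tail
        "hidden_class": m.group("cls"),
        "links": HREF.findall(m.group("body")),
    }

def scan_rows(rows):
    """rows: iterable of (table, key, column, value); yields findings for affected cells."""
    for table, key, column, value in rows:
        if isinstance(value, str):          # skip NULLs and non-text columns
            finding = inspect_cell(value)
            if finding:
                yield (table, key, column, finding)

# Constructed sample rows; the second value reuses the shape of the quoted payload.
SAMPLE_ROWS = [
    ("Products", 1, "Title", "Blue widget"),
    ("Products", 2, "Title",
     "Red widget</title><style>.a2vf{position:absolute;clip:rect(475px,auto,auto,475px);}</style>"
     "<div class=a2vf>These rules are bound <a href=http://spam.example >fast payday loans</a> more"),
    ("Pages", 7, "Body", "<style>.note{color:red}</style><div class=note>legit markup</div>"),
    ("Contacts", 3, "Phone", None),
]

if __name__ == "__main__":
    for table, key, column, f in scan_rows(SAMPLE_ROWS):
        print(f"{table}[{key}].{column}: restore {f['original']!r}, links {f['links']}")
```

Recording when each affected row was last written, alongside these findings, helps correlate the inserts with the trace output suggested in the comments.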