-3

We seem to be a victim of a SQL injection either via our website or web service. All the aspnet_xxxx tables get html appended to certain columns such as UserName, Email, Passwords, etc... along with other tables we have.

I don't know much about how to track this down as to where it's coming from and how to stop it.

We're using IIS 7 and SQL Server 2008.

I'm not sure what other info you'll need to help me figure this out.

EDIT: This is the HTML being appended to every text column that has room:

</title><style>.apjv{position:absolute;clip:rect(390px,auto,auto,452px);}</style><div class=apjv>Potential borrowers must adhere <a href=http://paydayloansforlivei.com >same day payday loans</a> solve this to applyin
John Saunders
jbassking
  • If the `aspnet_xxxx` tables have HTML in them, then you have to look at the code that references those tables. – John Saunders Dec 31 '14 at 03:44
  • 1
    Just a reminder that, until you clean this up, your first course of action is actually to temporarily _close your site_. This is because you're probably serving up more than just unwanted ads, but likely malware as well, and as you are _aware_ that you're serving malware, you may have some legal **liability** from any infected users with regards to knowingly serving malware to them. – Joel Coehoorn Dec 31 '14 at 03:47

4 Answers

2

Somewhere in your application you have code that looks something like this:

string sql = "SELECT <columns> FROM <table> WHERE someColumn = '" + someVariable + "'";

That is the source of your injection. You will have to scour through the application source code for your site until you find this. There is no shortcut.

Once you find it, you need to correct it to look like this instead:

string sql = "SELECT <columns> FROM <table> WHERE someColumn = @Parameter";

And then, possibly in a different place, you'll need to handle the parameter like this:

using System.Data;
using System.Data.SqlClient;

SqlCommand cmd = new SqlCommand(sql, connection); // connection: an open SqlConnection
cmd.Parameters.Add("@Parameter", SqlDbType.NVarChar, 50).Value = someVariable;
Joel Coehoorn
  • Yeah, I'm going through the code and changing all queries to use parameters. The good part is they're all in one class, so I don't need to search an entire solution for select statements. – jbassking Dec 31 '14 at 04:30
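To make the difference between the two query shapes in this answer concrete, here is an added example (not code from the question or the answers). The site in question uses SQL Server through SqlCommand; this stand-in uses Python's built-in sqlite3 so it runs offline, but the `?` placeholder plays exactly the role of `@Parameter` above, and the sample rows are constructed.

```python
"""Why string concatenation lets input change a query's structure, and why
parameter binding does not. Added example; the table and rows are constructed."""
import sqlite3

# Constructed sample data standing in for an aspnet_Users-style table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Same shape as the concatenated query in the answer: the input becomes
    # part of the SQL text, so any quote in it rewrites the statement.
    sql = "SELECT Email FROM Users WHERE UserName = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn: sqlite3.Connection, username: str) -> list:
    # The SQL text is fixed; the driver passes the value separately, so the
    # input can only ever be compared as data, never parsed as SQL.
    sql = "SELECT Email FROM Users WHERE UserName = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo(username: str) -> dict:
    """Run both lookups for one input and report what each one did."""
    conn = make_db()
    result = {"safe": find_email_safe(conn, username)}
    try:
        result["vulnerable"] = find_email_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        # The input was parsed as SQL: proof that the query structure changed.
        result["vulnerable"] = f"error: {exc}"
    return result


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(name, demo(name))
```

For the plain name both functions agree. For the name containing an apostrophe the concatenated version fails with a syntax error, because the quote from the input terminated the string literal early and the rest of the name was parsed as SQL; anything that can break a query that way can also redirect it, which is what happened to the tables in the question. The parameterized version returns the correct row.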
0

Is all the HTML the same or similar? If so, there could be something wrong with how you are getting the data from the web form. The second thing I would look at would be input sanitization, to make sure certain characters etc. are not inserted. I also recommend using prepared statements, as they can protect against SQL injection. Reference for prepared statements in protecting against SQL injection here

JD Schmidt
  • All the html is the same. It starts with and is usually for an advertisement. This is appended to almost all our nvarchar columns. – jbassking Dec 31 '14 at 01:20
0

One thing I would suggest is trying to correlate your web server logs with the creation of the tables. Can you see the date/time the fields/values that look like the result of SQL injection were created? If so, find that time in your web server logs and see what HTTP request was made. That would tell you where to start looking. If the request was a GET then the query params should tell you a lot about what was done, but even if it's a POST and you don't know the input, you at least know which file/path to start from in reviewing the code.

It will likely require an experienced developer (ideally who is familiar with the code) to review that to find where the injection is occurring.

Brad Peabody
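The correlation this answer describes can be scripted. The following is an added example (not code from the answer or the site in question): it parses an IIS W3C extended log using the `#Fields:` header IIS writes at the top of each log file, keeps the requests within a few minutes of the time a tampered row was modified, and flags those whose query string contains SQL metacharacters or keywords. The log lines, the field subset and the row timestamp are all constructed.

```python
"""Correlate a tampered row's modification time with IIS log entries.
Added example; the log excerpt and timestamp below are constructed."""
from datetime import datetime, timedelta
from urllib.parse import unquote_plus
import re

# Constructed IIS 7 log excerpt (IIS logs times in UTC by default). The
# suspicious query string is truncated with "..." on purpose.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-12-30 23:58:01 GET /default.aspx - 203.0.113.5 200
2014-12-31 00:01:12 GET /Profile.aspx name=bob 203.0.113.5 200
2014-12-31 00:01:40 GET /Profile.aspx name=bob';UPDATE+aspnet_Users+SET+... 198.51.100.7 500
2014-12-31 00:02:05 POST /Login.aspx - 198.51.100.7 302
2014-12-31 00:30:00 GET /default.aspx - 203.0.113.5 200
"""

# Constructed: the time the tampered row was last modified, taken e.g. from
# a LastActivityDate column or the transaction log.
ROW_MODIFIED_AT = datetime(2014, 12, 31, 0, 2, 0)

# Quotes, comment markers, statement separators and common SQL keywords.
# This is deliberately broad and will produce false positives on normal
# search terms; it is a triage filter, not a verdict.
SUSPICIOUS = re.compile(
    r"'|--|;|/\*|\b(union|select|insert|update|delete|exec|declare|cast)\b",
    re.IGNORECASE,
)


def parse_iis_log(text: str) -> list:
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or header-less line; skip rather than guess
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
        )
        records.append(rec)
    return records


def requests_near(records: list, when: datetime, window_minutes: int = 5) -> list:
    """Requests whose timestamp lies within +/- window_minutes of `when`."""
    lo = when - timedelta(minutes=window_minutes)
    hi = when + timedelta(minutes=window_minutes)
    return [r for r in records if lo <= r["timestamp"] <= hi]


def flag_suspicious(records: list) -> list:
    """Keep requests whose decoded query string matches the triage pattern."""
    flagged = []
    for r in records:
        query = unquote_plus(r.get("cs-uri-query", "-"))
        if query != "-" and SUSPICIOUS.search(query):
            flagged.append(r)
    return flagged


def correlate(log_text: str, row_modified_at: datetime, window_minutes: int = 5):
    """Return (requests in the window, the subset that look like injection)."""
    nearby = requests_near(parse_iis_log(log_text), row_modified_at, window_minutes)
    return nearby, flag_suspicious(nearby)


def run_demo():
    return correlate(SAMPLE_LOG, ROW_MODIFIED_AT)


if __name__ == "__main__":
    nearby, flagged = run_demo()
    print(f"{len(nearby)} requests in window, {len(flagged)} flagged")
    for r in flagged:
        print(r["timestamp"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
```

The time window does most of the work; the keyword filter only ranks what is left. As the answer notes, a POST body is not in the IIS log, so for POST requests the script can only tell you which page handler to read first. Also check that the database timestamp and the log timestamps are in the same time zone before comparing them.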
0
  • In case you want to inquire and see where they came from: if your database recovery mode is not simple but FULL, then you can query it from the transaction log file (db_name.ldf). Here is a useful link: how to read log from ldf file
  • In case of injection, you need to review your application source code and take a look at the way the application is modifying data. Here is a useful link for it: SQL Injection
void