
I have an ASP.NET website, which is hosted on a shared server by GoDaddy.

Every week, someone changes values in my database and adds advertisement text to my item descriptions. I once changed the password to the database, and it helped for about a month. My connection string is stored in the web.config file.

Is there any way to improve the security of my database? If I keep the connection string hard-coded in the code, will it help? Is there any other, better way?

Itay.B

  • You need to find out how it is being hacked. Might be SQL injection. If they can actually access the web.config then maybe they have your FTP credentials (or credentials for whatever GoDaddy uses to allow you to upload files), or maybe they are exploiting an unpatched vulnerability on the server. – Martin Smith Jul 19 '15 at 12:22
  • Tell us what advertising text the hackers are putting in your DB. This could lead to others who have experienced the same and have more info on the hack. I've personally had links embedded in aspx files on my hosted server, NHL jersey URLs that were only visible to web crawlers. Telling my host seemed to fix the issue pretty damn fast... – Jeremy Thompson Jul 19 '15 at 12:47

2 Answers


First of all, you need to ask the hosting guys how this happened. Sometimes your FTP details get hacked and then the web.config file is accessed. First, try changing your Control Panel & FTP passwords (and use very strong passwords).

Or, the other thing you can do is encrypt the connection string. Check this link and you can get an idea of how to encrypt & decrypt it.

Most probably it may be SQL injection.

TechGuy
  • I use stored procedures. I thought this is the way to prevent SQL injection. Was I wrong? – Itay.B Jul 19 '15 at 13:14
  • @Itay.B - If you are *exclusively* using stored procedures - and those stored procedures don't use any dynamic SQL - then there is no way it can be SQL injection. – Martin Smith Jul 19 '15 at 16:35
  • @MartinSmith, then I guess TechGuy is right and someone took my FTP password and used it to get the DB password. – Itay.B Jul 20 '15 at 11:18
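A defender-side check for the advice in this answer, added here as an example and not part of TechGuy's post or the linked article: a small Python script that inspects a web.config and reports whether the connectionStrings section has actually been protected (ASP.NET marks a protected section with a configProtectionProvider attribute and replaces its children with an EncryptedData element) and which entries still carry a plaintext password. Both config samples are constructed for the example; the cipher text is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with the connection string still in plaintext.
PLAINTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="SiteDb"
         connectionString="Server=db.example.invalid;Database=site;User Id=siteuser;Password=hunter2;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

# Constructed sample: the same section after protection with the DPAPI provider
# (aspnet_regiis -pe or SectionInformation.ProtectSection). ASP.NET adds a
# configProtectionProvider attribute and swaps the children for EncryptedData;
# the cipher value below is a placeholder, not real output.
ENCRYPTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""

# Connection-string keys that carry a secret when the section is not protected.
SECRET_KEY = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)


def local_name(tag):
    """Strip an XML namespace: '{http://...}EncryptedData' -> 'EncryptedData'.
    The RSA provider writes EncryptedData in the xmlenc namespace; DPAPI does not."""
    return tag.rsplit("}", 1)[-1]


def audit_connection_strings(xml_text):
    """Return a report on the <connectionStrings> section of a web.config."""
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    report = {"present": section is not None, "protected": False,
              "provider": None, "plaintext_secrets": []}
    if section is None:
        return report

    report["provider"] = section.get("configProtectionProvider")
    has_cipher = any(local_name(child.tag) == "EncryptedData" for child in section)
    # Both markers must be present: a provider attribute sitting on top of
    # plaintext <add> children is not a protected section.
    report["protected"] = report["provider"] is not None and has_cipher

    for entry in section.findall("add"):
        if SECRET_KEY.search(entry.get("connectionString", "")):
            report["plaintext_secrets"].append(entry.get("name", "<unnamed>"))
    return report


if __name__ == "__main__":
    for label, text in (("plaintext", PLAINTEXT_CONFIG), ("encrypted", ENCRYPTED_CONFIG)):
        print(label, audit_connection_strings(text))
```

Two caveats worth keeping in mind with the DPAPI provider: the cipher text is bound to the machine that produced it, so the section has to be encrypted on the host that will read it (on shared hosting without shell access that usually means calling ProtectSection from application start-up code, which needs write permission on web.config), and it only defeats someone who reads the file, for example over FTP; code running under the application pool identity still decrypts it transparently.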

If you know when the attack took place you should dig into DB server logs. For example SQL Server provides audit logging and transaction logging. Look there for any clues.

Anyway, as you said that changing the password stopped the attacks for a while, it seems to me that someone might have access to your configuration files. You might want to encrypt them. Here is one example: Encrypting Web.Config

For the possible SQL injection attack you could also grep your HTTP logs. This blog post illustrates how to do it.

Erki M.
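The log grep this answer suggests, worked through as an added Python example (not code from Erki M.'s post or the linked blog): it parses an IIS W3C log excerpt using the names in the #Fields header, URL-decodes the query string as IIS stores it, flags requests carrying common SQL injection indicators, and tallies hits per client address so that a repeat prober stands out from one-off noise. The four log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the asker's server). Two lines are
# ordinary traffic, two carry query strings with SQL injection indicators.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-07-19 10:01:02 10.0.0.5 GET /Items.aspx id=42 80 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2015-07-19 10:01:09 10.0.0.5 GET /Items.aspx id=42%27%3Bupdate+items+set+description%3D%27ad%27-- 80 - 198.51.100.7 Mozilla/5.0 500 0 0 31
2015-07-19 10:02:11 10.0.0.5 GET /Search.aspx q=jersey 80 - 203.0.113.11 Mozilla/5.0 200 0 0 12
2015-07-19 10:02:30 10.0.0.5 GET /Search.aspx q=1+union+select+null%2Cname+from+sysobjects-- 80 - 198.51.100.7 Mozilla/5.0 200 0 0 40
"""

# Indicator patterns, applied to the URL-decoded query string. Each is a coarse
# signal on its own; the per-client tally is what separates noise from a probe.
INDICATORS = [
    ("quote_then_sql", re.compile(r"'\s*(;|--|or\b|and\b|union\b)", re.IGNORECASE)),
    ("union_select", re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)),
    ("statement_after_semicolon", re.compile(r";\s*(update|insert|delete|drop|exec|declare)\b", re.IGNORECASE)),
    ("comment_terminator", re.compile(r"--\s*$|/\*")),
    ("mssql_metadata", re.compile(r"\b(sysobjects|syscolumns|information_schema|sp_executesql|waitfor\s+delay)\b", re.IGNORECASE)),
]


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip it rather than abort
        yield dict(zip(fields, values))


def scan_log(text):
    """Return the records whose decoded query string matches at least one indicator."""
    hits = []
    for rec in parse_w3c(text):
        raw = rec.get("cs-uri-query", "-")
        if raw == "-":
            continue  # IIS writes '-' for an empty field
        query = unquote_plus(raw)  # IIS stores the query string URL-encoded
        matched = [name for name, rx in INDICATORS if rx.search(query)]
        if matched:
            hits.append({
                "when": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "query": query,
                "status": rec["sc-status"],
                "indicators": matched,
            })
    return hits


def hits_by_client(hits):
    """Count flagged requests per client address, most frequent first."""
    return Counter(h["client"] for h in hits).most_common()


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for h in flagged:
        print(h["when"], h["client"], h["status"], h["uri"], h["indicators"], h["query"])
    print(hits_by_client(flagged))
```

A 500 status on a flagged request is worth a closer look, since it often means the injected text reached the database and broke the query; a 200 on the same address a minute later can mean the attacker adjusted the payload. Pair the timestamps with the SQL Server transaction or audit log the answer mentions to confirm which requests actually modified rows.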