
I have found that all the data in my 5-year-old site's tables was suddenly mixed up; some data that cannot be updated via any existing SP is being updated.

After a long search through the SPs I came to the conclusion that somebody is messing with my site. I assume that it's done via SQL injections.

I have a huge amount of traffic on my site 24/7, the site has more than 100 pages, and the logs currently only show which user entered which page. More logs will slow down the site even more, so now I need to act efficiently.

1. What is the best way to find where someone is injecting? 2. How do I log his IP and the time of the injection? I have never done this before and have read lots of mixed opinions on Google. Please advise your best practice.

Alexxx
  • Just log the queries going to the database. Then at the end of the day scroll through it to see if there are any strange queries. – Luud van Keulen Feb 24 '17 at 13:04
  • There are more than 20000 queries each day, and the injection is not happening every day. – Alexxx Feb 24 '17 at 13:05
  • Collect all queries in logs as Luud says, then add an update trigger to at least one table that has been tampered with, inserting a timestamp line into a logging table. That way you know where in the logs to search. – Cyrus Feb 24 '17 at 13:12

2 Answers


Instead of tracking down the "bad guys" you should focus on restoring your database and making your code resistant or invulnerable to injections. I'm not sure what's the best way for ASP.NET, but in Java it is well known that prepared statements make it impossible for somebody to perform a SQL injection on your data.

Check out this link for how to improve your code in asp.net: Classic ASP SQL Injection Protection

  • I don't agree. It is a good idea to make sure where it's coming from before you fix it to see how the attacker is behaving and how he is injecting it. – Luud van Keulen Feb 24 '17 at 13:15
  • @LuudvanKeulen And leave your system wide open to additional attacks in the meantime? Agreed, logging suspicious queries makes sense, but fixing the SQL injection bug should be top priority IMHO. – Frank Schmitt Feb 26 '17 at 16:33
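As an added example, not part of the question or either answer: the parameterized-query approach this answer recommends, written for Classic ASP with ADO, next to the string-concatenation pattern it replaces, plus a parameterized insert that records the remote IP and time the question asks for. The open connection `conn`, the `Users` and `RequestLog` tables and their columns are assumptions.

```vbscript
<%
Option Explicit
' Added example. Assumes: an open ADODB.Connection named conn, a table
' Users(Email, DisplayName) and an audit table
' RequestLog(LoggedAt, RemoteIp, Page, QueryString). All hypothetical names.
Dim email, cmd, rs, logCmd
email = Request.Form("emailaddress")

' Vulnerable pattern: the input becomes part of the SQL text, so a value like
'   x' OR 1=1 --
' rewrites the statement instead of being compared as data. Kept as a comment.
' Set rs = conn.Execute("SELECT DisplayName FROM Users WHERE Email = '" & email & "'")

' Parameterized version: the statement text is fixed and the value travels
' separately, so the database never parses it as SQL. No keyword blacklist needed.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                                   ' adCmdText
cmd.CommandText = "SELECT DisplayName FROM Users WHERE Email = ?"
cmd.Parameters.Append cmd.CreateParameter("email", 200, 1, 255, email) ' adVarChar, adParamInput
Set rs = cmd.Execute

' Request audit line (who sent what, and when), written through the same
' parameterized path so the log insert itself cannot be injected.
Set logCmd = Server.CreateObject("ADODB.Command")
Set logCmd.ActiveConnection = conn
logCmd.CommandType = 1
logCmd.CommandText = "INSERT INTO RequestLog (LoggedAt, RemoteIp, Page, QueryString) VALUES (?, ?, ?, ?)"
logCmd.Parameters.Append logCmd.CreateParameter("at", 7, 1, , Now())                  ' adDate
logCmd.Parameters.Append logCmd.CreateParameter("ip", 200, 1, 45, CStr(Request.ServerVariables("REMOTE_ADDR")))
logCmd.Parameters.Append logCmd.CreateParameter("page", 200, 1, 255, CStr(Request.ServerVariables("SCRIPT_NAME")))
logCmd.Parameters.Append logCmd.CreateParameter("qs", 200, 1, 2000, CStr(Request.QueryString))
logCmd.Execute
%>
```

A trigger on a tampered table, as suggested in the comments, can then be matched by timestamp against RequestLog to find the page and IP of the request that fired it.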

This is some code I use on my page as a "catch all" attempt for injection attempts via query strings (i.e., data sent through a URL):

trap = 0
ref = lcase(request.querystring)   ' raw query string, lower-cased so the checks below are case-insensitive

if ref <> "" then
    ' the keyword list must be lower-case as well, otherwise "OR 1=1" can never match the lower-cased input
    badChars = array("or 1=1", "select", "drop", "shutdown", "--", "insert", "delete", "waitfor", "union", "0x31", "convert", "truncate", "sysobjects")
    cn = 0
    for i = 0 to uBound(badChars)
        ' instr returns the 1-based position of the match, or 0 if absent; "> 0" also counts a keyword at the very start
        if instr(ref, badChars(i)) > 0 then cn = cn + 1
    next
    ' two or more keywords in a single request trips the trap
    if cn >= 2 then trap = 1
end if

if trap = 1 then
    ' .... ban user ip code here
end if

You could simply put "if trap = 1 then response.end" which would stop any further action on the page. I prefer to ban the IP for an hour.

This should also work with request.form for form input.

You may also want to sanitize your variables that take form input.

data = request.form("emailaddress")
data = replace(data, "'", "")       ' strip single quotes
data = replace(data, "union", "")   ' strip one keyword; replace compares case-sensitively by default, so "UNION" would pass

etc.

  • Using blacklists to protect against SQL injection is never enough - MS themselves have recommended against this at least since 2005: "The potential risk associated with using a list of unacceptable characters is that it is always possible to overlook an unacceptable character when defining the list; also, an unacceptable character can be represented in an alternate format to pass validation.", see https://msdn.microsoft.com/en-us/library/ff648339.aspx – Frank Schmitt Feb 26 '17 at 16:30
  • It can easily be included in the array. Also the function can work for both forms and query strings. It still allows someone to use the word (e.g. "Union Jack" or "Mind Merge") in form data, but a combination of two of the keywords would trigger the alert. –  Feb 26 '17 at 16:47
  • Sorry, but that falls way too short IMHO. This will prevent users from adding perfectly valid input data (e.g. `Use MERGE to combine INSERT and UPDATE` in an input field for an article title) without adding substantial security to your application. – Frank Schmitt Feb 26 '17 at 17:06
  • Well you critique and I'll provide workable solutions for the guy and let him decide if he wants to implement them or not. One is productive the other is not. :) –  Feb 26 '17 at 17:09
  • I didn't post an answer because the correct answer has already been given (use prepared statements). Anyway, YMMV. – Frank Schmitt Feb 26 '17 at 18:37