help.net


Musing on .Net
Hundreds of websites under attack and Microsoft are you doing something?

Following my last post on the subject of SQL injection, this story is far from being finished. First, thanks for all your comments; I really applied most of the advice, like checking against query-string vulnerabilities, XSS, etc.

I don't use dynamic SQL queries, only stored procedures. I don't say it's perfect, but all the basics are covered.

But the attacks are still going on. I know which server it's coming from, but I still don't know how they do it. However, I raise the alarm again today because of a few things I discovered:

- The number of sites attacked is growing by the minute: on Google, 11000 results were found yesterday searching for jpdog.3322; this morning, 27000!!
- All the attacked pages are .ASP or .ASPX, not a single HTML or PHP file.
- I changed the database username and password many times, and of course the same in my connection strings, and the attacks continue.
  It looks like the nasty code is able to read the web.config file, which is a very serious security flaw if that's the case.

So far the only way I found to block database access was to create a user with all database permissions denied except Select. I can see in my SQL logs the constant "Login failed for the user xxx..." (one try every two minutes).

I urgently request an answer from Microsoft on the matter now, because I don't think this is just a simple SQL injection attack, but something more dangerous.
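One way to turn the constant "Login failed" entries described above into an alert, as an added example that is not part of the original post: a Python script that parses failed-login lines and flags any client address that fails a threshold number of times inside a sliding window. The sample log lines are constructed (they follow the SQL Server ERRORLOG "Login failed for user" message layout as assumed here, with documentation-range IP addresses); the threshold and window are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not taken from the page).
# One source fails a login every two minutes with several user names; one
# internal host has a single failure that should not be flagged.
SAMPLE_LOG = """\
2008-12-19 07:58:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2008-12-19 07:58:01.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2008-12-19 08:00:02.31 Logon       Error: 18456, Severity: 14, State: 8.
2008-12-19 08:00:02.31 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2008-12-19 08:02:03.52 Logon       Error: 18456, Severity: 14, State: 8.
2008-12-19 08:02:03.52 Logon       Login failed for user 'admin'. [CLIENT: 203.0.113.5]
2008-12-19 08:04:04.73 Logon       Error: 18456, Severity: 14, State: 8.
2008-12-19 08:04:04.73 Logon       Login failed for user 'webapp'. [CLIENT: 203.0.113.5]
2008-12-19 08:10:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2008-12-19 08:10:00.00 Logon       Login failed for user 'webapp'. [CLIENT: 10.0.0.20]
"""

# Matches only the "Login failed for user" line; the preceding "Error: 18456"
# line carries no user or client and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client_ip) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def find_bruteforce_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Group failures by client address and flag any client with at least
    `threshold` failures inside some sliding window of length `window`.
    Returns {client_ip: {"attempts": total, "users": [names tried]}}."""
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))

    flagged = {}
    for client, items in by_client.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = {
                    "attempts": len(items),
                    "users": sorted({u for _, u in items}),
                }
                break
    return flagged


if __name__ == "__main__":
    for client, info in find_bruteforce_sources(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{client}: {info['attempts']} failures, users tried: {', '.join(info['users'])}")
```

A steady one-attempt-every-two-minutes pattern is slow enough to slip past a per-minute rate check, which is why the script counts over a ten-minute window rather than per minute. The alert is only the detection side; the comments below are right that the durable fix is not exposing the SQL port to the Internet at all.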


Comments

Jonathan said:

I know this is an obvious statement, but have you tried encrypting your connection strings?

I hope you get to the bottom of it soon, dude.

# December 19, 2008 8:05 AM

andrex said:

Looks like the server just scanned for open MS SQL ports and ran a brute-force attack with a dictionary. It's not related to any site or web.config.

I see this on a few servers (for the last, fresh server, the attack started 3 hours after I installed MS SQL!!!)

I solved this problem very easily. Block access to the MS SQL ports via the firewall (access allowed only for specific IPs).

# December 19, 2008 8:28 AM

ca8msm said:

It's probably just a hex injection. Properly secured code and web pages shouldn't be affected by this, though, and it's not a new problem.

# December 19, 2008 8:29 AM

Jonathan said:

Glad you found the source of it, man. I have my DB server safely locked away behind a firewall; the only access is via the main web servers.

# December 19, 2008 9:50 AM

gt1329a said:

I'm glad you posted this. I checked in on our servers and found one that's been under a brute force attack for a couple days now.

All of the attempts on our server have come from 72.26.227.42.

# December 19, 2008 10:17 AM

David Taylor said:

The obvious question is: do you have SQL open at the firewall to external users?

Hey, is this your dedicated server? If so, why don't you install a packet sniffer and actually see what they are doing instead of trying to guess ;-)

Dave

# December 19, 2008 10:59 AM

Darren Kopp said:

"Darren, you are entitled to your opinions, but UrlScan is set up and installed. It worked for two days, and now the attacks are coming back. Then I tested my code and servers using all the tools I could find; nothing has changed. Now you tell me why so many websites are caught with this crap. Do you call them all stupid? -- P."

Don't b*tch about Microsoft. Secure your servers and your code.

And why don't you just install UrlScan? 3.0 is in beta right now.

# December 19, 2008 12:01 PM

tmorton said:

Not sure how your failure to secure your server is Microsoft's fault? You say you have covered the basics, but that's really not good enough. Your server security is only as good as your weakest point.

My suggestion is to open a paid support ticket with Microsoft, so that they can formally help you resolve the issue(s).

# December 19, 2008 12:30 PM

tlichty said:

"I agree with you. My SQL server is behind a second firewall. I am not using sa but a simple user with read access only. See my new post about the matter; it's really new for me and apparently thousands of us, because this time it's coming through a cookie executing some SQL commands along the request stream. Prove me wrong, but it's the first time I heard that a cookie can execute itself! If it's not a flaw, what is it? Paschal"

I agree with tmorton and everyone else. No traffic from the internet should come anywhere NEAR your SQL server. We have a firewall in front of our web servers. Then a second firewall in front of our SQL servers that only allows traffic from the internal network to it.

DB servers should never be accessible to the web. I'm not sure how you sleep at night if they are.

# December 19, 2008 3:04 PM
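The "hex injection" ca8msm mentions and the cookie carrying SQL that the author describes in his reply above have the same shape on the wire: the SQL arrives inside an ordinary request field as a long hexadecimal literal, so a plain keyword filter never sees the statement. As an added example, not code from the page or from any of the commenters, here is a Python scanner that URL-decodes a query string and a Cookie header, looks for 0x… literals sitting next to SQL keywords, and decodes them (Latin-1, or UTF-16LE when the bytes look like NVARCHAR data) so the hidden statement can be read during triage. The request is constructed; its literal encodes the harmless statement SELECT @@version, and the keyword list and minimum literal length are assumptions.

```python
import re
from urllib.parse import unquote_plus

# A hex literal of at least 16 digits; shorter ones are usually legitimate ids.
HEX_LITERAL_RE = re.compile(r"0x([0-9A-Fa-f]{16,})")
# Keywords that typically accompany an encoded statement (assumed list).
MARKER_RE = re.compile(r"\b(DECLARE|CAST|EXEC|EXECUTE)\b", re.IGNORECASE)


def decode_hex_literal(hex_digits):
    """Decode a T-SQL hex literal to text. If every second byte is NUL the
    literal was built for an NVARCHAR (UTF-16LE); otherwise treat it as
    single-byte text (Latin-1 never fails, so odd bytes stay visible)."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def find_encoded_sql(value):
    """Return the decoded text of each suspicious hex literal in one request
    field. The field is URL-decoded first, and literals are reported only when
    a SQL keyword appears in the same field."""
    decoded = unquote_plus(value)
    if not MARKER_RE.search(decoded):
        return []
    return [decode_hex_literal(h) for h in HEX_LITERAL_RE.findall(decoded)]


def scan_request(query_string, cookie_header):
    """Scan both the query string and the Cookie header of one request.
    Returns {field_name: [decoded_payload, ...]} containing only fields with hits."""
    hits = {}
    for name, value in (("query", query_string), ("cookie", cookie_header)):
        found = find_encoded_sql(value)
        if found:
            hits[name] = found
    return hits


# Constructed sample request (not from the page). The literal encodes the
# harmless statement "SELECT @@version" as UTF-16LE so the output is checkable.
SAMPLE_PAYLOAD = "SELECT @@version".encode("utf-16-le").hex()
SAMPLE_QUERY = (
    "id=12;DECLARE+%40S+NVARCHAR(4000);SET+%40S%3DCAST(0x"
    + SAMPLE_PAYLOAD
    + "+AS+NVARCHAR(4000));EXEC(%40S);--"
)
SAMPLE_COOKIE = "ASP.NET_SessionId=abc123; theme=blue"

if __name__ == "__main__":
    for field, payloads in scan_request(SAMPLE_QUERY, SAMPLE_COOKIE).items():
        for text in payloads:
            print(f"{field}: encoded SQL decodes to {text!r}")
```

Run it over IIS request logs or a packet capture, as David Taylor suggests, and the decoded text tells you what the request was trying to do. Matching on keywords is a triage heuristic, not a filter to rely on: the only reliable protection is that no request field (query string, form, or cookie) is ever concatenated into SQL, and the database login the site uses has no permission to run what the payload asks for.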