Database being changed/Hacked

Question

Database being changed/Hacked

Asked 10 years, 3 months ago

Viewed 818 times

4

I don’t know if I can ask that question here, otherwise I can ask you to suspend the question, or warn me that I delete it.

For the second time I came across a bank that had been broken into. Almost all text fields of all tables in the database were added the following code at the end of the records:

</title>
<style>
    .ao0n {
        position: absolute;
        clip: rect(470px,auto,auto,470px);
    }
</style>
<div class="ao0n">quick <a href="http://ironpaydayloans.com">payday loans</a> with small commissions</div>
</title><style>
            .ao0n {
                position: absolute;
                clip: rect(470px,auto,auto,470px);
            }
        </style><div class="ao0n">quick <a href="http://ironpaydayloans.com">payday loans</a> with small commissions</div>
</title><style>
            .alry {
                position: absolute;
                clip: rect(410px,auto,auto,410px);
            }
        </style><div class="alry">A payday to get <a href="http://paydayloansforsure.com">fast payday cash loans</a> source you into them.</div>
</title><style>
            .alry {
                position: absolute;
                clip: rect(410px,auto,auto,410px);
            }
        </style><div class="alry">A payday to get <a href="http://paydayloansforsure.com">fast payday cash loans</a> source you into them.</div>
</title><style>
            .auj {
                position: absolute;
                clip: rect(441px,auto,auto,441px);
            }
        </style><div class="auj">A much a limited <a href="http://proofpaydayloans.com">payday loans</a> of that banks payday loan.</div>
</title><style>
            .auj {
                position: absolute;
                clip: rect(441px,auto,auto,441px);
            }
        </style><div class="auj">A much a limited <a href="http://proofpaydayloans.com">payday loans</a> of that banks payday loan.</div>

I was wondering if anyone’s been through this problem, or why it is. And how can I solve this problem.

5

This is because, at some point in your application, there is an unhealthy input of data. Look for known security holes(s) of the framework(s) you are using, corresponding patches, and apply them.

– OnoSendai

2014/08/05 at 14:26
Looks like sql Injection - vcs has some GET passing parameters ?

– ederwander

2014/08/05 at 14:32
@Onosendai, When I joined the company this system already existed, and there is no Documentation, just know that it is a Website and is in VB.

– Diego Zanardo

2014/08/05 at 14:34
@ederwander, There are several pages accessed from "/categories.aspx? id=24" for example.

– Diego Zanardo

2014/08/05 at 14:35
@Diegozanardo At worst, and depending on the database, you can implement triggers that try to cancel any strange editing, or at worst clear the inserted content.

– OnoSendai

2014/08/05 at 14:36

4 answers

9

Well come on!

From the comments I have a strong hunch, you are passing variables to your aspx, and this nowadays is a malignant gateway, the "hackers" simply take your variable, in your case your variable id and begin inserting arbitrary codes of select/insert/update this is called sql-Injection, an alternative is to totally abolish the GET, the other is to simply filter any unexpected input into your variables.

You need to have a greater control of your logs, all successful attempts or will not be in your logs on the http server (ISS, Apache, etc), waste a time analyzing these logs they will tell you where, which aspx was attacked and used as bridge to insert the values improperly.

Also scan your database logs, look for different IP’s that shouldn’t be accessed.

Check your firewall and ensure your database does not have external access, if necessary close communication only to the necessary and trusted ips/domains.

I did some tests here with sql-Injection, and there really is no validation of any parameters. I could easily delete a table. As I said, this application was already developed when I joined the company. My projects are currently in MVC Asp.net with Entity Framework. It is still possible to use sql-Injection?

– Diego Zanardo

2014/08/05 at 15:13
any system may be vulnerable, everything will depend on how it was built, if your systems pass parameters by GET there will always be the possibility of some time or another hacker from the underworld find a way to go through your filter, the use of parameter validations is simply the basic and the minimum that any programmer should/should do ...

– ederwander

2014/08/05 at 15:16
2

-1. GET, by itself, is not a problem; nor is the use of tight-Coupled ID. Without data sanitization the DBMS can be compromised in any way, either via POST/JSON payload, session/operation access token or any other method to obfuscate the physical ID of the record.

– OnoSendai

2014/08/05 at 16:01
@Onosendai, that is to say the best way to avoid it is through SGDB (through Trigger), and not by the application?

– Diego Zanardo

2014/08/05 at 17:06
@Diegozanardo while SGDB is the layer where the quality of the data can be more effectively controlled, the control can also be carried out in the application layer. However, the process of mapping the entry points can be more laborious: While you have a table that stores, for example, user data, you may have N interfaces in the application where this data is manipulated.

– OnoSendai

2014/08/05 at 17:13

Browser other questions tagged database

You are not signed in. Login or sign up in order to post.

by jean • **904** points · Answer 1 · 2014-08-13T14:02:54+00:00

This really looks like SQL Injection Attack. The problem per se not get but dynamic SQL, which mounts the script on the fly. Sanitizing data helps but there are hacker techniques of quoting using ASCII code for example. then the best way to avoid this type of attack is to parameterize your queries.

If you really need to use dynamic SQL and you use MS Sql try searching for "parametrized Dynamic queries" (I believe other Dbms have something equivalent). (In the worst case scenario you will exchange your queries for stored procedures)

If you use parameters in your queries will prevent them from being hacked. Another thing I see that are trying to explore is JS script Injection but there is another Attack.

Edit

I found a reference in Stackoverflow (for PHP + Mysql ) not by chance parametrize is still the best solution

https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

by Conrado Basso • **204** points · Answer 2 · 2014-08-05T14:43:14+00:00

2

Face this is an Injection you have to do a treatment before recording in the database if it will not always happen if you work with layers can handle in the controller if you do not change your method to post and do a validation in the request fields before inserting in the database.

Sanitizing the data helps but the problem is that many programmers insist on using nonparametric dynamic queries. If you exchange your input for parameters in a fixed query instead of mounting the query beyond potential performance gain when running it it will be practically immune to this problem

– jean

2014/08/13 at 14:09
The sql parameterization also helps the database performance because it only compiles sql once

– Conrado Basso

2014/08/13 at 15:59

by Thiago • 19 points · Answer 3 · 2014-08-13T13:37:26+00:00

Dear, Make sure there are no suspicious files in your hosting, and check the security issue of the forms. I had a similar problem with my hosting (Locaweb) and I believe that what generated this was an invasion of their servers, because there is no vulnerability found in our system.