For those of you who have been hit by this attack and who need to try
something short of restoring your DB, this script will generate a series of
update statements in reverse of the hack that's been going around:

-----------------------------------------------------------
DECLARE @T varchar(255), @C varchar(255)
DECLARE @sql varchar(4000)
DECLARE @script varchar(255)
/*fill in the value of the malicious script. */
select @script = '<script src="*scriptsrc"></script><!---'

/* xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar */
DECLARE Table_Cursor CURSOR FOR 
  SELECT a.name, b.name 
  FROM sysobjects a, syscolumns b 
  WHERE a.id = b.id AND a.xtype = 'u' 
  AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167) 

OPEN Table_Cursor 
FETCH NEXT FROM Table_Cursor INTO @T, @C 
WHILE (@@FETCH_STATUS = 0) 
BEGIN
  /* build one update per table/column pair */
  SELECT @sql = 'update [' + @T + '] set [' + @C + '] = Replace([' + @C + '],''' + @script + ''','''')'
  PRINT @sql

  /*uncomment this after checking the output using print */
  --EXEC(@sql)

  FETCH NEXT FROM Table_Cursor INTO @T, @C
END 
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor

-------------------------------------------------------

1) Replace the value of @script (the select at the top) with the value of
the string that's been inserted into your DB
2) Run the script AS IS - you should see a list of "update" statements that
look like this:

update [**tablename] set [**columnName] = Replace([**ColumnName],'<script
src="*scriptsrc"></script><!---','')

Where **tablename and **columnName represent actual tables/columns from your
DB.

You can then run the updates individually to strip out the malicious code...
I also converted the update to a select to compare the values and see what
the result would be on update.

3) If you are brave you can comment out the "EXEC(@sql)" line and rerun the
script. Doing so will hit every table and every char column with these
updates so be sure you know what you are doing. 


-Mark
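
A read-only dry run to pair with the script above, as an added example that is not part of Mark's post: it counts, per character column, the rows that contain the injected string, so you can see what the generated updates would touch before running any of them. It goes slightly beyond the post by including the schema name and escaping LIKE wildcards. The temp table #hits, the cursor name and the use of the INFORMATION_SCHEMA views are choices made for this example; data_type is reported because REPLACE does not accept text or ntext arguments, so hits in those columns need separate handling.

```sql
/* Added example: read-only dry run. #hits and Preview_Cursor are illustrative names. */
SET NOCOUNT ON
DECLARE @script nvarchar(255), @pat nvarchar(1000), @sql nvarchar(4000)
DECLARE @S sysname, @T sysname, @C sysname, @type sysname

/* Same placeholder as the post: fill in the string found in your data. */
SELECT @script = N'<script src="*scriptsrc"></script><!---'

/* Escape LIKE wildcards so the string matches literally, then double any
   single quotes so it can sit inside a dynamic SQL literal. */
SELECT @pat = REPLACE(REPLACE(REPLACE(REPLACE(@script,
              N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[')
SELECT @pat = REPLACE(@pat, N'''', N'''''')

CREATE TABLE #hits (col nvarchar(400), data_type sysname, affected_rows int)

DECLARE Preview_Cursor CURSOR LOCAL FAST_FORWARD FOR
  SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
  FROM INFORMATION_SCHEMA.COLUMNS c
  JOIN INFORMATION_SCHEMA.TABLES t
    ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
  WHERE t.TABLE_TYPE = 'BASE TABLE'
    AND c.DATA_TYPE IN ('text', 'ntext', 'varchar', 'nvarchar')

OPEN Preview_Cursor
FETCH NEXT FROM Preview_Cursor INTO @S, @T, @C, @type
WHILE (@@FETCH_STATUS = 0)
BEGIN
  /* One COUNT per column; HAVING keeps clean columns out of #hits. */
  SELECT @sql = N'INSERT INTO #hits SELECT N'''
    + REPLACE(@S + N'.' + @T + N'.' + @C, N'''', N'''''') + N''', N'''
    + @type + N''', COUNT(*) FROM ' + QUOTENAME(@S) + N'.' + QUOTENAME(@T)
    + N' WHERE ' + QUOTENAME(@C) + N' LIKE '
    + CASE WHEN @type IN (N'ntext', N'nvarchar') THEN N'N' ELSE N'' END
    + N'''%' + @pat + N'%'' ESCAPE ''\'' HAVING COUNT(*) > 0'
  EXEC (@sql)
  FETCH NEXT FROM Preview_Cursor INTO @S, @T, @C, @type
END
CLOSE Preview_Cursor
DEALLOCATE Preview_Cursor

/* Columns that contain the injected string, most affected first. */
SELECT col, data_type, affected_rows FROM #hits ORDER BY affected_rows DESC
DROP TABLE #hits
```

Comparing the row counts from this report before and after the cleanup gives a quick check that no injected copies remain.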



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309372