Unfortunately, I have a good deal of experience with this as a few of my websites got nailed by this injection. Here are some links:
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
http://forums.iis.net/t/1148917.aspx

Three things I learned from the attack:

1. I tightened up my classic asp and .net code to filter for this specific attack. This injection is encoded so filtering for words like INSERT, UPDATE, DROP didn't work. It also uses Querystrings rather than form posts so just filtering form posts wasn't enough.

2. A simple SQL server update foils the attack.

    deny select on sysobjects to sql_login_of_your_app
    deny select on syscomments to sql_login_of_your_app
    deny select on syscolumns to sql_login_of_your_app
    deny select on systypes to sql_login_of_your_app

Look up what user account is being used for web access, then execute the above update with that username. This particular attack gets table and field names from system tables. Denying select on those tables stops the attack.

3. Some really smart guy on one of the above listed forums essentially reverse-engineered the injection and posted a stored procedure that removes the "<script." text from all the affected tables. If you have a corrupted db and restoring from backup is not an option, email me privately and I'll share the stored procedure.

I'd also be happy to share my classic asp and asp.net filtering code if anyone needs it.

-Gary

Gary Jorgenson, RN
President/CEO - Robin Technologies, Inc.
670 Lakeview Plaza Blvd., Suites I & J | Worthington, OH 43085
Phone: 614.888.3001 | Fax: 614.888.3002 | Cell: 614.961.0670
[EMAIL PROTECTED] | www.robintek.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Travis Rabe
Sent: Monday, June 30, 2008 10:59 AM
To: [email protected]
Subject: [IMail Forum] New Virus?

All,

I am seeing a lot - thousands of SQL injection attacks geared towards one of my servers for the past few days. Seems to be coming from hundreds of different servers.

All the SQL ports are closed and my firewall is dropping the IPS, but I was curious if anyone else is seeing this as of late Friday night?

Travis
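Added example, not part of the original messages and not the filtering code Gary offers to share: a Python sketch of why a keyword filter on the raw query string misses an encoded injection, and how decoding before inspection catches it. The exact encoding is an assumption (URL-encoding plus a long 0x... hex literal); the thread only says the injection "is encoded". All function names and sample strings are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Words the post says were filtered for, plus the system tables it names.
KEYWORDS = re.compile(
    r"\b(insert|update|drop|sysobjects|syscomments|syscolumns|systypes)\b", re.I)
# Assumption: the encoded payload travels as a long 0x... hex literal.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){8,})", re.I)

def naive_filter(query):
    """Keyword match on the raw query string, the approach the post says failed."""
    return bool(KEYWORDS.search(query))

def decode_layers(query, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def expand_hex(text):
    """Return text plus the decoded form of every long hex literal in it."""
    parts = [text]
    for match in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(match.group(1))
        parts.append(raw.decode("latin-1"))                      # VARCHAR-style
        parts.append(raw.decode("utf-16-le", errors="ignore"))   # NVARCHAR-style
    return "\n".join(parts)

def inspect_query(query):
    """Findings for one query string, inspected after decoding."""
    text = decode_layers(query)
    findings = ["long-hex-literal"] if HEX_LITERAL.search(text) else []
    hits = sorted({k.lower() for k in KEYWORDS.findall(expand_hex(text))})
    return findings + ["keyword:" + k for k in hits]

# Constructed samples, not taken from any real log.
SAMPLE_BENIGN = "id=42&page=news"
SAMPLE_ENCODED = "id=42%3B0x" + b"UPDATE t SET c=1".hex()

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_ENCODED):
        print(naive_filter(sample), inspect_query(sample), sample)
```

A keyword hit on its own is noisy for free-text parameters; the long hex literal in a query string is the stronger signal, and the DENY statements above remain the control that does not depend on pattern matching.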
