To help combat SQL Injection attempts, you might want to take a look at the
WebKnight open-source ISAPI filter.
 
    http://www.aqtronix.com/?PageID=99
 
I haven't used it personally (yet) but it looks useful with many features.



David Gregg
dgSoft Internet Services

--
mxGuard for Mail Servers
The no-nonsense anti-spam and anti-virus solution.
http://www.mxguard.com
--



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gary Jorgenson
Sent: Monday, June 30, 2008 11:29 AM
To: [email protected]
Subject: RE: [IMail Forum] New Virus?



Unfortunately, I have a good deal of experience with this as a few of my
websites got nailed by this injection. Here are some links:

 

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

http://forums.iis.net/t/1148917.aspx

 

Three things I learned from the attack:

 

1.  I tightened up my classic asp and .net code to filter for this specific
attack.  This injection is encoded so filtering for words like INSERT,
UPDATE, DROP didn't work.  It also uses Querystrings rather than form posts
so just filtering form posts wasn't enough.

 

2. A simple SQL server update foils the attack.

 

deny select on sysobjects to sql_login_of_your_app

deny select on syscomments to sql_login_of_your_app

deny select on syscolumns to sql_login_of_your_app

deny select on systypes to sql_login_of_your_app

 

Look up what user account is being used for web access,  then execute the
above update with that username.  This particular attack gets table and
field names from system tables.  Denying select on those tables stops the
attack.

 

3. Some really smart guy on one of the above listed forums essentially
reverse-engineered the injection and posted a stored procedure that removes
the "<script." text from all the affected tables. If you have a corrupted
db and restoring from backup is not an option, email me privately and I'll
share the stored procedure. I'd also be happy to share my classic asp and
asp.net filtering code if anyone needs it.

 

-Gary

 

Gary Jorgenson, RN President/CEO - Robin Technologies, Inc.
670 Lakeview Plaza Blvd., Suites I & J | Worthington, OH 43085
Phone: 614.888.3001 | Fax: 614.888.3002 | Cell: 614.961.0670
[EMAIL PROTECTED] | www.robintek.com
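An added example, not code from this thread and not Gary's ASP filter, to illustrate point 1 above: a keyword filter only works if it runs on the fully decoded query-string value, and the query string has to be inspected at all, not just form posts. The host name, parameter names and the hex payload below are constructed for the example; the hex literal is built from a plain string that contains "update" and a "<script" fragment so that nothing in the raw request matches a keyword filter until it is decoded.

```python
"""Decode-then-inspect check for SQL injection carried in query strings.

Everything in the sample section is constructed for this example; it is not
a captured request from the servers discussed in the thread.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Words a naive filter looks for in the raw request text.
SQL_KEYWORDS = re.compile(r"\b(insert|update|delete|drop|exec|declare|cast)\b",
                          re.IGNORECASE)
# T-SQL style hex literal, e.g. 0x7570...
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")


def naive_keyword_check(raw_query: str) -> bool:
    """The check that 'didn't work': keyword match on the raw, still-encoded text."""
    return bool(SQL_KEYWORDS.search(raw_query))


def decode_layers(value: str) -> list:
    """Return the parameter value plus each decoding of it: repeated URL
    decoding (double/triple encoding), then every hex literal decoded as
    ASCII and as UTF-16LE (NVARCHAR payloads are UTF-16LE on the wire)."""
    layers = [value]
    current = value
    for _ in range(3):                      # bounded: a few encoding layers
        decoded = unquote_plus(current)
        if decoded == current:
            break
        layers.append(decoded)
        current = decoded
    for match in HEX_LITERAL.finditer(current):
        hexdigits = match.group(1)
        if len(hexdigits) % 2:              # drop a trailing stray nibble
            hexdigits = hexdigits[:-1]
        raw = bytes.fromhex(hexdigits)
        for encoding in ("ascii", "utf-16-le"):
            try:
                layers.append(raw.decode(encoding))
            except UnicodeDecodeError:
                continue
    return layers


def inspect_request(url: str) -> dict:
    """Inspect every query-string parameter (GET requests, not only form
    posts) and return {param: {keywords found after decoding}}.
    An empty dict means nothing was found."""
    findings = {}
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for layer in decode_layers(value):
            hits = {k.lower() for k in SQL_KEYWORDS.findall(layer)}
            if hits:
                findings.setdefault(name, set()).update(hits)
    return findings


# --- constructed sample input (hypothetical host and parameters) ---
PAYLOAD_TEXT = "update news set body=body+'<script src=//example.invalid/x.js>'"
SAMPLE_HEX = "0x" + PAYLOAD_TEXT.encode("ascii").hex()
CLEAN_URL = "http://www.example.invalid/news.asp?id=42&page=2"
ENCODED_URL = "http://www.example.invalid/news.asp?id=1%3B" + SAMPLE_HEX

if __name__ == "__main__":
    raw = urlsplit(ENCODED_URL).query
    print("naive check on raw query:", naive_keyword_check(raw))   # False
    print("decoded inspection:", inspect_request(ENCODED_URL))     # {'id': {'update'}}
    print("clean request:", inspect_request(CLEAN_URL))            # {}
```

The raw query string contains only hex digits after the `0x`, so a keyword match on the request as received finds nothing; only after decoding the literal does the `update` show up. A filter that keys on `Request.Form` alone never sees this value at all, since it arrives in the query string. Denying the application login `select` on the system tables, as in point 2, is the complementary server-side control: it removes the table and column names the encoded statement needs.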

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Travis Rabe
Sent: Monday, June 30, 2008 10:59 AM
To: [email protected]
Subject: [IMail Forum] New Virus?

 

All,

 

  I am seeing a lot - thousands of SQL injection attacks geared towards one
of my servers for the past few days. Seems to be coming from hundreds of
different servers. All the SQL ports are closed and my firewall is dropping
the IPs, but I was curious if anyone else is seeing this as of late Friday
night?

 

Travis
