RE: After the fact: SQL Injection Scanner
Charles:

Thanks for the reply. Unfortunately, they don't know when the attack happened and their current hosting company has not been very attentive to backing up files or the database. It's also built on a CMS with page content changes made daily.

Thanks.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
WWW: http://www.evoch.com/

> -Original Message-
> From: Charles Sheehan-Miles [mailto:char...@sheehanmiles.net]
> Sent: Wednesday, October 21, 2009 4:31 PM
> To: cf-talk
> Subject: Re: After the fact: SQL Injection Scanner
>
> You might consider restoring a copy of a recent backup, then comparing
> against known records that shouldn't have changed (for example comment
> records)

Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327471
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: After the fact: SQL Injection Scanner
You might consider restoring a copy of a recent backup, then comparing against known records that shouldn't have changed (for example comment records).

On Wed, Oct 21, 2009 at 4:04 PM, Mosh Teitelbaum wrote:
> Andy:
>
> Unfortunately, I don't have the SQL Injection code. From what I can gather,
> the attack resulted in a whole bunch of copies of some PHP code that
> essentially gives the user access to both the file system and the database.
> I'm still working on getting the log files from the web host (FTP is down
> for some reason) but with the PHP files, they could have changed the
> database without having to do so via the URL.
>
> --
> Mosh Teitelbaum
> evoch, LLC

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327470
RE: After the fact: SQL Injection Scanner
Andy:

Unfortunately, I don't have the SQL Injection code. From what I can gather, the attack resulted in a whole bunch of copies of some PHP code that essentially gives the user access to both the file system and the database. I'm still working on getting the log files from the web host (FTP is down for some reason) but with the PHP files, they could have changed the database without having to do so via the URL.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: mosh.teitelb...@evoch.com
WWW: http://www.evoch.com/

> -Original Message-
> From: Andy Matthews [mailto:li...@commadelimited.com]
> Sent: Wednesday, October 21, 2009 3:49 PM
> To: cf-talk
> Subject: RE: After the fact: SQL Injection Scanner
>
> Mark's right. If you have the SQL injection code, you can essentially
> reverse engineer it and use it as a blueprint to fix the problems.
>
> andy

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327469
RE: After the fact: SQL Injection Scanner
Mark:

Thanks for the reply. I think the title of my email may have been misleading in that I'm not positive it was a SQL Injection attack. Because of some malicious code I've found on the file system, code that would allow an attacker to make sweeping changes to the database, I'm concerned that they may have appended additional code to varchar fields a la a SQL Injection attack. While the reverse code is great, I can't use it here because I haven't yet found any (nor do I know for sure that there is any) SQL Injection code to reverse. I'm hoping to find a scanner that can tell me if any of those fields appear suspicious. Something that would report on any varchar fields that contain "script", etc.

Thanks.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: mosh.teitelb...@evoch.com
WWW: http://www.evoch.com/

> -Original Message-
> From: Mark Kruger [mailto:mkru...@cfwebtools.com]
> Sent: Wednesday, October 21, 2009 3:30 PM
> To: cf-talk
> Subject: RE: After the fact: SQL Injection Scanner
>
> If the injection was the one that went around a few months ago - check out
> this post
>
> http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII
>
> There is a "reverse" stored procedure that can undo the damage down in the
> comments. Be sure and read the post and comments (and related posts) -
> otherwise you will fight this over again until you get it right :)
>
> -Mark
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327468
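Two approaches come up in this thread: Charles's suggestion to restore a recent backup and compare it against records that should not have changed, and Mosh's request for a scanner that reports any varchar field containing "script" and similar. The following is an added example that implements both against a database, written for this page rather than taken from any of the posters. It uses Python with an in-memory SQLite database and constructed sample rows; the pattern list, the `comments` table, its columns and the `injected.example` host are assumptions, and the same read-only logic can be pointed at a real connection.

```python
import re
import sqlite3

# Indicators that a text column has been tampered with: injected HTML that
# pulls in remote script, or fragments of a T-SQL payload left in the value.
# This list is an assumption for the example; extend it for your own case.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<script\b", re.I),
    re.compile(r"<iframe\b", re.I),
    re.compile(r"\bjavascript:", re.I),
    re.compile(r"\bCAST\s*\(", re.I),
    re.compile(r"\bDECLARE\s+@", re.I),
    re.compile(r"\bEXEC\s*\(", re.I),
]

# Declared column types treated as "text" and therefore worth scanning.
TEXT_TYPES = ("VARCHAR", "NVARCHAR", "CHAR", "TEXT", "CLOB")


def text_columns(conn):
    """Return [(table, column), ...] for every text-typed column in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%'")]
    found = []
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper().startswith(TEXT_TYPES) or ctype == "":
                found.append((table, name))
    return found


def scan_suspicious(conn):
    """Return (table, column, rowid, pattern) for every text value matching
    one of SUSPICIOUS_PATTERNS. Read-only: nothing is modified."""
    findings = []
    for table, column in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid, "{column}" FROM "{table}" WHERE "{column}" IS NOT NULL')
        for rowid, value in rows:
            for pat in SUSPICIOUS_PATTERNS:
                if pat.search(str(value)):
                    findings.append((table, column, rowid, pat.pattern))
                    break  # one hit is enough to flag the value
    return findings


def diff_against_backup(current, backup, table, key):
    """Compare every text column of `table` with a restored backup copy,
    matched on `key`. Returns (key, column, old, new) per changed value, or
    (key, None, None, "row not in backup") for rows added since the backup."""
    cols = [c for t, c in text_columns(backup) if t == table]
    collist = ", ".join(f'"{c}"' for c in cols)
    query = f'SELECT "{key}", {collist} FROM "{table}"'
    backup_rows = {row[0]: row[1:] for row in backup.execute(query)}
    diffs = []
    for row in current.execute(query):
        old = backup_rows.get(row[0])
        if old is None:
            diffs.append((row[0], None, None, "row not in backup"))
            continue
        for col, before, after in zip(cols, old, row[1:]):
            if before != after:
                diffs.append((row[0], col, before, after))
    return diffs


def build_sample():
    """Constructed sample data: a 'backup' and a 'current' copy of a comments
    table, where one comment has had a script tag appended and one row is new."""
    schema = ("CREATE TABLE comments (id INTEGER PRIMARY KEY, "
              "author VARCHAR(50), body TEXT)")
    clean = [(1, "alice", "Nice article"), (2, "bob", "Great post")]
    backup = sqlite3.connect(":memory:")
    backup.execute(schema)
    backup.executemany("INSERT INTO comments VALUES (?, ?, ?)", clean)
    current = sqlite3.connect(":memory:")
    current.execute(schema)
    current.executemany("INSERT INTO comments VALUES (?, ?, ?)", clean)
    # injected.example is a placeholder host for the sample, not a real indicator
    current.execute("UPDATE comments SET body = body || ? WHERE id = 2",
                    ('<script src="http://injected.example/a.js"></script>',))
    current.execute("INSERT INTO comments VALUES (3, 'carol', 'Posted after the backup')")
    return current, backup


if __name__ == "__main__":
    current, backup = build_sample()
    for table, column, rowid, pattern in scan_suspicious(current):
        print(f"suspicious: {table}.{column} rowid={rowid} matched {pattern!r}")
    for key, column, old, new in diff_against_backup(current, backup, "comments", "id"):
        print(f"changed: id={key} {column}: {old!r} -> {new!r}")
```

The scanner only needs the live database and catches appended markup even when no backup exists, which is the situation Mosh describes; the backup comparison needs a clean copy but also catches changes that match no pattern. On a real database the column enumeration would come from the engine's own catalog views instead of `sqlite_master` and `PRAGMA table_info`.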
RE: After the fact: SQL Injection Scanner
Mark's right. If you have the SQL injection code, you can essentially reverse engineer it and use it as a blueprint to fix the problems.

andy

-Original Message-
From: Mosh Teitelbaum [mailto:mosh.teitelb...@evoch.com]
Sent: Wednesday, October 21, 2009 2:10 PM
To: cf-talk
Subject: After the fact: SQL Injection Scanner

All:

A client called today letting me know that their server had been breached and that some malicious code had been uploaded to the site. After doing some research into the particular files that were uploaded, it turns out that the attack is also usually accompanied by a SQL Injection attack. Their database is huge and, instead of manually going through the database looking for altered records, I thought to write some code that would scan the records and report any potential problems. Before doing that, does anyone know of any existing code that does that?

Thanks in advance.

--
Mosh Teitelbaum
evoch, LLC

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327465
RE: After the fact: SQL Injection Scanner
If the injection was the one that went around a few months ago - check out this post

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

There is a "reverse" stored procedure that can undo the damage down in the comments. Be sure and read the post and comments (and related posts) - otherwise you will fight this over again until you get it right :)

-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Mosh Teitelbaum [mailto:mosh.teitelb...@evoch.com]
Sent: Wednesday, October 21, 2009 2:10 PM
To: cf-talk
Subject: After the fact: SQL Injection Scanner

All:

A client called today letting me know that their server had been breached and that some malicious code had been uploaded to the site. After doing some research into the particular files that were uploaded, it turns out that the attack is also usually accompanied by a SQL Injection attack. Their database is huge and, instead of manually going through the database looking for altered records, I thought to write some code that would scan the records and report any potential problems. Before doing that, does anyone know of any existing code that does that?

Thanks in advance.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
WWW: http://www.evoch.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327461