Hello,
Our db has been compromised. A column in the table has been changed to
something unwarranted for. I need suggestions on how to track this or at
least give me some clues on how these bastard made into our database.
Besides looking at the event logs on windows (security & system) and sql
logs in SQL Enterprise Manager, what/where else can I look at? At this point
what can i do to prevent this from happening again?
We are on sql 2000 sp4.
Also, one of our collegues went ahead and remove that column so it won't
display it in the website.
Besides restoring the whole database, can I restore the database from backup
to a different name. Then from the current database import that column in?
I remember doing this a while ago.
Thanks in advance.
tntSounds like SQL injection. Look through the web server logs and you might be
able to see the attacks. Google it and you will get alot of info. Yes, you
can restore to a diferrent name and then update.
Jason Massie
www: http://statisticsio.com
rss: http://statisticsio.com/Home/tabid/36/rssid/1/Default.aspx
"tnt" <tnt@.discussions.microsoft.com> wrote in message
news:0624B538-B0D5-47AA-BF4F-55F13E290031@.microsoft.com...
> Hello,
> Our db has been compromised. A column in the table has been changed to
> something unwarranted for. I need suggestions on how to track this or at
> least give me some clues on how these bastard made into our database.
> Besides looking at the event logs on windows (security & system) and sql
> logs in SQL Enterprise Manager, what/where else can I look at? At this
> point
> what can i do to prevent this from happening again?
> We are on sql 2000 sp4.
> Also, one of our collegues went ahead and remove that column so it won't
> display it in the website.
> Besides restoring the whole database, can I restore the database from
> backup
> to a different name. Then from the current database import that column
> in?
> I remember doing this a while ago.
> Thanks in advance.
> tnt|||Hi,
As you are having a web application you are most likely been hit by
SQL injection.
This is very common attack technique. If you are running your web
application with a high privileged windows or sql server account (like
sa). Always use a low privileged sql-account for your web
applications. Remember that 'sa' can run commands from dos-prompt
through your web application.
In addition to windows and SQL server logs, go also through your IIS-
logs. If you have an IDS/IPS/Firewall see if you can find anything in
their logs as well. If you have some kind of logging in your web
application see if there is anything there. My experience is that
trying to track down the attacker can be very very difficult. Use your
logs to understand the how the attacker attacked your application.
If your application has poor input validation routines on input from
users you are most probably vulnerable.
The absolute best way (and probably the only way which really works)
is to use prepared statements (or parameterized statements in .net).
Remember that SQL-injection, although very dangerous, is only one of
many attack-vectors to web applications.
Hope this helps.
Best regards,
Eirik
tnt skrev:
> Hello,
> Our db has been compromised. A column in the table has been changed to
> something unwarranted for. I need suggestions on how to track this or at
> least give me some clues on how these bastard made into our database.
> Besides looking at the event logs on windows (security & system) and sql
> logs in SQL Enterprise Manager, what/where else can I look at? At this point
> what can i do to prevent this from happening again?
> We are on sql 2000 sp4.
> Also, one of our collegues went ahead and remove that column so it won't
> display it in the website.
> Besides restoring the whole database, can I restore the database from backup
> to a different name. Then from the current database import that column in?
> I remember doing this a while ago.
> Thanks in advance.
> tnt|||Thanks guys. I talked to the programmer over the phone and he had modified
the program codes.
Any inputs or instructions on how to restore a column to a database without
restoring the whole database?
Tony
"Eiriken" wrote:
> Hi,
> As you are having a web application you are most likely been hit by
> SQL injection.
> This is very common attack technique. If you are running your web
> application with a high privileged windows or sql server account (like
> sa). Always use a low privileged sql-account for your web
> applications. Remember that 'sa' can run commands from dos-prompt
> through your web application.
> In addition to windows and SQL server logs, go also through your IIS-
> logs. If you have an IDS/IPS/Firewall see if you can find anything in
> their logs as well. If you have some kind of logging in your web
> application see if there is anything there. My experience is that
> trying to track down the attacker can be very very difficult. Use your
> logs to understand the how the attacker attacked your application.
>
> If your application has poor input validation routines on input from
> users you are most probably vulnerable.
> The absolute best way (and probably the only way which really works)
> is to use prepared statements (or parameterized statements in .net).
> Remember that SQL-injection, although very dangerous, is only one of
> many attack-vectors to web applications.
> Hope this helps.
> Best regards,
> Eirik
>
> tnt skrev:
> > Hello,
> >
> > Our db has been compromised. A column in the table has been changed to
> > something unwarranted for. I need suggestions on how to track this or at
> > least give me some clues on how these bastard made into our database.
> >
> > Besides looking at the event logs on windows (security & system) and sql
> > logs in SQL Enterprise Manager, what/where else can I look at? At this point
> > what can i do to prevent this from happening again?
> >
> > We are on sql 2000 sp4.
> >
> > Also, one of our collegues went ahead and remove that column so it won't
> > display it in the website.
> >
> > Besides restoring the whole database, can I restore the database from backup
> > to a different name. Then from the current database import that column in?
> > I remember doing this a while ago.
> >
> > Thanks in advance.
> > tnt
>