Attack on website

di11on

Hi folks,

I was looking at the access log for my site and I saw an attempt at an sql injection attack, originating from China.

How can I tell if my site or database has been compromised or corrupted?

Stab*City

di11on wrote: »

Hi folks,

I was looking at the access log for my site and I saw an attempt at an sql injection attack, originating from China.

How can I tell if my site or database has been compromised or corrupted?

log into your sql database and check recent entries try this

select * from (here enter the name of the table your querying but leave out the brackets) order by change_dt desc

that should give you any recent changes..
.. is your site hosted by yourself or a hosting company?

Bob the Builder

you're not having much luck with websites these days di11on.

as stab city said, a query on the database should tell you what happened.

comer_97

I've been getting a lot of attention on 1 particular site I host lately. It's some nvarchar sql injection, clever stuff but a right pain.

I've got it covered but it happened 3 or 4 times before I got it sorted.

and the attacks were from China aswell.

forbairt

di11on wrote: »

Hi folks,

I was looking at the access log for my site and I saw an attempt at an sql injection attack, originating from China.

How can I tell if my site or database has been compromised or corrupted?

A good idea would be to make sure you're running the latest version of oscommerce on the site ...

Each version fixes way too many bugs and exploits I've found and can become a bit of a nightmare to keep updated.

(that said maybe you're not talking about oscommerce)

DJB

We've being getting attacked every day for the past 3 months or so on a number of sites we run. We needed to clean up some legacy code but seems they are all withstanding the attacks for the last while now.

We actually created a stored procedure based on their injection script that reversed the injection action.

If you get hacked, you'll know by looking at your site straight away.

Rgds, Dave

di11on

nevf wrote: »

you're not having much luck with websites these days di11on.

as stab city said, a query on the database should tell you what happened.

LOL :-)

Forbairt wrote:

A good idea would be to make sure you're running the latest version of oscommerce on the site ...

Each version fixes way too many bugs and exploits I've found and can become a bit of a nightmare to keep updated.

(that said maybe you're not talking about oscommerce)

Yeah, it's Osc alright. My version is heavily customised and I can't remember which version I downloaded originally... but of a nightmare tracking the various realeases to see which files were updated.

Unfortunately, not every table has an updated_date, or equivalent column and there are almost 100 tables in osc.

What should I look out for... what do these attacks typically hope to accomplish? Defacement? Data corruption/stealing... all of the above?

forbairt

di11on wrote: »

What should I look out for... what do these attacks typically hope to accomplish? Defacement? Data corruption/stealing... all of the above?

In an ideal world they'd be trying to gain root access to your system

What they are really after ... could be anything

You'll find some people who just want to be able to say hey look I destroyed that ... others who want to find the credit card numbers if any are stored or peoples personal details

petergfiffin

If you have the IP of the attacker you could try updating your .htaccess file to try and deny them access to your site by blocking a range of IP addresses e.g. 233.*.*.* I know the actual IP will change each time but chances are they're using the same ISP which will tend to have a range of addresses

DJB

The sql injection can put a reference to a JS script file on their server so when you load content from the database, it loads the JS file, which could do a number of things.