[thelist] Website Hacked?

Todd Richards todd at promisingsites.com
Wed May 28 10:17:57 CDT 2008


OK, so I did sit down with the server logs this morning (IISLogViewer is a
nice free utility for IIS, btw), and as Anthony mentions that was the
problem.  I'm seeing several places where they hit my search.asp file with a
query of "letter=n" (normal query) followed by
";DECLARE%20 at S%20NVARCHAR(4000);SET%20S=CAST(0X..."

So it looks as though I need to go through and see where the ball was
dropped.

As a follow up question, while the discussion turned to DB permissions, I
see that the SA user has access to a lot of stuff.  I know that I changed
the password for it, but couldn't I just disable it?

Thanks again for all of your help and input.  

Todd


"The things that break you hopefully make you stronger - eventually?"




-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Anthony Baratta
Sent: Sunday, May 25, 2008 12:51 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Website Hacked?

Joel D Canfield wrote:
> I just checked, and the account I'm using to access the database doesn't
> have 'write' permission to the table that was damaged. Seems like a
> pretty fundamental break in the chain, so I must be missing something.
> 
> I'm confused again.

Check the Web Server Logs in the time just before the DB was 
compromised. You should find the extended URL strings and the name of 
the file they used to inject the data.


--
Anthony Baratta

"Unfortunately, because so many Americans buy into the politics of envy, 
politicians have a leg up in enacting measures that cripple economic 
growth." ---Walter Williams
-- 

* * Please support the community that supports you.  * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester 
and archives of thelist go to: http://lists.evolt.org 
Workers of the Web, evolt ! 




More information about the thelist mailing list