[thelist] Website Hacked?

Todd Richards todd at promisingsites.com
Wed May 28 12:50:01 CDT 2008


Thanks, Anthony.  No, I'm not using the SA user - I have a separate user for each of the databases with strong passwords.  I just happened to see that and wasn't sure if there was any particular exploit using the SA (besides if the password was never changed).

I will also look over Ken's email again (saved them all!) and see what I can change and how.

Thanks again!

Todd


-----Original Message-----
From: Anthony Baratta [mailto:anthony at baratta.com] 
Sent: Wednesday, May 28, 2008 10:57 AM
To: todd at promisingsites.com; thelist at lists.evolt.org
Subject: Re: [thelist] Website Hacked?

Todd...

If you are using in-line SQL you should be moving to stored procedures. See Ken's previous message in this thread about parameters and proper use of DB Connection Objects.

Also, if you are using the SA user for your Web Connection - stop. Set up a limited-rights user and use that instead.

I don't think you want to disable the SA user; there may be dependencies within SQL Server that need the account active. I've always set up a strong password and left it alone.

-----Original message-----
From: "Todd Richards" todd at promisingsites.com
Date: Wed, 28 May 2008 08:17:57 -0700
To: thelist at lists.evolt.org
Subject: Re: [thelist] Website Hacked?

> OK, so I did sit down with the server logs this morning (IISLogViewer is a
> nice free utility for IIS, btw), and as Anthony mentions that was the
> problem.  I'm seeing several places where they hit my search.asp file with a
> query of "letter=n" (normal query) followed by
> ";DECLARE%20 at S%20NVARCHAR(4000);SET%20S=CAST(0X..."
> 
> So it looks as though I need to go through and see where the ball was
> dropped.
> 
> As a follow up question, while the discussion turned to DB permissions, I
> see that the SA user has access to a lot of stuff.  I know that I changed
> the password for it, but couldn't I just disable it?
> 
> Thanks again for all of your help and input.  
> 
> Todd
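As an added example (not code from the thread), the check Todd describes doing by hand over his IIS logs, written as a small Python script: it reads W3C extended log lines, decodes each query-string parameter, and flags values that carry the ";DECLARE ... CAST(0x" pattern he observed against search.asp. The log lines, field layout and indicator regex below are constructed for this example.

```python
"""Flag IIS W3C log requests whose query string carries inline T-SQL.

Added example, not from the thread. The sample log is constructed to
resemble the search.asp hits described above; IIS names the columns in
a '#Fields:' header, and fields are space-separated because IIS
percent-encodes spaces in the query string.
"""
import re
from urllib.parse import parse_qs

# Indicator modelled on the thread's observation: a normal value, then a
# statement separator followed by T-SQL that declares a variable or casts
# a hex blob. Case-insensitive, since T-SQL keywords are.
SUSPICIOUS = re.compile(r";\s*(DECLARE|CAST\s*\(\s*0x)", re.IGNORECASE)

# Constructed sample log (not real traffic). The hex blob is truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-05-27 03:14:02 10.0.0.5 GET /search.asp letter=n 192.0.2.10 200
2008-05-27 03:14:03 10.0.0.5 GET /search.asp letter=n;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C... 192.0.2.10 200
2008-05-27 03:15:10 10.0.0.5 GET /index.asp - 198.51.100.7 200
2008-05-27 03:16:44 10.0.0.5 GET /search.asp letter=b%3bdeclare%20%40s%20varchar(4000) 203.0.113.9 500
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_injection_attempts(log_text):
    """Return (client ip, uri stem, parameter, decoded value) per flagged hit."""
    hits = []
    for rec in parse_w3c(log_text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        # parse_qs percent-decodes each value, so %20/%3b cannot hide the SQL.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if SUSPICIOUS.search(value):
                    hits.append((rec["c-ip"], rec["cs-uri-stem"], name, value))
    return hits


if __name__ == "__main__":
    for ip, stem, param, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {stem} param={param!r} value={value[:60]!r}")
```

Run against a real IIS log, the flagged client addresses and parameter names show which pages still build SQL from request input and therefore need the parameterised rewrite Anthony and Ken recommend.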
