Re: Tools For Scanning Data?



Corey,

It's quite unlikely, even virtually impossible (but impossible only means that I haven't yet discovered a way...) to get anything into varchar fields that can then be retrieved and used against the SQL Server. In this case, Cross Site Scripting (CSS) would be limited to embedded html that could be used to 'deface' a web site.

Since you are concerned that a hacker may have had access to the sa account, you are wise to inspect, even replace from source control, the code objects. I would especially search for stored procedures with sp_addlogin, sp_addsrvrolemember, and sp_addrolemember - in fact, I would look for, and examine, any use of '%sp_%' or '%xp_%' in the DEFINITION column of INFORMATION_SCHEMA.ROUTINES.

I would also thoroughly verify each and every login transferred to the new server, even changing all passwords if possible.

--
Arnie Rowland, Ph.D.
Westwood Consulting, Inc

Most good judgment comes from experience.
Most experience comes from bad judgment.
- Anonymous

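The review Arnie describes above, written out as T-SQL. This is an added example, not code from the thread or from either poster. It assumes SQL Server 2005 or later for the sys.sql_modules and sys.server_principals catalog views; the INFORMATION_SCHEMA query alone also runs on SQL Server 2000, where the column is named ROUTINE_DEFINITION and is truncated at 4000 characters, so the full-text pass over sys.sql_modules is the one to trust. Note that `_` is a LIKE wildcard in T-SQL, so a plain `'%sp_%'` also matches "spa", "spo", and similar; the bracket form below matches a literal underscore.

```sql
-- Added example (not from the thread): review code objects and logins on a
-- SQL Server after a suspected sa compromise, before migrating databases.
-- Assumes SQL Server 2005+ for sys.sql_modules / sys.server_principals.

-- 1. Routines whose body references a system (sp_) or extended (xp_) procedure.
--    INFORMATION_SCHEMA.ROUTINES exposes the text as ROUTINE_DEFINITION.
--    [_] escapes the underscore so LIKE matches it literally.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, LAST_ALTERED
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_DEFINITION LIKE '%sp[_]%'
   OR ROUTINE_DEFINITION LIKE '%xp[_]%'
ORDER BY LAST_ALTERED DESC;

-- 2. Same search over the complete (untruncated) text of every module:
--    procedures, triggers, functions and views, since a DDL or DML trigger
--    is just as much a "code object" as a stored procedure.
SELECT o.type_desc,
       SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name,
       o.modify_date,
       m.definition
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition LIKE '%sp[_]addlogin%'
   OR m.definition LIKE '%sp[_]addsrvrolemember%'
   OR m.definition LIKE '%sp[_]addrolemember%'
   OR m.definition LIKE '%xp[_]cmdshell%'
ORDER BY o.modify_date DESC;

-- 3. Objects changed recently, regardless of content. Compare this list
--    against source control; anything not accounted for gets replaced.
--    '2006-09-01' is a placeholder; use the earliest date of suspected access.
SELECT type_desc, SCHEMA_NAME(schema_id) AS schema_name, name, create_date, modify_date
FROM sys.objects
WHERE is_ms_shipped = 0
  AND modify_date >= '2006-09-01'
ORDER BY modify_date DESC;

-- 4. Server-level logins and who holds sysadmin (or any fixed server role).
--    Every login that will be transferred to the new server is verified here;
--    unknown members of sysadmin are the first thing to look for.
SELECT r.name AS server_role,
       p.name AS login_name,
       p.type_desc,
       p.create_date,
       p.modify_date,
       p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
ORDER BY r.name, p.name;

-- 5. Database-level role membership in the database being migrated,
--    to catch an unexpected db_owner or similar added via sp_addrolemember.
SELECT r.name AS database_role,
       u.name AS member_name,
       u.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = drm.member_principal_id
WHERE r.is_fixed_role = 1
ORDER BY r.name, u.name;
```

Run queries 1 through 3 and 5 inside each database you intend to move, and query 4 once on the old server. The lists are a starting point for comparison against source control and your login inventory, not a verdict: a hit on `sp_` in a legitimate maintenance procedure is normal, while a routine that nobody can trace to a checked-in script, or a login nobody recognizes in sysadmin, is what warrants replacing the object or dropping the login before the migration.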

<corey.burnett@xxxxxxxxx> wrote in message news:1157993853.405198.320680@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Michael Hotek wrote:
No, you can not "infect" data within a database. Nothing within a table is
executable and therefore is unaffected. However, you can have your data
damaged which is a completely different issue.

--
Mike Hotek
MHS Enterprises, Inc
http://www.mssqlserver.com


The main thing that we are concerned about is that somehow the hacker
has put something in to the database so that when we move all of the
data to our new, "clean" servers, then the hacker will be able to
re-open a back door or something on the new servers. I understand that
there is nothing you can do to "infect" the data. However there could
be HTML in the data that could lead to a Cross Site Scripting attack -
is that correct? Also, since the hackers seem to have had the SA
password during the attack, we should probably make sure that they
didn't alter any stored procedures. I am guessing that they could
alter a stored procedure that they know will run so that it reopens a
back door on the new servers. Are these the only things we should be
worried about? Are there other things a hacker could do that could put
our new, "clean" servers in danger if we move the old databases over to
the new servers? Also, are there any automated tools out there that
can help you if you feel that your SQL Server may have been compromised? I
have searched and searched and found nothing. I can only find tools
that will help you back up, restore, recover, and lock down databases.
Nothing to help you try and clean them up after the fact.

Thanks,
Corey

