Re: Help We Got Hacked with a SQL Injector
- From: Erland Sommarskog <esquel@xxxxxxxxxxxxx>
- Date: Tue, 24 Jun 2008 15:33:19 -0700
razor (razor@xxxxxxxxxxxxxxxxxxxxxxxxx) writes:
> Over the weekend our IIS server that we host our website on started
> serving up Trojans to everyone that visited our website. We traced it
> back to the below (see link).
> http://s3cwatch.wordpress.com/2008/06/22/wwwj8j8heicnkjs/
> We have a solid firewall and don't have any services enabled that we
> don't need, and just wondered if anyone knows some way we can prevent
> this in the future? I will pass along any info to our SQL DB manager.
Review how you access SQL Server from your web site. Make sure that
you never put input parameters directly into a SQL string, but always
use parameterised commands. For a quick introduction to SQL injection,
see here: http://www.sommarskog.se/dynamic_sql.html#SQL_injection
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
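An added illustration of the two access patterns contrasted in Erland's reply; this is not code from the thread. It uses Python's sqlite3 on a constructed in-memory table as a stand-in for the SQL Server/ADO setup the post concerns (an assumption; the concatenation-versus-parameter contrast is the same with ADO.NET SqlParameter), so it runs offline.

```python
import sqlite3

# Constructed sample data: a tiny "pages" table standing in for the
# web site's real SQL Server database.
SAMPLE_ROWS = [
    (1, "alice", "Welcome to our site"),
    (2, "bob", "Product catalogue"),
]


def make_db():
    """Build the in-memory stand-in database (assumption: SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, owner):
    """The pattern the reply warns against: the input becomes part of the SQL text,
    so quote characters in it change the statement's structure."""
    sql = "SELECT id, body FROM pages WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, owner):
    """Parameterised command: the input is bound as a value and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT id, body FROM pages WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo(owner):
    """Run the same input through both patterns and return (concatenated, parameterised).
    A parse failure in the concatenated form is returned as an 'error: ...' string."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, owner)
    except sqlite3.Error as exc:
        concat = "error: " + str(exc)
    param = lookup_parameterised(conn, owner)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for name in ("bob", "O'Brien", "x' OR 'a'='a"):
        print(repr(name), "->", demo(name))
```

For an ordinary value both forms agree; a legitimate apostrophe (O'Brien) breaks the concatenated statement outright, and a quote that closes the literal widens the concatenated query to every row while the parameterised query correctly matches nothing.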