Web site infected with SQL injection script

mapleleaf

MB Enthusiast
Joined
Dec 4, 2002
Messages
1,719
Location
Hinckley, Leicestershire
Car
2022 GLC 300 estate- replaced 2018 Gle 43 AMG Night - replaced previous 2015 E63 AMG
My company web site has recently been infected with a virus which thankfully our workstations' Sophos protection flagged up when opening the admin section of our site to perform regular database maintenance of registered users. It's an interactive site where users can register and upload CVs.

Our web designers who host the site on their servers (but who are not our ISP) have decided that they need to charge me 7 hours development time @ £85/hr to eradicate the virus and set in place measures to prevent a similar occurrence. I think they have me by the short & curlies and I have no choice but to stump up just to get my site functional again. And with no guarantees that it will end there.

Has anyone else come across this type of virus, and is it reasonable to be charged to have it fixed even though it's hosted on what ought to be secure servers?

I of course questioned their thinking as to why I should be charged - here is their explanation to me - I have removed their company name:

"SQL injection is prevalent in many forms and each case, like a new virus, has to be assessed and a corrective course of action defined. The best analogy to use is that of a virus, a virus is a breach of security but no ISP can or will ever agree to protect any mail recipient of a virus as every day the range, number and techniques deployed can change dramatically.

Certain mainstream anti-virus suppliers such as Symantec provide fixes and patches to such attacks and the end user simply pays an annual fee for that protection.

To date XXXXXX does not offer any guarantee against virus, Trojan, or hacking on a site by site basis. What it does protect against is security for its systems and infrastructure which are protected by firewalls, anti-virus, and intrusion detection systems. Any violation of these systems is immediately identified and corrective action taken for the good of all its clients.

When an individual site is hacked or violated it is the responsibility of the site owner, unless the site is hacked or violated by attacking the ISP's infrastructure i.e. they discover a hole in the firewall or manage to hack a terminal services client that gives them administrative rights on to a web server.

Tomorrow or the day after could potentially see other attacks on your site and as technology and techniques improve XXXXX does not have a crystal ball to see what threats might be coming.

Summarising to date we know the type of attack your website suffered and we have identified modifications to your site that will prevent this attack happening again. It might not prevent any other future type of attack, in a form that as of yet is not being deployed by activists. We can only react on a case by case basis.

Had the virus been introduced by someone breaching our security systems then as you suggest we would have reacted immediately and at our cost. Because this attack was at site level and introduced through your website we have offered to help you to fix the database and then prevent this particular type of attack from happening again but it must be at your cost. It is not commercially viable and we would never guarantee for XXXX to go around fixing everyone's site every time a new hacking technique is deployed or discovered anywhere in the world, as the arena is too fluid for us to understand all the threats and the solutions.

At the time of your site being developed we had deployed a number of techniques to prevent certain types of SQL injection but, since then, activists have deployed new techniques that need additional and more complex protection. As mentioned above even this solution deployed to date might not stop future attacks as new techniques are designed.

I trust this answers your query."
 
SQL injection is not a virus, it's a direct attack on your system via your webpages. The company who designed your site should have put in place preventative measures.

Quite simply SQL injection targets poorly implemented code, code that your webdesigners wrote!
 
SQL injection is not a virus, it's a direct attack on your system via your webpages. The company who designed your site should have put in place preventative measures.

Quite simply SQL injection targets poorly implemented code, code that your webdesigners wrote!

This is how I understood it (albeit at a simple level). It is something that you should be able to find out plenty about via Google.

My basic understanding is that to interrogate a database there are several methods, but certainly one uses the URL string itself to form the query (via the GET or POST, can never remember which is which), so by hijacking this string and inserting your own code you can do all sorts of damage. One of the simplest ways to get around this is to make sure the connection string through which your web app accesses the DB uses a limited access account. Also make sure that the DB you are using has a strong password on the Admin account, not just the default one.
 
You got ripped off by your web designer at £85 an hour. The most at the moment is £50ph or less.:devil:
 
As usual, Wikipedia has a nice explanation of an SQL injection attack...
http://en.wikipedia.org/wiki/SQL_injection

I'm sorry to say, but any developer who made a form-submission system that does not filter escape characters (parametrize statements) is a moron.

It is like saying you have a password form that doesn't actually check if the password is correct.

While I agree that they cannot predict nor protect you from future attacks, SQL injection is a VERY old attack that the smallest of script-kiddies can run. If the website/form processing script was not designed/patched to handle this then there are some pretty clueless developers... It's like saying, we can't protect you against new threats, but we can't protect you against old threats either.

If you do fork out, ask them what they plan on doing.
- Are they planning to correct corrupt/incorrect data?
- Do they have a contingency plan for any data that was leaked to the attackers?
- Will they change users' passwords and other confidential data?
- Will they actually fix the scripts to do some escape character checking?
- I can't remember if the DP act requires you to contact the people of whom you lost the confidentiality of the data, if so, will they do this?
- Will they analyse logs to trace where the attack came from (it's possible the attacker was stupid enough not to use a proxy...)

Michele

P.S. Have you involved the Police?
 
Indiepath - I agree with you there about the design etc. They say it's a new method of SQL injection that they have not been able to protect against when the site was designed in 2006.

Ratz, cheers for the input,
We have several admin users with limited capability - we use the website to post & maintain job listings as well as to pull off details of registered users & their CVs. Only myself, my co-director and the web design team have full admin access but that's only to the admin user interface. We don't have access directly to the backend database held on the web hosting company's servers.

What is the repair process? Do they have to write some new code on every single web page?
 
What is the repair process? Do they have to write some new code on every single web page?
It's twofold:
- Damage containment (i.e. remove any 'fake'/corrupt data that has been added, and verify all data that is in your system - including scripts as these can have been modified depending on what access the attackers gained. You may also need to inform the people who posted their CVs as their personal data may have been accessed by unauthorised third parties. I can't remember the specifics of the DP act; maybe someone can do so better than me)

- Patching the scripts; (depending on how many form-processing scripts you have, each of these will need to be modified. The changes aren't major, usually one or two lines of code per input, but this can be time-consuming if the code isn't documented)

Michele

EDIT: Off another site, not sure if it applies:
If you discover that data has been lost or if you believe there has been a breach of the data protection principles in the way data is handled, then you must immediately inform the relevant Information Asset Owner who must follow the Department's policy on breach reporting. The first priority must always be to close or contain the breach and then to mitigate the risks to those individuals that may be affected by it. The Agency or Departmental Data Protection Officer should be informed as soon as possible.
 
The web tech people have informed me that the SQL injection attack has changed our URL such that users accessing the site are directed to another URL that then downloads a virus to the users' PC, and they believe there has been no unauthorised accessing of our users' data. If this is the case then we don't appear to have a DP issue.

The site is now shut down pending completion of maintenance work.

Thanks for the input everyone. I'll use the info to try to get my bill reduced / cancelled.
 
Steve, this is a SQL injection attack, attempted on a site I developed:

[FONT=&quot]a=11115&sr=1%20and%201=convert(int,(select%20system_user))--sp_password[/FONT][FONT=&quot]

This is part of a URL; everything after 'sr=1' was inserted by the attacker[/FONT] .

As *every* URL variable is checked before being actioned on, this and every other attempt, failed.

If your web developers haven't been verifying input, then they are clearly at fault and should fix without charge.

Do you know what server-side technologies your site uses, i.e. ASP.NET, ColdFusion, PHP, etc.? Do you know how the attack took place, i.e. was it via a URL (querystring)?


[image: exploits_of_a_mom.png]

(sorry :rolleyes:)
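An added example, not code from the thread or from the site's developers, of the two defences these posts describe: checking every URL variable before it is acted on, and parameterised statements. It uses Python with an in-memory SQLite table as a stand-in for the site's database; the table, rows and parameter names are constructed for illustration, and the attack string is the one quoted above.

```python
import sqlite3
from urllib.parse import parse_qs

# The injection attempt quoted in the post above, and a legitimate request.
ATTACK = "a=11115&sr=1%20and%201=convert(int,(select%20system_user))--sp_password"
LEGIT = "a=11115&sr=1"

# Every querystring variable the page accepts, and the type each must have.
EXPECTED = {"a": int, "sr": int}

def open_db():
    """Constructed in-memory stand-in for the site's job-listing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (a INTEGER, sr INTEGER, title TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)",
                     [(11115, 1, "Senior engineer"), (11115, 2, "Junior engineer")])
    return conn

def unsafe_sql(querystring):
    """The statement a concatenating script would send: the attacker's text
    is spliced into the SQL, and '--' comments out whatever followed."""
    q = parse_qs(querystring)
    return "SELECT title FROM jobs WHERE a=%s AND sr=%s" % (q["a"][0], q["sr"][0])

def validate(querystring):
    """Check every URL variable before it is acted on: reject unknown or
    repeated names and any value that is not of the declared type."""
    q = parse_qs(querystring)
    clean = {}
    for name, values in q.items():
        if name not in EXPECTED or len(values) != 1:
            raise ValueError("unexpected parameter %r" % name)
        try:
            clean[name] = EXPECTED[name](values[0])
        except ValueError:
            raise ValueError("bad value for %r: %r" % (name, values[0]))
    return clean

def safe_query(conn, a, sr):
    """Parameterised statement: values travel separately from the SQL text,
    so even the raw payload is compared as data and never executed."""
    rows = conn.execute("SELECT title FROM jobs WHERE a=? AND sr=?", (a, sr))
    return [r[0] for r in rows.fetchall()]
```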
 
Thanks Flyer,
the website is in ASP but they tell me they are now designing all new websites in dot net, and offering a conversion service to dot net. It seems the attack was a URL string to direct users to a bogus virus-infected site. I am assured it was "just" a malicious attack and not one designed to retrieve or view the database records; there seems no evidence to suggest anything else has been tampered with.
 
I'd be wary of any web developer that called an SQL injection a "virus", and SQL injection is an exploit, because it exploits vulnerabilities in existing code.

Web developers cannot be expected to produce a site that will remain exploit free, that would be an unreasonable expectation, as hackers are always coming up with new and wonderful ways of hacking sites. This is why you see popular CMS systems and popular forum software releasing security updates on a monthly basis (approx).

It sounds like you have a bespoke site coded by your web developer, as opposed to something off the shelf. If that is the case then yes, it is fair you should expect to pay for ongoing maintenance including security updates unless it is covered in the SLA you agreed to. Unless, as Flyer says above, you can prove they were negligent and brought it upon themselves....
 
^ You'd like to think he's got this sussed since 2008.
 
I just re-read your post.

7 hours development time @ £85

£600 to fix an SQL injection vulnerability?

The fix should be a simple change to the code, they have already identified the corrections, they just need to deploy them now. I would find it VERY difficult to justify £600 for this.

The repair work to the database could feasibly involve manually intensive work, however a few SQL queries should suffice and that would take half an hour.

The other thing of note, is that SQL injection attacks are in the main deployed against two types of site.

1. Extremely popular CMS, bulletin boards and scripts as the high number of targets and possible reward justifies the time taken to code and distribute the attack.

2. High value targets such as Banks for possible monetary gain.

So the question is, which of those does your site fall into? I do not know your business, but unless you are a major corporation with high visibility and an attractive proposition for hackers, something is starting to sound a bit suspicious.....
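An added example, not from the thread, of the damage-containment and repair step discussed in the posts above (removing injected data with a few SQL queries, then verifying it is gone). Assumptions: the injected redirect is a script tag appended to text columns (an assumed pattern, with an invented placeholder host), and the SQLite table and rows are constructed stand-ins for the site's database.

```python
import sqlite3

# Assumed pattern for illustration: the injected redirect is a script tag
# appended to text fields. The host is a placeholder, not from the thread.
INJECTED = '<script src="http://attacker.invalid/redirect.js"></script>'

# Constructed sample rows: row 1 has been tampered with, row 2 is clean.
SAMPLE = [
    (1, "Senior engineer" + INJECTED, "Leicester" + INJECTED),
    (2, "Junior engineer", "Hinckley"),
]

# Hard-coded allowlist of the text columns to inspect; identifiers are
# only ever taken from here, never from user input.
TEXT_COLUMNS = {"jobs": ["title", "location"]}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, location TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", SAMPLE)
    return conn

def find_tainted(conn, marker="<script"):
    """Count rows per text column that carry the marker: run before cleanup
    to size the damage, and again afterwards to confirm nothing remains."""
    counts = {}
    for table, cols in TEXT_COLUMNS.items():
        for col in cols:
            n = conn.execute("SELECT COUNT(*) FROM %s WHERE %s LIKE ?" % (table, col),
                             ("%" + marker + "%",)).fetchone()[0]
            counts[table + "." + col] = n
    return counts

def strip_injected(conn, injected=INJECTED):
    """Remove the exact injected string from every allowlisted text column
    with UPDATE ... replace(); returns the total number of rows changed."""
    changed = 0
    for table, cols in TEXT_COLUMNS.items():
        for col in cols:
            cur = conn.execute(
                "UPDATE %s SET %s = replace(%s, ?, '') WHERE %s LIKE ?" % (table, col, col, col),
                (injected, "%" + injected + "%"))
            changed += cur.rowcount
    conn.commit()
    return changed
```

Any unrecognised variant of the injected string will still show up in the second find_tainted() pass, which is the signal to inspect those rows by hand rather than assume the cleanup is complete.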
 
As others said, SQL injection is a vulnerability, not a virus.

And if they designed the site in 2006, they are right to charge you for fixing it, unless you have an ongoing maintenance agreement with them and they are responsible for maintaining the website, in which case they should have patched it up when the vulnerability became known.

And £85 per hour is not unreasonable, hourly rates for web SQL development generally vary from £50 to £100 (£120 is the highest I have seen for this sort of work).

7 hours for this does sound excessive though.
 
Yep, def sorted at the time. Thx for your comments though.


Completely changed & rebuilt website since then.


Have a great new year
 
Why is spam from 3 days ago still on here?

Do none of the mods or admins actually read the threads on this forum or view the reports?
 
Yep, def sorted at the time. Thx for your comments though.


Completely changed & rebuilt website since then.


Have a great new year

Getting a bit confused now... which post was this in reply to?
 