Hundreds of websites under attack, and Microsoft, are you doing something?

Following my last post on the subject of SQL injection, this story is far from finished. First, thanks for all your comments; I really applied most of the advice, like checking for query string vulnerabilities, XSS, etc.

I don't use dynamic SQL queries, only stored procedures. I don't say it's perfect, but all the basics are covered.

But the attacks are still going on. I know which server it's coming from, but I still don't know how they do it. However, I raise the alarm again today because of a few things I discovered:

- The number of sites attacked is growing by the minute: on Google, 11000 results were found yesterday searching for jpdog.3322; this morning, 27000!!
- All the attacked pages are .ASP or .ASPX, not a single HTML or PHP file.
- I changed the database username and password many times, and of course the same in my connection strings, and the attack continues.
It looks like the nasty code is able to read the web.config file, which is a very serious security flaw if that's the case.

So far, the only way I found to block the database access was to create a user with all database permissions denied except Select. I can see in my SQL logs the constant "Login failed for the user xxx..." (one try every two minutes).

I now urgently request an answer from Microsoft on the matter, because I don't think this is just a simple SQL injection attack, but something more dangerous.
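The "Login failed" entries the post describes, counted per client address, are what tell a dictionary brute force (one source, several login names, a fixed cadence) apart from an application with a stale connection string. This is an added example, not part of the original post: the log lines are constructed in the layout of the SQL Server ERRORLOG with placeholder addresses, and the 30-minute window and threshold of three failures are assumptions to tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of the SQL Server ERRORLOG (not taken from the post);
# 192.0.2.10 and 10.0.0.5 are placeholder addresses.
SAMPLE_ERRORLOG = """\
2008-05-12 09:00:03.12 Logon       Error: 18456, Severity: 14, State: 8.
2008-05-12 09:00:03.12 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2008-05-12 09:02:03.45 Logon       Error: 18456, Severity: 14, State: 8.
2008-05-12 09:02:03.45 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2008-05-12 09:04:03.71 Logon       Error: 18456, Severity: 14, State: 5.
2008-05-12 09:04:03.71 Logon       Login failed for user 'admin'. [CLIENT: 192.0.2.10]
2008-05-12 09:06:04.02 Logon       Error: 18456, Severity: 14, State: 5.
2008-05-12 09:06:04.02 Logon       Login failed for user 'webuser'. [CLIENT: 192.0.2.10]
2008-05-12 09:31:17.88 Logon       Error: 18456, Severity: 14, State: 8.
2008-05-12 09:31:17.88 Logon       Login failed for user 'webuser'. [CLIENT: 10.0.0.5]
2008-05-12 09:40:00.00 spid52      Starting up database 'tempdb'.
"""

# Matches the line that names both the login tried and the client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events


def brute_force_sources(events, window=timedelta(minutes=30), threshold=3):
    """Flag clients with at least `threshold` failures inside any `window`.

    For each flagged client report the total attempts, the distinct login
    names tried (a growing list means a dictionary, not a stale connection
    string) and the shortest gap between attempts (a fixed cadence, like the
    two minutes in the post, points to a script rather than a person).
    """
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))

    flagged = {}
    for client, items in by_client.items():
        items.sort()
        times = [t for t, _ in items]
        # Sliding window: j only ever moves forward as i advances.
        j, hit = 0, False
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                hit = True
                break
        if not hit:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        flagged[client] = {
            "attempts": len(items),
            "users": sorted({u for _, u in items}),
            "min_interval_s": min(gaps) if gaps else None,
        }
    return flagged


if __name__ == "__main__":
    for client, info in brute_force_sources(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(client, info)
```

On a real instance the same text lives in the ERRORLOG file under the instance's LOG directory (rotated copies are ERRORLOG.1, ERRORLOG.2, and so on) and can also be read with the xp_readerrorlog stored procedure; either can be fed to parse_failed_logins. A single outside address cycling through login names, as the sample shows, is the case the commenters describe, and the remedy they give is the right one: the port should not be reachable from that address at all.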


8 Comments

  • I know this is an obvious statement, but have you tried encrypting your connection strings?

    I hope you get to the bottom of it soon, dude.

  • Looks like a server just scanned for specific open MS SQL ports and ran a dictionary brute-force attack. It's not related to any site or web.config.
    I see this on a few servers (on the last, fresh server, the attack started 3 hours after I installed MS SQL!!!).
    I solved this problem very easily: block access to the MS SQL ports via firewall (access allowed only for specific IPs).

  • It's probably just a hex injection. Properly secured code and web pages shouldn't be affected by this, though, and it's not a new problem.

  • Glad you found the source of it, man. I have my DB server safely locked away behind a firewall; the only access is via the main web servers.

  • I'm glad you posted this. I checked in on our servers and found one that's been under a brute force attack for a couple days now.

    All of the attempts on our server have come from 72.26.227.42.

  • The obvious question is: do you have SQL open at the firewall to external users?

    Hey - is this your dedicated server? If so, why don't you install a packet sniffer and actually see what they are doing instead of trying to guess ;-)

    Dave

  • Not sure how your failure to secure your server is Microsoft's fault? You say you have covered the basics, but that's really not good enough. Your server security is only as good as your weakest point.

    My suggestion is to open a paid support ticket with Microsoft, so that they can formally help you resolve the issue(s).

  • "I agree with you. My SQL server is behind a second firewall. I am not using sa but a simple user with read access only. See my new post about the matter; it's really new for me and apparently thousands of us, because this time it's coming through a cookie executing some SQL commands along the request stream. Prove me wrong, but it's the first time I heard that a cookie can execute itself! If it's not a flaw, what is it? Paschal"
    I agree with tmorton and everyone else. No traffic from the internet should come anywhere NEAR your SQL server. We have a firewall in front of our web servers, then a second firewall in front of our SQL servers that only allows traffic from the internal network.
    DB servers should never be accessible from the web. I'm not sure how you sleep at night if they are.
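One commenter calls the attack a "hex injection" and the last comment describes SQL arriving in a cookie. As an added example (not code from the post or from any commenter), the check below scans request values for a hex literal being cast to a string type and handed to EXEC, and decodes the literal so an operator reviewing the request log can see what SQL it carried. That CAST(0x... AS VARCHAR)/EXEC shape is an assumption about what "hex injection" means here, and the request values are constructed; the hex in them spells a harmless SELECT 1.

```python
import re

# Assumed "hex injection" shape: a hex literal cast to a string type, then executed.
HEX_CAST = re.compile(
    r"CAST\s*\(\s*0x(?P<hex>(?:[0-9a-fA-F]{2})+)\s+AS\s+N?(?:VAR)?CHAR\b", re.IGNORECASE
)
EXEC_CALL = re.compile(r"\bEXEC(?:UTE)?\s*\(", re.IGNORECASE)


def decode_hex_literal(hexdigits):
    """Turn the hex literal back into the SQL text it encodes.

    An NVARCHAR payload is UTF-16LE (every second byte is zero for ASCII text);
    anything else is treated as a single-byte VARCHAR payload.
    """
    raw = bytes.fromhex(hexdigits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def find_hex_injection(values):
    """values: {(source, name): value} for query string, form and cookie fields.

    Returns one finding per value that carries a hex-to-string CAST, with the
    decoded SQL and whether the same value also calls EXEC on it.
    """
    findings = []
    for (source, name), value in values.items():
        m = HEX_CAST.search(value)
        if not m:
            continue
        findings.append({
            "source": source,
            "name": name,
            "decoded": decode_hex_literal(m["hex"]),
            "executed": bool(EXEC_CALL.search(value)),
        })
    return findings


# Constructed request (not a captured one): the cookie carries SELECT 1 as a
# VARCHAR hex literal and executes it; the form field carries the same text as
# an NVARCHAR (UTF-16LE) literal without an EXEC.
SAMPLE_REQUEST = {
    ("query", "id"): "42",
    ("cookie", "session"): "a1b2c3d4",
    ("cookie", "ref"): "1;DECLARE @s VARCHAR(4000);SET @s=CAST(0x53454C4543542031 AS VARCHAR(4000));EXEC(@s)--",
    ("form", "q"): "x' UNION SELECT CAST(0x530045004C0045004300540020003100 AS NVARCHAR(4000))--",
}

if __name__ == "__main__":
    for finding in find_hex_injection(SAMPLE_REQUEST):
        print(finding)
```

This is an aid for reading logs and captured requests, not a defense: a filter keyed to one encoding is sidestepped by the next, which is why the commenters point at parameterized queries, a least-privilege login and a firewall in front of the database rather than inspecting input.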
