Question

I have several old sites that have just been taken offline by my hosting company, apparently due to a SQL injection attack. I looked inside my database and yes I was hacked. *oops*

My database has been filled with script tags that have been appended to my original data (at least my original data is still there so that was nice of them).

I have been looking through my old code and have seen a few unsanitised input locations, so obviously I will go through this thoroughly and check for more. I'm also downloading the hacked site to compare it to the version I uploaded years ago (using some kind of file checker program); this should allow me to see if they have tried to add a backdoor.

My questions are…

1) Is there a way I can strip out all the appended script tags from my database as they are all exactly the same?

2) Is there anything else I should be aware of or have overlooked?

I would just like to point out that no sensitive material is stored on these old sites so it's no big deal, I would just like to get them back up and running again.

I am brushing up on my security knowledge and will shortly delete all the files on the host, change all the passwords and upload the improved (and less hacker friendly) site.

Thanks...

The solution

Specifically answering your script tag replacement issue, I can't see this as anything other than a manual task.

I'm sure you've considered this, but a simple replace statement on a field ought to get this stuff out:

update MyTable
set field = replace(field, 'unwanted', '')
where field like '%unwanted%'

If there are many tables and fields, then I'm sure you could conjure some sort of automation using the SQL data dictionary. Something like the following:

-- Look up the target column(s) in the data dictionary; 'Moniker' is the
-- column-name filter used here, restrict it to the column(s) you need to clean
DECLARE @ColName varchar(255), @TableName varchar(255), @sSQL varchar(1000)
DECLARE ColCur CURSOR FOR
 SELECT name, object_name(id)
   FROM syscolumns
  WHERE name = 'Moniker'

 OPEN ColCur
FETCH NEXT FROM ColCur
 INTO @ColName, @TableName

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the identifiers read from the catalog so that an
    -- unusual table or column name cannot break the generated statement
    SET @sSQL = 'update ' + QUOTENAME(@TableName) + ' set ' + QUOTENAME(@ColName) + ' = replace(' + QUOTENAME(@ColName) + ', ''unwanted'', '''') where ' + QUOTENAME(@ColName) + ' like ''%unwanted%'''

    EXEC(@sSQL)

    -- progress output: the column that was just cleaned
    SELECT @ColName, @TableName
    FETCH NEXT FROM ColCur
     INTO @ColName, @TableName
END

CLOSE ColCur
DEALLOCATE ColCur
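The same idea in portable form, as an added example that is not the answerer's code: walk the catalog to find every text column, audit how many rows still carry the exact appended string, then strip it with REPLACE. It uses Python's sqlite3 module (an in-memory database with a constructed schema and a constructed script tag stand in for the hacked site's data) rather than SQL Server's syscolumns, and it generalises the answer's single-column filter to all text columns. Only the identifiers are interpolated, and they are quoted after being read from the catalog; the string being removed is always bound as a parameter.

```python
import sqlite3

# Constructed sample: the exact tag the attacker appended to every text field.
# In a real clean-up this would be the literal string found in the dump.
INJECTED_TAG = '<script src="http://example.invalid/x.js"></script>'


def build_sample_db():
    """Create an in-memory database with two tables whose text columns carry
    the appended tag, mimicking the state described in the question."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, blurb TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO products (name, price, blurb) VALUES (?, ?, ?)",
        [
            ("Widget" + INJECTED_TAG, 9.99, "A fine widget" + INJECTED_TAG),
            ("Gadget" + INJECTED_TAG, 19.99, None),
            ("Clean item", 1.0, "untouched"),
        ],
    )
    conn.executemany(
        "INSERT INTO posts (title, body) VALUES (?, ?)",
        [("Hello" + INJECTED_TAG, "first post" + INJECTED_TAG),
         ("Second", "no tag here")],
    )
    conn.commit()
    return conn


def quote_ident(name):
    """Quote an identifier taken from the catalog so a table or column name
    containing spaces or quotes cannot break the generated statement."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Walk the data dictionary and yield (table, column) for every text
    column; the sqlite equivalent of the answer's syscolumns lookup."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _cid, col, ctype, *_ in conn.execute(
                f"PRAGMA table_info({quote_ident(table)})"):
            kind = ctype.upper()
            if "CHAR" in kind or "TEXT" in kind or "CLOB" in kind:
                yield table, col


def find_infected(conn, marker):
    """Audit first: count rows per column that still contain the marker.
    Returns {(table, column): rows} for columns with at least one hit."""
    hits = {}
    for table, col in text_columns(conn):
        t, c = quote_ident(table), quote_ident(col)
        n = conn.execute(
            f"SELECT COUNT(*) FROM {t} WHERE instr({c}, ?) > 0",
            (marker,)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def strip_marker(conn, marker):
    """Remove the exact marker from every text column; returns rows updated.
    The marker is bound as a parameter, never pasted into the statement."""
    total = 0
    for table, col in text_columns(conn):
        t, c = quote_ident(table), quote_ident(col)
        cur = conn.execute(
            f"UPDATE {t} SET {c} = replace({c}, ?, '') WHERE instr({c}, ?) > 0",
            (marker, marker))
        total += cur.rowcount
    conn.commit()
    return total


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_infected(db, INJECTED_TAG))
    print("rows updated:", strip_marker(db, INJECTED_TAG))
    print("after:", find_infected(db, INJECTED_TAG))
```

Run the audit against a copy of the hacked database first: the per-column counts tell you where the attacker's UPDATE reached, and a second audit after the strip confirms nothing with that exact string is left. Anything that differs from the known string (a second payload, truncated tags in short columns) will not match REPLACE and still needs a manual look, which is why restoring from a clean backup remains the better option when one exists.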

Other tips

I guess these would be some steps in an ideal scenario:

  1. Keep your site offline. Maybe you'd like to display a "Down for technical maintenance" message rather than a 404.
  2. Make a backup of the hacked database; you may want to analyse it later.
  3. Make sure that you fix code pieces vulnerable to SQL injection. I'd recommend doing this in a team, to be more thorough.
  4. Restore your database from a backup.
  5. Upload the (hopefully) fixed homepage.
  6. Contact your lawyer, because you may have leaked customer data.
  7. With your lawyer you would discuss the next legal steps.

As you mentioned, no sensitive material was stored on the hacked page, so that probably means you can skip steps 6 and 7.

This is an ideal time to use your backup if you have one, because you don't know exactly how your data was corrupted. If you don't have a backup, then this should be a lesson to use backups in the future and to protect yourself against such attacks. Also, if you don't have a backup, you should create an algorithm which cleans up your data, though this doesn't guarantee that no junk will remain.
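Step 3 above is where the original flaw lives, so here is the pattern to look for and its fix, as an added example rather than anything from the answer: a lookup that pastes the request value into the statement text beside the same lookup with a bound parameter. The data is constructed and sqlite3 is used for portability (the old sites' own database driver would expose the same placeholder mechanism). The probe uses a perfectly legitimate username containing an apostrophe: the concatenated version fails with a syntax error, which is the proof that user input has reached the SQL parser, while the parameterised version simply returns the row.

```python
import sqlite3


def build_users_db():
    """Constructed sample table standing in for one of the old sites."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("o'brien", "ob@example.invalid")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern to remove: the value is spliced into the statement text,
    so whatever the visitor typed becomes part of the SQL grammar."""
    sql = "SELECT id, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_fixed(conn, username):
    """Same query with a bound parameter: the driver hands the value to the
    engine separately, so it is only ever compared, never parsed."""
    return conn.execute(
        "SELECT id, email FROM users WHERE username = ?", (username,)).fetchone()


def probe(conn, username):
    """Run both versions on the same input.
    Returns (vulnerable result or exception name, fixed result); an
    exception from the first call means the input altered the statement."""
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        vuln = type(exc).__name__
    return vuln, lookup_fixed(conn, username)


if __name__ == "__main__":
    db = build_users_db()
    for name in ("alice", "o'brien"):
        print(repr(name), "->", probe(db, name))
```

When auditing the old code, every place that builds a statement with string concatenation or formatting from a request value is a candidate; rewriting each one to a placeholder query is mechanical, and a test like the apostrophe probe above catches any spot that was missed.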

First, protect from SQL injection.

Then restore the data from a recent backup.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow