Help please - Block SQL injection?

Help please - Block SQL injection? - 2.Jul.2008 10:57:20 AM   
manning

 

Posts: 81
Joined: 9.Oct.2006
Status: offline
Our company website is now published behind the ISA 2006 server after many years of just sitting out in the wild on a lonely little server with nothing to protect it. Apparently I am not publishing it correctly through ISA, though, because over the last 3 or 4 days somebody has injected code into the SQL backend of the website twice. I've been plowing through the logs trying to find how they got in, to no avail yet.

So to the point, how do I block this code injection? It appends a script to the end of every line for our website which in turn seems to try and install something called Generic Downloader.z or at least that is what McAfee calls it when it alerts me that my site is infected.

It is simple enough for me to just keep editing out the code, or restore over the tables, but that obviously doesn't fix anything really now does it.

Please, any help is appreciated.

_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other things.

ISA 2006 standard on Server 2k3 R2
Post #: 1
RE: Help please - Block SQL injection? - 2.Jul.2008 1:19:11 PM   
paulo.oliveira

 

Posts: 609
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

Maybe you can take a look at these articles to help you protect your database:

A Secure SQL server
Hacking a SQL Server

Regards,
Paulo Oliveira.

(in reply to manning)
Post #: 2
RE: Help please - Block SQL injection? - 2.Jul.2008 4:38:43 PM   
manning

 

Posts: 81
Joined: 9.Oct.2006
Status: offline
Hi,

Yes, I have a third party that is going to help sort out the SQL Server security part being as I am even more ignorant with SQL server than I am with ISA.

I guess what I am asking, not very well, is whether there is an ISA element that I should consider in this regard or if it is all just SQL hardening? From what I have read so far, firewalls don't really help as much as I thought they would in protecting a website that uses an SQL backend.


(in reply to paulo.oliveira)
Post #: 3
RE: Help please - Block SQL injection? - 6.Jul.2008 9:26:18 PM   
dbellion

 

Posts: 5
Joined: 16.Jun.2006
Status: offline
Hi,
Yes, you can block SQL injection strings.
If you right-click a published website and go to Configure HTTP, there's a lot you can do here to secure your web server.
For SQL injection, use the Signatures tab. Add filters for Request URL and Request Body for common strings used in SQL injection, e.g.:
select%20 (the %20 represents a space in signature field so type "select ")
delete%20
sp_
xp_
create table (type create table in signature field)
drop table
;-
|
^
..
char(
syscolumns
Search the web for SQL injection to learn more about it and compile a list of strings you would want to block.
I also block other strings like "hkey", "c:", "d:", "regedit", etc.
Hope that helps as a starting point. It's worth getting external penetration testing to make sure you're covered.

(in reply to manning)
Post #: 4
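
A dry run of the signature list from the post above against sample requests, showing which legitimate requests the filter would also block before it is enabled. This is an added example, not part of the original post and not ISA's matching engine; the sample requests are constructed, and URL-decoded, case-insensitive substring matching is an assumption.

```python
from urllib.parse import unquote_plus

# Signature strings as listed in the post above ("select%20" typed as "select ").
SIGNATURES = ["select ", "delete ", "sp_", "xp_", "create table", "drop table",
              ";-", "|", "^", "..", "char(", "syscolumns"]

# Constructed sample traffic: (label, known_benign, request URL, request body).
SAMPLE_REQUESTS = [
    ("home",     True,  "/default.asp", ""),
    ("product",  True,  "/products.asp?id=42", ""),
    ("search",   True,  "/search.asp", "q=how+to+select+a+plan"),
    ("logo",     True,  "/img/wasp_logo.gif", ""),
    ("news",     True,  "/news.asp?title=To+be+continued...", ""),
    ("injected", False, "/products.asp?id=42;select%20name%20from%20syscolumns", ""),
]

def matched_signatures(text, signatures=SIGNATURES):
    """Signatures found in text. Assumption: URL-decoded, case-insensitive
    substring matching, which models the idea, not ISA's own engine."""
    decoded = unquote_plus(text).lower()
    return [s for s in signatures if s in decoded]

def dry_run(requests, signatures=SIGNATURES):
    """Return {label: {"url": [...], "body": [...]}} for requests that match."""
    report = {}
    for label, _benign, url, body in requests:
        hits = {"url": matched_signatures(url, signatures),
                "body": matched_signatures(body, signatures)}
        if hits["url"] or hits["body"]:
            report[label] = hits
    return report

def false_positives(requests, signatures=SIGNATURES):
    """Labels of known-benign requests that the signature list would block."""
    blocked = dry_run(requests, signatures)
    return [label for label, benign, _u, _b in requests if benign and label in blocked]

if __name__ == "__main__":
    for label, hits in dry_run(SAMPLE_REQUESTS).items():
        print(f"{label:9} url={hits['url']} body={hits['body']}")
    print("benign but blocked:", false_positives(SAMPLE_REQUESTS))
```

Replacing SAMPLE_REQUESTS with URLs and bodies from the site's own web logs shows which signatures need tightening before they go into the rule.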
RE: Help please - Block SQL injection? - 7.Jul.2008 7:33:55 AM   
paulo.oliveira

 

Posts: 609
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

Thanks for the great tip! Now you can combine both for a hard level of security: blocking strings and hardening your database.

Regards,
Paulo Oliveira.

(in reply to dbellion)
Post #: 5
RE: Help please - Block SQL injection? - 7.Jul.2008 9:32:46 AM   
manning

 

Posts: 81
Joined: 9.Oct.2006
Status: offline
Wow! Awesome information there. Thank you very much, that is a great starting point.


(in reply to dbellion)
Post #: 6
RE: Help please - Block SQL injection? - 7.Jul.2008 9:56:31 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi D,

Great info!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 7
RE: Help please - Block SQL injection? - 11.Jul.2008 9:21:53 AM   
manning

 

Posts: 81
Joined: 9.Oct.2006
Status: offline
Hi,

I took a look at my web publishing rule for the site in question and I can't find what you mention below:

quote:

ORIGINAL: dbellion
If you right click a published website, go to Configure HTTP - there's a lot you can do here to secure your web server.
For SQL injection, use the Signatures tab.


I'm supposed to be looking at the rule, right? Not something in IIS on the web server? When I right click the web publishing rule for this site or any of my other sites I don't see anything in the popup menu about Configure HTTP, and when I select Properties I don't see anything under any of the tabs that takes me anywhere like what you describe. I'm lost. What am I missing? Do I need to create a Protocol definition and use that for this site instead of the default HTTP protocol?

ISA 2006 Standard.


(in reply to dbellion)
Post #: 8
RE: Help please - Block SQL injection? - 11.Jul.2008 12:07:14 PM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
If you don't see the Configure HTTP option on the Web Publishing Rule, then someone unbound the Web Proxy Filter from the HTTP protocol. Re-enable that to get the option back and make the changes, then you can unbind it again later.

HTH,
Tom


(in reply to manning)
Post #: 9
RE: Help please - Block SQL injection? - 11.Jul.2008 2:16:02 PM   
manning

 

Posts: 81
Joined: 9.Oct.2006
Status: offline
Ah, I see now. Thanks


(in reply to tshinder)
Post #: 10
RE: Help please - Block SQL injection? - 22.Jul.2008 4:18:42 PM   
manning

 

Posts: 81
Joined: 9.Oct.2006
Status: offline
OK, slightly off tangent, but still regarding SQL injection vulnerabilities. Was the recent wave of SQL injection attacks so different from earlier ones that a well-written website would still have been vulnerable? By that I mean, if a site had been written a year ago taking into consideration SQL injection security issues at the time, would that have helped prevent the recent variant of attacks?


(in reply to manning)
Post #: 11
