Yes, it happened to one of my clients: their database was hacked using a SQL injection attack. This was the second time it happened in a month. (Actually the third: it happened overnight again while I was trying to clean up the database and figure out where the vulnerable code was located.)
It turns out the vulnerable pages were old classic ASP pages written about 7 years ago (not by me or anyone I know). I showed the client the danger of this type of code by deleting a test table we created in the site's database.
The vulnerable web pages have been updated and the client is happy. I am guessing that the web site was hit by one of the bots that look for sites susceptible to SQL injection attacks. They have been out there for several months now, but seem to be becoming more common.
Lessons Learned:
Make sure your web host is making nightly backups of your web site and keeps them for several days. IMHO a week to 10 days is better.
If you are dealing with a legacy site (old code), try to devote resources to checking the code for these vulnerabilities.
Warning Moderate Level TechTalk:
The hack tried to open an IFrame with a size of zero using JavaScript, which would load malicious software on the user's computer. Google nihaorr1 to see how many sites have been affected. You'll see code such as script src="...nihaorr1.com...". (On April 8, 2008 there were over 3000 pages showing up in Google.)
Warning Higher Level TechTalk:
How did the hack work?
The site used pages such as eventdetail.asp?eventID=151, and the attacker simply appended text to the query string sent to the web site. If one looked in the traffic logs for the site, the altered URL would look like this: eventdetail.asp?eventID=151;DECLARE @S VARCHAR(6000);SET @S=CAST(0xNumberString AS VARCHAR(6000)); EXEC(@S)
The NumberString was the hex-encoded ASCII of SQL commands that declared variables and opened a cursor over the sysobjects and syscolumns tables to find data columns the attacker could append text to. The appended text was the HTML and JavaScript that created the IFrame.
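As an added example (not code from the post or from the client's site), the Python below shows the defender's side of the pattern just described: it scans constructed IIS-style log lines for the ";DECLARE ... CAST(0x...) ... EXEC" batch, decodes the hex literal so an analyst can read what would have been executed, and contrasts the string-built query that lets the batch through with a validated, parameterised lookup. It goes slightly beyond the post's VARCHAR case by also decoding the NVARCHAR form of the same batch, which SQL Server reads as UTF-16LE. The log lines, the events table, the column names and the payload hex (which encodes a harmless SELECT, not the attacker's batch) are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# --- Constructed sample data (not from the post) ---------------------------------
# The hex below stands in for the post's "0xNumberString"; it encodes a harmless
# SELECT so the decoder has something readable to recover.
SAMPLE_HEX = "SELECT 'constructed sample' AS note".encode("ascii").hex().upper()

# Simplified W3C log lines: date time method uri query status (constructed).
SAMPLE_LOG = (
    "2008-04-08 03:12:44 GET /eventdetail.asp eventID=151 200\n"
    "2008-04-08 03:12:45 GET /eventdetail.asp "
    "eventID=151;DECLARE%20@S%20VARCHAR(6000);SET%20@S=CAST(0x" + SAMPLE_HEX +
    "%20AS%20VARCHAR(6000));%20EXEC(@S) 200\n"
    "2008-04-08 03:13:01 GET /eventdetail.asp eventID=152 200\n"
)

# Signature of the batch the post describes: a DECLAREd variable filled from a
# hex literal via CAST and handed to EXEC. Case-insensitive; the bots varied casing.
INJECTION_RE = re.compile(
    r"DECLARE\s+@\w+\s+(N?VARCHAR)\s*\(\d+\).*?"
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\s*\(\d+\)\s*\).*?EXEC\s*\(",
    re.IGNORECASE | re.DOTALL,
)

def parse_log_line(line):
    """Split one simplified log line into fields; query string is URL-decoded."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, uri, query, status = parts
    return {"date": date, "time": time, "method": method, "uri": uri,
            "query": unquote(query), "status": status}

def decode_payload(hex_string, declared_type):
    """Recover the SQL text the server would EXEC from the CAST hex literal.
    VARCHAR is single-byte text; NVARCHAR is UTF-16LE on SQL Server."""
    raw = bytes.fromhex(hex_string)
    if declared_type.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def find_injection(query):
    """Return a finding for one decoded query string, or None if it looks clean."""
    m = INJECTION_RE.search(query)
    if not m:
        return None
    declared_type, hex_string = m.group(1), m.group(2)
    return {"declared_type": declared_type.upper(),
            "decoded_sql": decode_payload(hex_string, declared_type)}

def scan_log(text):
    """Walk the log and collect every request carrying the injection batch."""
    findings = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        hit = find_injection(entry["query"])
        if hit:
            findings.append({**entry, **hit})
    return findings

# --- Application side: the weak pattern and the fix -------------------------------
def build_unsafe_sql(raw_value):
    """The classic-ASP style of concatenating the URL value into the SQL text.
    Returned, not executed: note where an appended batch would land."""
    return "SELECT title FROM events WHERE eventID = " + raw_value

def safe_event_id(raw_value):
    """eventID is an integer in the URL scheme the post shows; reject anything else."""
    return int(raw_value) if raw_value.isdigit() else None

def lookup_event(conn, raw_value):
    """Validated, parameterised lookup: the value travels as data, never as SQL."""
    event_id = safe_event_id(raw_value)
    if event_id is None:
        return None
    row = conn.execute("SELECT title FROM events WHERE eventID = ?", (event_id,)).fetchone()
    return row[0] if row else None

def build_demo_db():
    """In-memory stand-in for the site's events table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (eventID INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO events VALUES (151, 'Spring fundraiser')")
    return conn

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['date']} {f['time']} {f['uri']} {f['declared_type']} -> {f['decoded_sql']}")
    db = build_demo_db()
    tampered = parse_log_line(SAMPLE_LOG.splitlines()[1])["query"].split("=", 1)[1]
    print(build_unsafe_sql(tampered))
    print(lookup_event(db, "151"), lookup_event(db, tampered))
```

Run against real IIS logs, the same regex works on the cs-uri-query field; the value of decoding the literal is that the analyst sees the actual batch (which tables it walks, what string it appends) rather than a wall of hex, which is what you need to know which columns to clean.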
Related Links:
Information Week (Jan 8, 2008) Web Pages Hacked By Database Attack
Sans Newsletter (Jan 8, 2008) SQL Injection Attack Infects Thousands of Websites
Webhosting Tech Forum (April 14, 2008) SQL 2000 Database hacked
Insecure.org (April 14, 2008) Mysterious Javascript appearance