How to find + stop SQL injection attacks

November 13, 2009 by AcidRaZor · Leave a Comment
Filed under: .NET, Classic ASP, Hosting, IIS 6.0, Programming 101, SQL Server 

There’s a lot of stuff out there about SQL injection attacks, but not much that helps you figure out how to find the hole and stop the attacks once they have hit your site.

First, let’s talk about what a SQL injection attack really is. Some people think it’s a virus of sorts that is “inside your site.” Not the case. SQL injection is a flaw in your own code: a page takes a GET or POST value and splices it straight into a SQL string, so whatever the visitor sends becomes part of the query. What most IIS sites actually see is automated: bots, usually running on compromised machines, scan for URLs that accept parameters and fire SQL fragments at every one of them. The mass attacks of 2008 and 2009 against ASP sites, for example, sent a hex-encoded T-SQL block wrapped in DECLARE ... CAST(0x... AS VARCHAR) ... EXEC in the query string, which is why the keywords below turn up in the logs.

So, how do you track these down and stop them? For web sites powered by Microsoft’s IIS, here are our suggestions:

  1. Look at your IIS logs
    Search (case-insensitively) for “DECLARE”, “EXEC” or “EXECUTE”, and “CAST(0x”. If you’ve been hit, these will more than likely show up in the cs-uri-query field of your IIS logs, but only for attacks sent in the query string of a GET request: IIS does not log POST bodies, so a POST-based attack leaves nothing behind except the URL and the status code. The bots also URL-encode their payloads (spaces as %20 or +), so search the raw text rather than expecting a clean “DECLARE ”. Any page that turns up in a matching line is the place to start.
  2. Use centralized database connection handling
    Simple: make a centralized file (e.g. connection.asp if you are using ASP) that handles all of your DB access, so there is one place to review instead of dozens. Use it to run every query with parameters (an ADODB.Command with CreateParameter, or a stored procedure called with parameters) instead of concatenating Request values into SQL text; that removes the flaw itself. Searching incoming values for “DECLARE” and “EXECUTE” in that same file is a useful tripwire for logging and blocking the bots you already know about, but it only catches the payloads you have seen, so treat it as a backstop, not the fix.
  3. Implement a site wide solution
    If you are running your own server, we highly recommend ISAPI_Rewrite from HeliconTech (http://www.helicontech.com/isapi_rewrite). This is an ISAPI filter that allows you to do a variety of things, including matching patterns in the URL and query string and rejecting the request before it ever reaches your script. It will stop the bulk of the automated attacks without changing ANY code on your site. Treat it as a stopgap, though: a filter only knows the patterns you give it and it works on the URL and headers, not the POST body, so it does not remove the underlying flaw in the page.
  4. Never use “sa” (or any other sysadmin account) as your application’s database user. Create a login just for the application, map it to a user in the one database it needs, and grant it only what the pages actually use (EXECUTE on the stored procedures, or SELECT/INSERT/UPDATE on the specific tables) and nothing in master or the other databases. This limits what an injected statement can do and makes it harder for an attacker to “sniff” your database structure. It is not a cure, however: these attacks have evolved, and an attacker can still work through whatever rights the account has, and a stored procedure that builds dynamic SQL from its arguments is just as injectable as an ASP page that concatenates strings. See http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf for more information on this and other ideas for preventing SQL injection attacks.
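
The following is an added example, not code from the original post, that shows in T-SQL why the concatenation habit behind item 2 is the real problem, what the centralized code should do instead, and the least-privilege login from item 4. It runs in a scratch database on SQL Server 2005 or later; the Products table, its rows, the hex payload, the login name webapp and the procedure name usp_GetProductByName are all constructed for the demo.

```sql
-- Added example, not the original post's code.  Run in a scratch database.
SET NOCOUNT ON;
CREATE TABLE dbo.Products (ProductID INT IDENTITY PRIMARY KEY,
                           Name      NVARCHAR(50) NOT NULL);
INSERT dbo.Products (Name) VALUES (N'Widget');
INSERT dbo.Products (Name) VALUES (N'Gadget');
GO

-- 1. The vulnerable pattern.  This is exactly what a classic ASP page does with
--    "SELECT ... WHERE Name = '" & Request("name") & "'": the request value
--    becomes SQL text.
DECLARE @input NVARCHAR(1000), @sql NVARCHAR(MAX);

-- Constructed payload in the style of the 2008/2009 mass attacks: close the
-- string, run a hex-encoded T-SQL block through DECLARE/CAST/EXEC, and comment
-- out the rest of the original query.  The hex decodes to
--   UPDATE dbo.Products SET Name = Name + '<s>'
-- standing in for the script-tag append the real bots did.
SET @input = N'x''; DECLARE @s VARCHAR(4000); SET @s = CAST('
           + N'0x5550444154452064626F2E50726F647563747320534554204E616D65203D204E616D65202B20273C733E27'
           + N' AS VARCHAR(4000)); EXEC(@s); --';

SET @sql = N'SELECT ProductID, Name FROM dbo.Products WHERE Name = ''' + @input + N'''';
PRINT @sql;          -- look at what actually gets executed
EXEC (@sql);         -- the SELECT matches nothing, then the attacker's UPDATE runs
SELECT Name AS AfterInjection FROM dbo.Products;   -- every Name now ends in <s>

-- 2. The fix: the value travels as a parameter and is never parsed as SQL.
--    sp_executesql here plays the role of ADODB.Command + CreateParameter in ASP.
EXEC sp_executesql
    N'SELECT ProductID, Name FROM dbo.Products WHERE Name = @name',
    N'@name NVARCHAR(1000)',
    @name = @input;  -- returns no rows; the payload is just an odd product name
GO

-- 3. Least privilege (item 4).  Wrap the parameterized query in a procedure and
--    give the web login EXECUTE on that alone, so an injection somewhere else
--    runs with no right to read or change the table directly.
CREATE PROCEDURE dbo.usp_GetProductByName @name NVARCHAR(50)
AS
    SELECT ProductID, Name FROM dbo.Products WHERE Name = @name;
GO
CREATE LOGIN webapp WITH PASSWORD = 'Replace-Me-Before-Use-1!';  -- placeholder
CREATE USER  webapp FOR LOGIN webapp;
GRANT EXECUTE ON dbo.usp_GetProductByName TO webapp;
GO
EXECUTE AS USER = 'webapp';
    EXEC dbo.usp_GetProductByName @name = N'Widget<s>';  -- permitted (ownership chaining)
    SELECT * FROM dbo.Products;   -- fails: "The SELECT permission was denied"
REVERT;
GO

-- Clean up the demo objects.
DROP PROCEDURE dbo.usp_GetProductByName;
DROP USER webapp;
DROP LOGIN webapp;
DROP TABLE dbo.Products;
```

The PRINT in step 1 is the point of the exercise: read the string it emits and you see the attacker’s statements sitting inside your query. In step 2 the same payload is handed over as a value, so the parser never sees it as SQL, and in step 3 the web login can call the procedure but the direct SELECT raises a permission error, which is what you want an injected statement to hit.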

If you’ve been scratching your head wondering where the hole in your code is (or have taken over a project from someone else), the IIS logs are the quickest way to find the page the attack went through: the cs-uri-stem field of the matching lines names the script, and cs-uri-query shows what was sent to it.
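
Here is an added example, not part of the post, of that log triage done in T-SQL so it sits beside the other scripts here. It assumes the IIS W3C log has already been loaded into a table with one column per field (Microsoft Log Parser’s SQL output does this; the table variable below with four constructed rows stands in for it), undoes the %20 and + encoding the bots used, flags the DECLARE / EXEC( / CAST(0x patterns, and decodes the hex blob so you can read what the bot tried to run. The CONVERT(VARBINARY, ..., 1) step needs SQL Server 2008 or later.

```sql
-- Added example, not the post's code.  Four constructed log rows stand in for
-- an IIS 6 W3C log imported one column per field.
SET NOCOUNT ON;
DECLARE @log TABLE (
    LineNo   INT IDENTITY(1,1),
    LogTime  DATETIME,
    Method   VARCHAR(8),
    UriStem  NVARCHAR(255),
    UriQuery NVARCHAR(4000),
    ClientIp VARCHAR(45),
    Status   INT);

INSERT @log (LogTime, Method, UriStem, UriQuery, ClientIp, Status) VALUES
 ('2009-11-13T10:15:22', 'GET',  '/products.asp', 'id=7', '198.51.100.7', 200),
 -- bot #1: upper case, spaces as %20, the quote as %27
 ('2009-11-13T10:15:23', 'GET',  '/products.asp',
  'id=7%27;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x5550444154452064626F2E50726F647563747320534554204E616D65203D204E616D65202B20273C733E27%20AS%20VARCHAR(4000));EXEC(@S);--',
  '203.0.113.5', 200),
 -- bot #2: lower case, spaces as +, a different page and payload
 ('2009-11-13T10:15:24', 'GET',  '/news.asp',
  'cat=3;declare+@s+varchar(4000);set+@s=cast(0x53454C45435420276F776E656427+as+varchar(4000));exec(@s);--',
  '203.0.113.5', 500),
 -- a POST: IIS logs no body, so an injection sent this way is invisible here
 ('2009-11-13T10:15:25', 'POST', '/login.asp', '-', '203.0.113.5', 200);

-- Undo the URL encoding the bots used and compare in lower case, then pull the
-- 0x... blob out of CAST(0x... AS ...) and decode it.
WITH norm AS (
    SELECT LineNo, LogTime, Method, UriStem, UriQuery, ClientIp, Status,
           LOWER(REPLACE(REPLACE(UriQuery, '%20', ' '), '+', ' ')) AS q
    FROM @log),
hit AS (
    SELECT *, CHARINDEX('0x', q) AS hx
    FROM norm
    WHERE q LIKE '%declare %' OR q LIKE '%exec(%' OR q LIKE '%cast(0x%'),
blob AS (
    SELECT *,
           CASE WHEN hx = 0 THEN NULL
                -- '0x' plus the run of hex digits that follows it
                ELSE SUBSTRING(q, hx,
                       1 + PATINDEX('%[^0-9a-f]%', SUBSTRING(q, hx + 2, 4000) + ' '))
           END AS hexblob
    FROM hit)
SELECT LineNo, LogTime, ClientIp, Method, UriStem, Status,
       CONVERT(VARCHAR(4000), CONVERT(VARBINARY(4000), hexblob, 1)) AS DecodedPayload
FROM blob
ORDER BY LineNo;
```

Only the two GET lines from 203.0.113.5 come back, each with its payload decoded to plain T-SQL; the clean request is filtered out, and the POST cannot be judged from the log at all, which is the limitation to keep in mind when the logs look clean but the data keeps changing.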

There are many scripts available to clean up the injected data, but the best tip is to back up frequently (hourly, if your data changes that often) so you always have a clean copy to restore, and to follow the practices above. Good luck.

Easiest & Most comprehensive Mail Marketing tool

November 13, 2009 by AcidRaZor · 4 Comments
Filed under: General PC Stuff, Hosting, Programming 101 

iContact’s main goal is to incorporate sophisticated features into a simple, easy to use and affordable package. Many programs attempt to achieve this balance; iContact does so incredibly well.

Great User Interface

iContact manages this thanks to a great user interface that lets new email marketers hit the ground running with the basic features, while making it simple for the more experienced to reach the features they need. Either way, iContact has created an awesome product, which is why over 50,000 customers currently use it.

Basic Features You’ll Love

iContact makes it easy for new email marketers to get in the game quickly:

  • Inexpensive: just under $10/month to start!
  • Over 300 professionally designed email templates make your emails look professional
  • Schedule your messages to be distributed in the future to help save time
  • Built-in spam checking helps keep your emails from being flagged as spam, so your subscribers are more likely to actually receive them.
  • Track what your subscribers do with your emails, so you know how well your newsletters are being received.
  • Event RSVP tracking
  • Distribute surveys easily


Advanced Features You’ll Love

Professional email marketers also get everything they need to manage their bulk email lists:

  • Quickly segment your email list to customize which subscriber types get certain emails
  • Set-up autoresponders to help automate your email campaigns
  • iContact maintains a detailed history of subscriber actions to help you customize your campaigns
  • Design and upload your own email templates
  • Unlimited number of email lists

Downside: iContact’s Support Hours

The only downside to iContact is the hours during which you can call them. Support is not 24×7 but 8am to 8pm EST. Their support staff is very helpful, though, and many times you will find it easier to use their online knowledge base, which has video demonstrations and step-by-step instructions for everything you need.

iContact Pricing

With iContact’s pricing you pay according to the size of your contact list, so you can start on an inexpensive plan and pay more only once you know your newsletter is working. iContact is also one of the most affordable email marketing providers available.

Contacts    Monthly (USD)
250         $9.95
500         $14.00
1,000       $19.00
2,500       $29.00
5,000       $47.00
10,000      $74.00
15,000      $109.00
25,000      $149.00
35,000      $239.00
50,000      $379.00
75,000      $529.00
100,000     $699.00

Is It Right For You?

Because of its features and ease of use, iContact suits both new email marketers just getting started and advanced email marketers with years of experience. If you are a Fortune 500 company or have an extremely large email list (over 100,000 subscribers), however, iContact probably isn’t right for you.

Basically, iContact has everything you will need to run successful email marketing campaigns.


Speed up website load time by denying tracking

July 31, 2009 by AcidRaZor · 2 Comments
Filed under: General PC Stuff, Hosting 

Recently it has dawned on me that not everyone knows what tracking cookies and analytics (Google Analytics and the like) actually do when you visit a website. They are usually lumped in with spyware and Trojans as a way for someone to gather information and use it to their advantage. That is broadly true, though not in the “hacking” sense.

Advertising companies want statistics and demographic information about a website before they invest in advertising on it, and most websites (if not all) run Google Analytics to track their visitors and produce detailed reports on trends. Combined with Webmaster Tools (also a Google product) and some comparison data from the server’s own logs, that is more than enough to show prospective advertisers the visitor trends and other data they need to decide whether your website is worth investing in.

Enter the Nielsen reporting facility. They claim to be the leaders in gathering data on the public visiting a specific website. What they claim is very nice, but how they go about achieving it borders on spyware.

From my brief overview of the tracking code installed on several South African websites, I found that it makes several attempts to create “objects” with client-side JavaScript, which lets it determine which programs you have installed on your PC. Very interesting indeed.

What would a company want with that type of information anyway? Why not just leave it at Google Analytics, a well known website tracking and analytics package made freely available to anyone and everyone?

Something to hide, perhaps, but I can only speculate as to their reasons. Perhaps some advertisers insist on this specific piece of tracking code being installed on the website. Nobody would notice, right?

Well, some more advanced users have noticed, and most of them have already done something about it, speeding up their South African browsing by a noticeable amount and enjoying a glimpse of what true broadband speeds are like in other countries. With this little tutorial, so can you!

Here’s how!

Changing Table Ownership in SQL Server

April 28, 2009 by AcidRaZor · Leave a Comment
Filed under: Hosting, Programming 101, SQL Server 

Recently I ran into a live server that had been set up and used by a single database user who was not dbo. Either the programmer didn’t know any better or… well… he was the village idiot… anyway, on with the code. Here is a simple T-SQL script that loops through all stored procedures, tables and views owned by that user and changes their owner to dbo (or any other user you’d like). It is written for SQL Server 2000, where sysobjects.uid is the owner and sp_changeobjectowner is current; on 2005 and later that column holds the schema id and the procedure is deprecated, so check which version you are on first.

-- SQL Server 2000: sysobjects.uid is the owning user's id.  The cursor is
-- INSENSITIVE so the loop is not disturbed by the ownership changes it makes.
DECLARE @tbl sysname
DECLARE tblcur INSENSITIVE CURSOR FOR
	SELECT name FROM sysobjects
	WHERE xtype IN ('U','V','P') AND uid = user_id('olddbuser')
OPEN tblcur
WHILE 1 = 1
	BEGIN
		FETCH NEXT FROM tblcur INTO @tbl
		IF @@fetch_status < 0
			BREAK

		-- bracket both parts so names with spaces or dots don't break the call
		SET @tbl = '[olddbuser].' + QUOTENAME(@tbl)
		EXEC sp_changeobjectowner @tbl, 'dbo'
	END
CLOSE tblcur
DEALLOCATE tblcur
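
As an added example (not the post’s script), here is the same clean-up for SQL Server 2005 and later, where what used to be an object’s “owner” is its schema and sp_changeobjectowner has been replaced by ALTER SCHEMA ... TRANSFER. It assumes the stray objects sit in a schema called olddbuser, which is what you get when a user without a default schema creates objects; change the name to match your server.

```sql
-- Added example, not the post's code: SQL Server 2005+ version of the fix.
-- Assumes the objects live in a schema named olddbuser; adjust as needed.
SET NOCOUNT ON;
DECLARE @sql NVARCHAR(MAX);
SET @sql = N'';

-- Build one ALTER SCHEMA ... TRANSFER per table, view and procedure, the same
-- three object types the original script handles.
SELECT @sql = @sql + N'ALTER SCHEMA dbo TRANSFER '
                   + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name) + N';'
                   + CHAR(13) + CHAR(10)
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE s.name = N'olddbuser'
  AND o.type IN ('U', 'V', 'P');

-- Review before running: TRANSFER drops any permissions granted on the object,
-- so anything the application user was granted directly has to be re-granted.
PRINT @sql;
EXEC sp_executesql @sql;

-- Point the user at dbo so anything it creates from now on lands there too.
ALTER USER olddbuser WITH DEFAULT_SCHEMA = dbo;
```

Run the PRINT first and read the generated statements; once the objects are moved, the now-empty olddbuser schema can be dropped if nothing else refers to it.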

So what’s this CLSID {ABF05265-635E-44B0-A28F-AEA45247ACA0}?

March 19, 2009 by AcidRaZor · Leave a Comment
Filed under: Hosting 

I was working on a server when I noticed an error in the Windows Event Log in this format:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: SERVER1

Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {ABF05265-635E-44B0-A28F-AEA45247ACA0} to the user SID (S-1-5-21-573225893-205518295-3307690801-69150). This security permission can be modified using the Component Services administrative tool.
Digging through the registry (HKEY_CLASSES_ROOT\CLSID\{ABF05265-635E-44B0-A28F-AEA45247ACA0}) gave me the answer: that CLSID belongs to Microsoft.SqlServer.Dts.Server.DtsServer, the SQL Server Integration Services service.

I opened the Component Services console, found the MSDTSServer DCOM application and opened its Properties. On the Security tab I added the account behind the SID from the error message to the Launch and Activation Permissions, and that did the trick. Resolve the SID to an account first so you know who you are granting to, and grant only the Local Launch and Local Activation rights the event names; there is no reason to hand out Remote Launch or Remote Activation for this.

How to setup a Windows 2003 Web Server

March 4, 2009 by AcidRaZor · Leave a Comment
Filed under: .NET, Classic ASP, Hosting, IIS 6.0, SQL Server 

Every time we set up a W2K3 box as a web server we do the following:

Stage 1
1.1 Copy i386 to c:\
1.2 Configure Windows Permissions on all partitions
    - Leave only:
        Administrators (Full)
        System (Full)
    - Remove everything else
1.3 Rename Administrator
1.4 Rename Machine
1.5 Reboot
1.6 Install Windows Updates (Not the .NET Frameworks)
1.7 Add IP’s to TCP/IP
1.8 Add DNS suffix to TCP/IP (Only if required)
1.9 Disable Shutdown Event Tracker
1.10 Reboot

Stage 2
2.1 Install Support Tools
2.2 Install Resource Kit Tools
2.3 Install KB908521 (Not needed if w2k3 SP2)
2.4 Install SNMP
2.5 Install SNMP Informant
2.6 Configure Windows Time
2.7 Reboot

Stage 3
3.1 Install R2 (Only if you want it)
3.2 Reboot

Stage 4
4.1 Setup Automatic Updates
4.2 Setup MS DNS
4.3 Set TCP/IP to Local DNS
4.4 MSDTC Fix

Stage 5
5.1 Install IIS
5.2 Allow direct Metabase Edit
5.3 Set IIS IP’s to be listened on
5.4 Restart IIS
5.5 Set Default Documents
5.6 Set W3SVC Logs Params
5.7 Install FastCGI
5.8 Install PHP 5.1 & 5.2 (FastCGI Mode)
5.9 Install Zend Optimizer (32bit edition)
5.10 Install Perl
5.11 Install Python
5.12 Configure IIS SMTP
5.13 Disable IIS SMTP Socket Pooling
- http://www.isaserver.org/tutorials/i…etpooling.html
5.14 Reboot

Stage 6
6.1 Install .NET Framework 2.0
6.2 Install .NET Framework 2.0 SP1
6.3 Install .NET AJAX 1.0
6.4 Install .NET Framework 3.5 (Make sure you use the installer without SP1)
6.5 Install .NET Framework 3.5 SP1 (Only if using Helm 4.1)
6.6 Reboot

Stage 7
7.1 Install ISAPI_ReWrite
7.2 Install JMail.NET
7.3 Install W3JMail
7.4 Install Hotlink Blocker
7.5 Install IIS Password
7.6 Install Winrar
7.7 Install Persits ASPEmail
7.8 Install Persits ASPJpeg
7.9 Install Persits ASPUpload
7.10 Reboot

Naturally, if the box isn’t going to be a DNS server you wouldn’t install MS DNS. The instructions apply to both 32-bit and 64-bit W2K3. I’m not going to explain each step in detail; the list is just so you can see the order we do things in. It has been very well tested and we haven’t had any issues.

At each stage we test everything we install, so we make sure PHP is working correctly before moving on to the next stage. If you need to install MySQL or MSSQL, I’d do it as a Stage 8. Once everything is set up you would install Helm as a remote or control server.
