How to find + stop SQL injection attacks

November 13, 2009 by AcidRaZor
Filed under: .NET, Classic ASP, Hosting, IIS 6.0, Programming 101, SQL Server 

There’s a lot of material out there about SQL injection attacks, but not much that helps you work out where they are getting in and how to stop them.

First, let’s talk about what a SQL injection attack really is. Some people think it’s a virus of sorts that is “inside your site.” Not the case. SQL injection is a flaw in your own code: a page builds a SQL statement by pasting user input (a query-string value, a form field, a cookie) straight into the SQL text, so whatever the client sends is run by SQL Server as if you had written it. The attacks that have been hitting IIS sites in waves are automated: bots running on virus-infected computers crawl for URLs that take GET/POST inputs and fire the same SQL payload at every parameter they find. They don’t need to know anything about your site; they simply brute-force every input and let the pages that concatenate SQL do the rest.

So, how do you track these down and stop them? For web sites powered by Microsoft’s IIS, here are our suggestions:

  1. Look at your IIS logs
    Search them for “DECLARE”, “EXEC”/“EXECUTE” and “CAST(0x” (the bots hide the real SQL in a hex string and CAST it back). Search case-insensitively and remember the values are URL-encoded, so a space shows up as %20. If you’ve been hit, these will more than likely show up in your IIS logs, at least for attacks sent as GET requests: IIS logs the query string but never the body of a POST, so a form-based attack leaves only a POST line with no parameters. Any page whose log lines carry these keywords is where to start.
  2. Use centralized database connection handling
    Simple: make one include file (e.g. connection.asp if you are using Classic ASP) that handles all of your DB access, and make every page go through it. That gives you one place to enforce the real fix, which is to pass user values as parameters (ADODB.Command with a Parameters collection in Classic ASP, SqlParameter in ADO.NET) instead of gluing them into the SQL string. Searching incoming values for “DECLARE” and “EXECUTE” in that one file and rejecting them will stop the current bots, but treat that as a stopgap: a keyword blacklist is easy to bypass (the hex CAST trick exists precisely to hide the SQL from such filters) and it also rejects legitimate input that happens to contain those words.
  3. Implement a site-wide solution
    If you are running your own server, we highly recommend ISAPI_Rewrite from HeliconTech (http://www.helicontech.com/isapi_rewrite). This is an ISAPI filter that allows you to do a variety of things, including matching the request URL against patterns and rejecting it, so the DECLARE/CAST/EXEC requests can be dropped before they reach your pages. It will stop the bulk of the automated attacks without changing any code on your site, with two caveats: it sees the URL and headers, not the body of a POST, and it is a signature filter, so anything it doesn’t match still reaches your unfixed page. Use it to buy time while you fix the code.
  4. Never use “sa” (or any other sysadmin login) as your database user. Create a login for the one database you’re working from, grant it only the rights the pages need, and remove its access to the master database and the system tables. This limits how much of your database structure an attacker can “sniff” and what they can reach from the injection point, but it does not stop the injection itself: the attacks have evolved so that a payload running entirely inside the site’s own database (through stored procedures, or by walking that database’s own catalog and updating every text column) still works with this in place. See http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf for more information on this and other ideas for preventing SQL injection attacks.
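As an added example (not code from the original post), here is the string-built query from item 2 beside its parameterized form, written in Python against SQLite so it runs anywhere; the Classic ASP and ADO.NET versions have the same shape, only the binding API differs (ADODB.Command Parameters, SqlParameter). The table, the search term and the function names are constructed for the demo. SQLite refuses to run a second statement after a “;”, so the bot’s “;DECLARE ... EXEC(@S)” suffix cannot be reproduced here and a tautology payload is used instead; on SQL Server, which executes the whole batch, concatenation fails in exactly the same way, only with more damage.

```python
"""String-built query beside its parameterized form.

SQLite stands in for SQL Server; the binding calls map directly onto
ADODB.Command/SqlParameter.  Added example, not the original post's code."""
import sqlite3


def make_db():
    """Constructed sample table, not data from the original post."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)])
    con.commit()
    return con


# --- vulnerable: the  "... LIKE '%" & Request("q") & "%'"  habit -----------
def build_concat_sql(term):
    """Return the SQL text the vulnerable page would send."""
    return "SELECT name FROM products WHERE secret = 0 AND name LIKE '%" + term + "%'"


def search_concat(con, term):
    # Whatever the client sent is now part of the SQL text.  A term of
    #   ' OR 1=1 --
    # turns the WHERE clause into  (secret = 0 AND name LIKE '%') OR 1=1
    # and the secret row comes back with everything else.
    return [r[0] for r in con.execute(build_concat_sql(term))]


# --- hardened: the value is bound, never parsed as SQL ----------------------
def search_param(con, term):
    # The driver sends the statement and the value separately, so the same
    # ' OR 1=1 -- is just a LIKE pattern that matches no product name.
    sql = "SELECT name FROM products WHERE secret = 0 AND name LIKE ?"
    return [r[0] for r in con.execute(sql, ("%" + term + "%",))]


def lookup_param(con, product_id):
    # For numeric inputs do both: reject anything that is not an integer,
    # then bind.  There is no fallback to string-building on the error path.
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT name FROM products WHERE id = ? AND secret = 0"
    return [r[0] for r in con.execute(sql, (pid,))]


if __name__ == "__main__":
    db = make_db()
    evil = "' OR 1=1 --"
    print("concatenated :", search_concat(db, evil))   # leaks internal-only
    print("parameterized:", search_param(db, evil))    # []
    print("id lookup    :", lookup_param(db, "12;DECLARE @S NVARCHAR(4000)"))  # []
```

Put only the parameterized functions in the shared include and have no page build SQL text of its own; then a grep for string concatenation next to a SELECT/INSERT/UPDATE across the site is the audit.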

If you’ve been scratching your head wondering where the leak in your programming is (or have taken over a project from someone else), the best way to determine which page the attack came through is the IIS logs: find the injected requests, then open the pages they hit and look at how those pages build their SQL.
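As an added example (not from the original post), the following Python scanner reads IIS 6.0 W3C log lines, URL-decodes the query string, looks for the specific DECLARE/CAST/EXEC shape rather than the bare words (so a search for “declare of independence” is not a hit), and decodes the hex payload so you can see what the bot actually tried to run. The log excerpt is constructed, including the hex blob, which is generated here from a harmless string; the function and field names are the example’s own. Point `find_injection_hits` at the contents of a real ex*.log to use it.

```python
"""Scan IIS 6.0 W3C log text for the DECLARE/CAST/EXEC pattern used by
automated SQL injection bots and decode the hex-encoded payload.
Added example, not code from the original post."""
import re
from urllib.parse import unquote_plus

# The hex blob a bot carries.  Real logs contain it literally; here it is
# built from a harmless string so the sample stays readable.
HEX_PAYLOAD = "DROP TABLE t".encode("utf-16-le").hex().upper()

# Constructed IIS 6.0 W3C log excerpt (not from the original post).
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-13 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-11-13 00:01:02 10.0.0.5 GET /products.asp id=12 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-11-13 00:01:05 10.0.0.5 GET /products.asp id=12;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{HEX_PAYLOAD}%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 198.51.100.7 Mozilla/4.0 500 0 0
2009-11-13 00:01:09 10.0.0.5 GET /search.asp q=declare+of+independence 80 - 192.0.2.11 Mozilla/4.0 200 0 0
2009-11-13 00:01:12 10.0.0.5 POST /login.asp - 80 - 198.51.100.7 Mozilla/4.0 302 0 0
"""

# Markers that are more specific than a bare "DECLARE" or "EXECUTE".
SQLI_MARKERS = [
    re.compile(r"declare\s+@\w+", re.I),             # DECLARE @S NVARCHAR(4000)
    re.compile(r"exec(?:ute)?\s*\(?\s*@\w+", re.I),   # EXEC(@S) / EXECUTE @S
    re.compile(r"cast\s*\(\s*0x[0-9a-f]+", re.I),     # CAST(0x... AS ...)
]
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar", re.I)


def decode_hex_payload(sql):
    """Return the SQL hidden inside CAST(0x... AS [N]VARCHAR), or None."""
    m = HEX_CAST.search(sql)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    # NVARCHAR literals are UTF-16LE; VARCHAR ones are single-byte.
    return raw.decode("utf-16-le" if m.group(2) else "latin-1", errors="replace")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the #Fields line.

    W3C fields are space-separated; IIS never logs a literal space inside
    a field, so a plain split is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_injection_hits(log_text):
    """Return the suspicious requests with client, page, decoded query and payload."""
    hits = []
    for rec in parse_w3c(log_text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue            # POST bodies are never logged: nothing to inspect
        decoded = unquote_plus(query)
        if any(p.search(decoded) for p in SQLI_MARKERS):
            hits.append({
                "client": rec.get("c-ip", "?"),
                "page": rec.get("cs-uri-stem", "?"),
                "query": decoded,
                "payload": decode_hex_payload(decoded),
            })
    return hits


if __name__ == "__main__":
    for h in find_injection_hits(SAMPLE_LOG):
        print(f"{h['client']} -> {h['page']}")
        print("  query  :", h["query"])
        print("  payload:", h["payload"])
```

The page names in the hits are the pages to open first; the decoded payload tells you what to look for in the database when cleaning up.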

There are many scripts available to clean up the injected data, but the best tip is to back up hourly (and test that the backups actually restore), and to follow best practices, some of which I highlighted here. Good luck.

How to setup a Windows 2003 Web Server

March 4, 2009 by AcidRaZor
Filed under: .NET, Classic ASP, Hosting, IIS 6.0, SQL Server 

Every time we set up a W2K3 box as a web server we do the following:

Stage 1
1.1 Copy i386 to c:\
1.2 Configure Windows permissions on all partitions
- Leave Administrators (Full) and System (Full)
- Remove everything else
1.3 Rename Administrator
1.4 Rename Machine
1.5 Reboot
1.6 Install Windows Updates (Not the .NET Frameworks)
1.7 Add IPs to TCP/IP
1.8 Add DNS suffix to TCP/IP (Only if required)
1.9 Disable Shutdown Event Tracker
1.10 Reboot

Stage 2
2.1 Install Support Tools
2.2 Install Resource Kit Tools
2.3 Install KB908521 (Not needed if w2k3 SP2)
2.4 Install SNMP
2.5 Install SNMP Informant
2.6 Configure Windows Time
2.7 Reboot

Stage 3
3.1 Install R2 (Only if you want it)
3.2 Reboot

Stage 4
4.1 Setup Automatic Updates
4.2 Setup MS DNS
4.3 Set TCP/IP to Local DNS
4.4 MSDTC fix

Stage 5
5.1 Install IIS
5.2 Allow direct Metabase Edit
5.3 Set IIS IP’s to be listened on
5.4 Restart IIS
5.5 Set Default Documents
5.6 Set W3SVC Logs Params
5.7 Install FastCGI
5.8 Install PHP 5.1 & 5.2 (FastCGI Mode)
5.9 Install Zend Optimizer (32bit edition)
5.10 Install Perl
5.11 Install Python
5.12 Configure IIS SMTP
5.13 Disable IIS SMTP Socket Pooling
- http://www.isaserver.org/tutorials/i…etpooling.html
5.14 Reboot

Stage 6
6.1 Install .NET Framework 2.0
6.2 Install .NET Framework 2.0 SP1
6.3 Install .NET AJAX 1.0
6.4 Install .NET Framework 3.5 (Make sure you use the installer without SP1)
6.5 Install .NET Framework 3.5 SP1 (Only if using Helm 4.1)
6.6 Reboot

Stage 7
7.1 Install ISAPI_ReWrite
7.2 Install JMail.NET
7.3 Install W3JMail
7.4 Install Hotlink Blocker
7.5 Install IIS Password
7.6 Install Winrar
7.7 Install Persits ASPEmail
7.8 Install Persits ASPJpeg
7.9 Install Persits ASPUpload
7.10 Reboot

Naturally, if the box isn’t going to be a DNS server you wouldn’t install MS DNS. The instructions apply to both 32-bit and 64-bit W2K3. I’m not going to explain each step in detail; the list is just so you can see the order in which we do things. It has been very well tested and we haven’t had any issues.

At each stage we test everything we install, so we make sure PHP is working correctly before proceeding to the next stage. If you need to install MySQL or MSSQL I’d do it at Stage 8. Once everything is set up you would install Helm as a remote or control server.

Restoring a corrupt MetaBase in IIS 6.0 on Windows 2003

February 14, 2009 by AcidRaZor
Filed under: IIS 6.0 

Recently I had the unfortunate event of “Interface not Supported” when I clicked on the Home Directory of a website hosted on our Windows 2003 Standard machine. I’ve followed (or tried to) several people’s advice. Talk of metabase.bin etc. confused me, as there were no such files!

So, on my own destructive mission, I saw a “History” folder (other than the “MetaBack” folder) in Inetsrv (under the System32 directory).

Lo and behold, there were several Metabase.xml files. So I took the oldest one (which was an hour before the corruption) and ran iisreset /stop, copied the file over MetaBase.xml, and ran iisreset /start again.

Booya. It worked again. FUCK YOU MICROSOFT
