
SQL Injection Hack

At about 00:50 AM GMT, this site was successfully attacked by one of the latest SQL injection attacks that have been flooding the web and infected more than a million websites worldwide.

It took me less than 10 minutes to discover the attack, at which point I took the entire website offline to prevent anyone else - i.e. you - from getting infected by the script they added to my site.

Was there any damage done to you - my readers?

If you visited this site between 0:45 and 01:05 GMT I strongly suggest you run a virus/spyware check, and check if your anti-virus is up to date. According to my logs, 35 people visited this site during that time.

But, the risk of any of these 35 people getting infected is extremely low. All anti-virus applications already know about the specific script and would have blocked it before it had a chance to be executed (it was first patched by anti-virus programs about a year ago).

Was there any damage done to baekdal.com?

Oh yes - big time. The attacker destroyed every single table in my database. It deleted almost all content. As such, this site was damaged beyond the point of repair, and I would have lost everything - all my articles, all comments, everything - were it not that my server backs up the database each day.

Luckily the backup worked like a charm, and it took only 20 minutes to restore it. The only problem is that any comment made during the 10 hours from my latest backup to 00:50 AM was lost, as was my latest design article (but I republished it).

What now?

Well, I have checked every single line of code, looking for any points where an attacker would be able to run an SQL injection hack. I must admit that I was a bit surprised that it happened in the first place, because my database system "should" prevent it by default. My CMS system has a built-in protection module specifically to prevent this sort of thing.

In my search I found 2 spots that did not use this protection module. Both have been fixed, and everything is back to normal.

BTW: Read this article if you want a technical explanation of how to prevent injection hacks (or this one).

Advice to fellow web creators

SQL injection hacks are currently flooding the web, and according to the "professionals" it will get a lot worse in the years to come. So...

  1. Check your site if you are using any kind of SQL database - that includes MySQL and MsSQL (among others). Make sure that you never send unvalidated data into your database.
  2. Remember that this is not just about form fields. Any SQL request is potentially open to an attack. A simple "select" request can easily be modified, which was actually what happened in my case. All database requests need to be validated, not just the ones that send data from a form.
  3. If you create web applications you might consider creating separate database accounts for the web application data and your customers' data. It doesn't prevent an attacker from doing damage, but it does prevent him from destroying everything.
  4. Backup, backup, backup, backup - ohhh... did I mention... backup!
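The point in items 1 and 2 is easiest to see in code. The following is an added example, not code from this site or its CMS: the same "select" request written the way it was attacked (the URL value pasted straight into the SQL text) and the way it should be written (the value validated, then bound as a parameter). The `articles` table and its two rows are constructed for the example, and SQLite stands in for Microsoft SQL Server only because it ships with Python; the principle is identical for MySQL, MsSQL or any other engine.

```python
"""Added example: one 'select' request, built unsafely and safely.

The table below is constructed for this demonstration; SQLite is used
in place of Microsoft SQL Server so the example runs anywhere Python does.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a tiny in-memory database with one published and one draft article."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Design article", 1), (2, "Draft, not public", 0)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """The vulnerable pattern: the request value becomes part of the SQL text.

    Anything the visitor puts after ?id= is parsed as SQL, so the WHERE
    clause - including the 'published = 1' restriction - can be rewritten.
    """
    sql = (
        "SELECT title FROM articles WHERE published = 1 AND id = "
        + raw_id
        + " ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def parse_article_id(raw_id: str) -> int:
    """Validation layer: an article id must be a positive integer, nothing else."""
    if not raw_id.isdigit():
        raise ValueError(f"invalid article id: {raw_id!r}")
    return int(raw_id)


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """The safe pattern: validate first, then bind the value as a parameter.

    With a bound parameter the database receives the query shape and the
    value separately, so the value can never alter the query.
    """
    article_id = parse_article_id(raw_id)
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (article_id,))]


if __name__ == "__main__":
    db = make_db()
    print("safe, normal input:  ", lookup_safe(db, "1"))
    print("unsafe, normal input:", lookup_unsafe(db, "1"))
    # The unsafe version returns the unpublished draft as well once the
    # WHERE clause is rewritten; the safe version rejects the input outright.
    print("unsafe, tampered:    ", lookup_unsafe(db, "1 OR 1=1"))
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("safe, tampered:       rejected:", exc)
```

Two layers are deliberately shown: the parameter binding alone would already stop the tampered value from changing the query, but validating the id up front means bad input is rejected and logged at the application boundary instead of being silently passed to the database.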

And if your website does get infected, you need to do 5 things (in this order):

  1. Damage protection. Take your site offline (just pull the plug) - this is always the first step - ALWAYS!
  2. Identify the extent of the damage and check your logs etc.
  3. Fix the damaged parts
  4. Prevent it from happening again - look through your code, and solve any problem you find.
  5. Put the site back online.

I must admit that I am starting to dream about the good old days, when you could make a website and not have to worry about these things.

In this year alone I have been the victim of identity theft, spammers using my email address as the sender, and now SQL injection hacks.

The amount of work we web developers have to do besides making the site is growing in size and complexity. You are no longer able to "just make a website", because you have to incorporate so many things just to be safe from harm.

Comments

1

billyboylindien - Jun. 4, 2008

The power of backup ;)

2

Niels - Jun. 4, 2008

O boy,

This is just not fun anymore. I have seen this happening more and more with websites that have quite some traffic and visitors. I am glad for you that you were able to restore it back to its original state.

3

Tim - Jun. 4, 2008

Glad you fixed it without too much trouble. :-)

4

Thomas Baekdal - Jun. 4, 2008

Billyboy, Niels and Tim, Thanks!

5

Travis - Jun. 5, 2008

Hey Thomas - sorry to hear you got hit, but I'm glad that you were able to restore most everything. It's a good reminder for all of us, that just because nothing has happened yet, doesn't mean we should stop keeping an eye out for problems or security holes. Keep up the great work!

6

Jonathan - Jun. 8, 2008

We seem to have gone back in time...

Incidentally, you say "My CMS system have a built in protection module specifically to prevent this sort of thing." I see Baekdal.com runs on IIS, so it's possible this blog may use SQLServer as well. If so, did the attack exploit the recent Microsoft SQLServer injection vulnerability that's been doing the rounds?

7

Thomas Baekdal - Jun. 8, 2008

Jonathan, Yes (and no).

I am running IIS and Microsoft SQL server, and I was attacked by the latest run of SQL injection scripts that have been flooding the net.

But I wouldn't call it a vulnerability. And, even though the latest run of attacks targets ASP/ASP.NET + Microsoft SQL, all databases and programming languages are at risk. It is just as easy to attack a PHP site running MySQL.

The problem is that the data is not validated properly before it is sent to the database.

8

air.hacker@yahoo.com - Sep. 16, 2008

hi

sql injection

what hacking?


Published: Jun. 4, 2008
in personal notes

Thomas Baekdal

Thomas Baekdal is a Writer, Interaction Designer, Change Advocate and Project Manager.