SQL Injection Hack

At about 00:50 AM GMT, this site was successfully attacked by one of the latest SQL injection attacks that have been flooding the web and infected more than a million websites worldwide.

It took me less than 10 minutes to discover the attack, at which point I took the entire website offline to prevent anyone else - i.e. you - to get infected by the script they added to my site.

Was there any damage done to you - my readers?

If you visited this site between 0:45 and 01:05 GMT I strongly suggest you run a virus/spyware check, and check if your anti-virus is up to date. According to my logs, 35 people visited this site during that time.

But, the risk of any of these 35 people getting infected is extremely low. All anti-virus applications already know about the specific script and would have blocked it before it had a chance to be executed (it was first patched by anti-virus programs about a year ago).

Was there any damage done to baekdal.com?

Oh yes - big time. The attacker destroyed every single table in my database. It deleted almost all content. As such, this site was damaged beyond the point of repair, and I would have lost everything - all my articles, all comments, everything - where it not that my server backs-up the database each day.

Luckily the backup worked like a charm, and it took only 20 minutes to restore it. The only problem is that any comment made during the 10 hours from my latest backup to 00:50 AM was lost, so was my latest design article (but I republished it).

What now?

Well, I have checked every single line of code, looking for any points where an attacker would be able to run an SQL injection hack. I must admit that I was a bit surprised that it happened in the first place, because my database system "should" prevent it by default. My CMS system have a built in protection module specifically to prevent this sort of thing.

In my search I found 2 spots that did not use this protection module. Both have been fixed, and everything is back to normal.

BTW: Read this article if you want to technical explanation about how to prevent injection hacks (or this one).

Advice to fellow web creators

SQL injection hacks are currently flooding the web, and according to the "professionals" it will get a lot worse in the years to come. So...

1. Check your site if you are using any kind of SQL database - that includes MySQL and MsSQL (among others). Make sure that you never send invalidated data into your database.
2. Remember that this is not just about form fields. Any SQL request is potentially open to an attack. A simple "select" request can easily be modified, which was actually what happened in my case. All database requests need to be validated, not just the ones that sends data from a form.
3. If you create web applications you might consider creating separate database accounts for the web application data, and your customers' data. It doesn't prevent an attacker to do damage, but it does prevent him from destroying everything.
4. Backup, backup, backup, backup - ohhh... did I mention... backup!

And if your website does get infected, you need to do 5 things (in this order):

1. Damage protection. Take your site offline (just pull the plug) - this is always the first step - ALWAYS!
2. Identify the extent of the damage and check your logs etc.
3. Fix the damaged parts
4. Prevent it from happening again - look through your code, and solve any problem you find.
5. Put the site back online.

I must admit that I start to dream about the good old days, when you could make a website and not have to worry about these things.

In this year alone I have been the victim of identity theft, spammers using my email address as the sender, and now SQL injection hacks.

The amount of work we, web developers, have to do besides making the site is growing in size and complexity. You are no longer able to "just make a website", because you have to incorporate so many things just to be safe from harm.