
Has anyone found out how this was done? SQL Injection

Since so many other websites have been hit I have to assume it is a bot!

It has injected a script with: Yesterday: http://google-stats50.info/ur.php Today: http://google-stats49.info/ur.php

It injected it into multiple tables.

First, how did it identify the tables and columns?

Second, what should I search for in the logs to identify the source page?

We do not have ftp on any of our servers. We have 1 contact form but it is email and not even connected to the database.

We are using SQL Server and IIS.

Ken asked Dec 28 '22 07:12


1 Answer

You probably have a page that is not validating/sanitizing user input. TextBoxes and QueryStrings that are used to provide parameters to a SQL query are commonly exploited in a SQL injection attack (there are other ways as well, though...). In addition to this, you are probably not using parameterized queries when you access the database.

This will lead to a world of hurt.

They most likely figured out your database structure by querying the system tables:

-- one row per user table in the current database
SELECT *
FROM sys.tables;

And the column names:

-- one row per column; object_id links each column to its table
SELECT *
FROM sys.columns;

Some links you should look at:

  • Input Validation
  • Parameterized Queries
  • SQL Injection prevention

If this were my website I would drop EVERYTHING until the site had been secured. Your site and database are in grave danger.

Abe Miessler answered Dec 31 '22 01:12
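
Added example, not part of the answer above: for the question's second point (what to search for in the logs), this Python script scans IIS W3C extended logs for the catalog-view names the answer mentions and for the injected script host, and reports which pages received such requests. The log lines are constructed, and the extra names `sysobjects`, `syscolumns` and `INFORMATION_SCHEMA` are assumptions added here as the other standard SQL Server catalog names.

```python
import re
from urllib.parse import unquote_plus

# Indicators from this page: the catalog views used to enumerate the schema and
# the injected script host. sysobjects/syscolumns/INFORMATION_SCHEMA are added
# here as an assumption (other standard SQL Server catalog names).
INDICATORS = re.compile(
    r"sys\.(?:tables|columns)|sys(?:objects|columns)\b|information_schema"
    r"|google-stats\d+\.info",
    re.IGNORECASE,
)

# Constructed sample in IIS W3C extended format; not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-12-27 03:14:07 203.0.113.9 GET /products.asp id=12 200
2022-12-27 03:14:09 203.0.113.9 GET /products.asp id=12+SELECT+*+FROM+sys.Tables 500
2022-12-27 03:14:15 203.0.113.9 GET /news.asp a=1%20SELECT%20*%20FROM%20sys%2Ecolumns 200
2022-12-27 03:15:02 203.0.113.9 GET /news.asp a=http://google-stats49.info/ur.php 200
2022-12-27 03:20:41 198.51.100.4 GET /default.asp - 200
"""


def suspicious_requests(log_text):
    """Return (date, time, client_ip, page, indicator) for each flagged request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode twice so double-encoded input (%2553 -> %53 -> S) is still seen.
        query = unquote_plus(unquote_plus(row.get("cs-uri-query", "")))
        match = INDICATORS.search(query)
        if match:
            hits.append((row["date"], row["time"], row["c-ip"],
                         row["cs-uri-stem"], match.group(0).lower()))
    return hits


def pages_to_review(hits):
    """Distinct pages that received flagged requests, in first-seen order."""
    return list(dict.fromkeys(hit[3] for hit in hits))
```

IIS does not log POST bodies by default, so an empty result does not clear a page. Each page returned still needs its database calls checked for string concatenation and converted to parameterized queries.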