Ran into this recently on an old website on one of our servers, and there's an easy fix if your site doesn't have code requiring the use of system tables itself.
Simply deny access to syscolumns & sysobjects for whatever SQL account the website is using, as the attack uses those to do the table updates. This script can do it quickly:
-- Deny the web site's database user all access to the system tables
-- (sysobjects, syscolumns, etc.) that the injected script walks.
-- Replace [DatabaseUserName] with the account your site actually uses.
DECLARE @name varchar(200), @sql varchar(500), @type char(2)
DECLARE sSysFiles CURSOR FOR
    SELECT name, xtype FROM sysobjects WHERE xtype IN ('S') FOR READ ONLY
OPEN sSysFiles
FETCH NEXT FROM sSysFiles INTO @name, @type
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @type = 'S'  -- xtype 'S' = system table
    BEGIN
        SELECT @sql = 'DENY SELECT, INSERT, UPDATE, DELETE ON [' + @name + '] TO [DatabaseUserName]'
        EXEC (@sql)
    END
    FETCH NEXT FROM sSysFiles INTO @name, @type
END
CLOSE sSysFiles
DEALLOCATE sSysFiles
You should still of course do a code review for possible future modified attacks, but it's a quick & dirty fix to buy time.
Also, here's a script that's reversed from the attack code which basically reverses the attack - either shows all infections, or deletes their code back out (depending on what you un-comment). Warning: it does trim TEXT fields down to 8000 characters (although if you were infected, their code already trimmed them down to 4000), so use with caution.
USE [MyDatabaseName]
GO
DECLARE @CodeToReplace varchar(500)
SELECT @CodeToReplace = '' -- If fixing code, put the offending script here
DECLARE @T VARCHAR(255), @C VARCHAR(255)
-- Every column of a user table whose type is ntext (99), text (35), nvarchar (231) or varchar (167)
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- Uncomment next line to just show possible infections:
    --EXEC('IF EXISTS (SELECT TOP 1 * FROM ['+@T+'] (NOLOCK) WHERE ['+@C+'] LIKE ''%.js>'') SELECT '''+@T+''' [Table Name],'''+@C+''' [Column Name],['+@C+'] FROM ['+@T+'] (NOLOCK) WHERE ['+@C+'] LIKE ''%script %''')
    -- Uncomment next line to fix them (rows that would not fit in VARCHAR(8000) are skipped, not truncated):
    --EXEC('IF EXISTS (SELECT TOP 1 * FROM ['+@T+'] WHERE ['+@C+'] LIKE ''%script src%'') UPDATE ['+@T+'] SET ['+@C+']=REPLACE(RTRIM(CONVERT(VARCHAR(8000),['+@C+'])),''' + @CodeToReplace + ''','''') WHERE ['+@C+'] LIKE ''%script src%'' AND LEN(CONVERT(VARCHAR(8000),['+@C+'])) < 8000')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
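The caveat above is that the fix script has to CONVERT each TEXT column to VARCHAR(8000) before REPLACE can touch it, so anything past 8000 characters is at risk. As an added example (not from the original post), this removes the injected fragment from a TEXT column in place with UPDATETEXT, so the rest of the value is never read into a VARCHAR at all; the table Articles, its integer key ArticleID, the TEXT column Body and the placeholder payload string are all assumed names you would replace with your own.

```sql
-- Assumed names: table Articles, integer key ArticleID, TEXT column Body.
-- @Payload is the exact injected string as reported by the "show infections" query.
-- For an NTEXT column use nvarchar variables and LEN instead of DATALENGTH.
DECLARE @Payload varchar(500)
SET @Payload = '<script src=http://PLACEHOLDER-INJECTED-HOST/x.js></script>'

-- PATINDEX treats %, _ and [ as wildcards; bracket-escape them in @Payload if it contains any.
DECLARE @Pattern varchar(510)
SET @Pattern = '%' + @Payload + '%'

DECLARE @Id int, @Ptr binary(16), @Pos int, @Off int, @Len int, @Rows int
SET @Len = DATALENGTH(@Payload)   -- UPDATETEXT deletes a byte count for TEXT
SET @Rows = 0

BEGIN TRAN
-- STATIC: snapshot the list of affected keys before we start modifying rows.
DECLARE Row_Cursor CURSOR LOCAL STATIC FOR
    SELECT ArticleID FROM Articles WHERE PATINDEX(@Pattern, Body) > 0
OPEN Row_Cursor
FETCH NEXT FROM Row_Cursor INTO @Id
WHILE @@FETCH_STATUS = 0
BEGIN
    SELECT @Pos = PATINDEX(@Pattern, Body) FROM Articles WHERE ArticleID = @Id
    -- The fragment is normally appended once, but loop in case the row was hit repeatedly.
    WHILE @Pos > 0
    BEGIN
        -- Re-read the text pointer on every pass; it is only valid until the row changes.
        SELECT @Ptr = TEXTPTR(Body) FROM Articles WHERE ArticleID = @Id
        SET @Off = @Pos - 1      -- PATINDEX is 1-based, UPDATETEXT offsets are 0-based
        -- NULL as the data argument: delete @Len bytes at @Off and insert nothing.
        UPDATETEXT Articles.Body @Ptr @Off @Len NULL
        SELECT @Pos = PATINDEX(@Pattern, Body) FROM Articles WHERE ArticleID = @Id
    END
    SET @Rows = @Rows + 1
    FETCH NEXT FROM Row_Cursor INTO @Id
END
CLOSE Row_Cursor
DEALLOCATE Row_Cursor
COMMIT TRAN
PRINT 'Cleaned rows: ' + CONVERT(varchar(10), @Rows)
```

Run the "show infections" query again afterwards; it should return nothing for that table and column, and the row lengths before and after should differ by exactly the payload length times the number of occurrences.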
The bottom line for me is the cost -- $12.95/mo on top of the unit price for what? Dialing up to download a program guide & upload my preferences? Forget it.
I've got a cable DVR (Scientific Atlanta) through Cox, and yes, its software sucks by comparison (conks out if 3 programs happen to occur at the same time, other things too). But it's not sucky enough to pay a couple hundred $ a month plus a higher monthly fee just to get Tivo's extra features.
How is it that Dell has a laptop with 15" 1600 X 1200 resolution (native), but you can't find one for a desktop computer? You'd think whoever builds their screens (Quanta? not sure) would be able to market that tech elsewhere. Of course, I'd like to see that pixel density on a 20" screen...
I switched from roadrunner cable service in San Diego to DSL in Nevada. It's ADSL, 128k up, 384-1.5 down. Reliability has been near 100% - only problems have been when their DHCP server will go down (or get bogged) and you won't get an ip. Cable seemed to max out at a higher speed (especially upstream) - download speeds up to around 300k/s, but there seemed to be more lag, so web browsing & such seemed slower w/ cable. The cable service was very unreliable in our neighborhood too. DSL cost is okay too - $40/mo.
My one big complaint: Nevada Bell/PacBell (apparently) sell their users' e-mail addresses - I got one w/ signup that I never used. After about a month I checked it, and there were 200+ messages of spam. Yikes.
Personally, I often use Napster to check out signed artists who aren't well known - I run across a review, or hear a friend mention them, but I don't want to spend $16 on a CD I've never heard - and if I like it then I'll be buying a CD I wouldn't have otherwise.
I think it's that situation that really benefits artists (and record companies).
I've witnessed a lot of "successful" people in their 50's and 60's regretting having wasted their youth working long hours gaining their "success" - only to find out that their notion of success wasn't what it's cracked up to be. I didn't want to make that mistake - I was only working 40 hrs/wk, but even that seemed like too much of a sacrifice - so I quit, and now work freelance - currently only about 2 days a week. I don't rake in huge amounts of cash, but it's enough to live on, and the free time to do things I enjoy (snowboard, hike, travel, etc.) seems more valuable than the money ever could be.
This page has some info on it.