Comments on Dynamoo's Blog: xinthesidersdown.com injection attack in progress

Anonymous (2012-08-09 20:51):
Tom, the only way to prevent attacks like this is to properly code the .NET application to use parameterized queries instead of fully dynamic SQL when creating the queries which are sent to the SQL Server.

Ariga (2012-08-07 00:09):
A website I manage got hit on August 1st too. We use ASP, ASP.NET and SQL Server as most of the people I found to be attacked by this malware network.

Actually, we've detected a minor attack on the week before, coming from a USA IP (98.88.189.164). They've got into the FTP and slipped some files (including c99.txt). This allows RFI (Remote File Inclusion) and I don't

Ariga (2012-08-07 00:07):
This comment has been removed by the author.

Anonymous (2012-08-03 18:18):
There is a decent explanation of the attack here: http://stackoverflow.com/questions/11751636/searching-logs-for-sql-injection

The attacker uses the CAST function to add malicious SQL code to the end of a query string, which gets executed by SQL Server. Some suggest to search for the term "CAST" in your website logs, but so far, I have not been able to find that term, or any

Kris Reddy (2012-08-03 17:44):
Stevey,

How is the attack done, and what kind of fix have you done?

Anonymous (2012-08-03 17:37):
What kind of fix can you install to stop this attack?

SteveyG (2012-08-03 10:45):
Check your databases/tables. It possibly has replaced all the text/varchar fields contents with the html you are seeing.

We had to restore our DBs then put a fix in to stop this type of hack.

Lorne (2012-08-01 16:29):
A site I manage got hit. Looks like a bot views your home page, tries every link with a querystring, replacing each variable with an obfuscated script.

The script casts a hex value to a varchar, which becomes a script that is executed.

The script cursors over information_schema, gets all tables and columns of varchar, nvarchar, text and ntext, of size > 30.

It

Anonymous (2012-08-01 16:11):
This comment has been removed by the author.

Anonymous (2012-08-01 16:11):
We are using Absolute Banner Manager to show banner ads on our website. This xinthesidersdown crap hacked our banner manager last night and destroyed our ads. When I log into the banner manager, my antivirus pops up saying a threat has been detected and shows me this xinthesidersdown.com/sl.php as the attacker. What do I do about this?
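
Added example, not written by any commenter in this thread: a log check for the hex-CAST pattern the comments describe, which URL-decodes each query string before matching, since a literal search for "CAST" misses requests where the keyword is percent-encoded. The log field layout, the sample lines and the function names are assumptions made for illustration; the hex blob in the samples encodes only the text "SELECT 1".

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from the thread). Assumed field order:
# date time method uri-stem uri-query port username client-ip status
SAMPLE_LOG = [
    "2012-08-01 16:02:11 GET /news.aspx id=42 80 - 203.0.113.5 200",
    "2012-08-01 16:02:12 GET /news.aspx id=42+CAST(0x53454C4543542031+AS+VARCHAR(4000)) 80 - 203.0.113.5 200",
    "2012-08-01 16:02:13 GET /item.asp cat=7%20%63aSt(0x53454C4543542031%20as%20varchar(4000)) 80 - 203.0.113.5 500",
]

# CAST(0x<hex> AS VARCHAR / NVARCHAR), any letter case, flexible whitespace
CAST_HEX = re.compile(r"cast\s*\(\s*0x((?:[0-9a-f]{2})+)\s+as\s+(n?)varchar", re.I)

def decode_query(raw, rounds=3):
    """URL-decode repeatedly so %63ast or double-encoded input still matches."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def scan_line(line):
    """Return (client_ip, uri_stem, hidden_sql) for a suspicious line, else None."""
    fields = line.split()
    if len(fields) < 8:
        return None
    match = CAST_HEX.search(decode_query(fields[4]))
    if not match:
        return None
    blob = bytes.fromhex(match.group(1))
    # NVARCHAR blobs are UTF-16LE; VARCHAR blobs are single-byte text
    encoding = "utf-16-le" if match.group(2) else "latin-1"
    return fields[7], fields[3], blob.decode(encoding, "replace")

def scan(lines):
    """Scan every line and keep only the hits."""
    return [hit for hit in map(scan_line, lines) if hit]

if __name__ == "__main__":
    for ip, uri, hidden in scan(SAMPLE_LOG):
        print(f"{ip} {uri} hidden SQL: {hidden!r}")
```

Requests that carry the injected value in a POST body never appear in the query-string field, so an empty result from this check does not rule out the attack.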