SQL Server Security – Find the Source of a Recurrent Mass SQL Edit on a Server

Securitysql serversql server 2014sql-injection

I'll try to explain my problem as clear as possible.

The server of a company I support runs many websites. This server runs Windows Server 2012 with Microsoft SQL Server 2014.

Almost all of the websites are running a proprietary web application, made by the same company.

Only some of the websites are affected by a regular mass editing of (almost) every TEXT, NTEXT and NVARCHAR(MAX) fields in their respective databases.

HTML with malicious or spam links is added to every record of the table, only in the field with the type specified above.

The server has already been scanned with several tools and all the main password (administrator, sa of SQL Server) has been changed. I also tried to run the SQL Profiler to try to identify the mass update query, but without success.

As I can imagine for now, this may be an SQL Injection attack that uses a vulnerability in the software that runs those websites, but why only some of them? Other websites with the same version never got this problem.

As you know, is there something else I can try, or I'm missing? Reply without problems if you may need other data.

Best Answer

SQL Injection is hard to track from SQL Server side. Instead of looking at sql server, you should look at your web server IIS logs.

Use Log Parser to parse your IIS Logs to track down the source of sql injection. e.g.

logparser.exe -i:iisw3c -o:Datagrid -rtp:100 “select date, time, c-ip, cs-uri-stem, cs-uri-query, time-taken, sc-status from C:\wwwlogs\W3SVCXXX\u_ex1207*.log where cs-uri-query like ‘%declare%’”

Read up on

SQL Injection – a Serious Security Issue by Erland Sommarskog
SQL Injection: How it Works and How to Thwart it
Protecting Yourself from SQL Injection in SQL Server - Part 1 and Part 2 from Aaron Bertrand.

Related Solutions

Sql-server – How to get more information from dm_exec_query_stats

First, do your have columns of data type TEXT or NTEXT in your database? If

select 
c.TABLE_NAME,c.COLUMN_NAME 
from INFORMATION_SCHEMA.columns c, 
INFORMATION_SCHEMA.tables t 
where c.DATA_TYPE in ('ntext','text') 
and t.table_name=c.table_name 
and t.table_type='BASE TABLE'

returns any rows, you probably lost a lot of data during this attack, as the code truncates the existing values to 8000 characters. In that case you need to restore from a backup.

To answer your question, there is no direct way to get to that information from SQL Server. However, using the T-SQL code that was originally intended to be executed (the code that the above code was injected into), you should be able to identify the place in your app where the injection happened. From there you can look through the web site logs to find submissions to that particular page or form that took a long time or that submitted an unusual amount of characters. You can use the columns creation_time and last_execution_time in sys.dm_exec_query_stats to narrow down the time of the attack(s).

Important, once you have the place identified that allowed for the injection to happen, you need to close that gap immediately. You should also review the rest of the application to make sure that no other vulnerable spots lurk in your code. There is a little more information about what to look out for when injection-proofing your app here: http://sqlity.net/en/2547/sql-injection/

SQL Server – Should a Subquery Be Used to Help Find the Correct Plan?

For future readers, I went ahead and tested both methods (with and without the subquery), and they both worked equally well on all tested environments. I do not know if the database statistics needed updated on the databases that originally had a problem or not, but like many developers, I am not in charge of that and don't have any ability to alter it.

From what I can see, the advantage of using LEFT JOIN in this case is that it removes the attraction for the plan builder to consider this a good thing (which it isn't, in this case), while still letting the plan builder choose from all the other choices. The advantage for the subquery is that you still get the INNER JOIN ability to remove any (rare) invalid rows, but you do not let the plan builder include that fact in the critical plan (because the INNER JOIN is in the outside query, not the subquery). In essence, you are restricting what joins the plan builder can use by placing them in the subquery, and doing the other joins in the main query.

Of course, anytime you restrict the plan builder, you are taking a chance that you restrict it too far and it comes up with a non-optimal plan. Going forward, I won't necessarily use either technique until I find I need to. Note that I also tried to use hints or explicitly tell SQL Server to use a particular type of join, but those were never as fast as when I let it choose everything itself.

In the end, it turned out that, due to the ugliness of the code that built this query (on the fly, even), the LEFT JOIN was far easier to implement and have some confidence that I wouldn't break anything, so I went that way. But that decision was made by factors external to the database.

Best Answer

Related Solutions

Sql-server – How to get more information from dm_exec_query_stats

SQL Server – Should a Subquery Be Used to Help Find the Correct Plan?

Related Question