Prevent creation of invalid tables D99_Tmp and kill_kk

Preventing illegal table D99_Tmp and kill_kk is to prevent our website from being attacked, and it is also a necessary line of defense for SQL security defense. Although the attacker using this method is a hacker's bird, however, we also have to prevent such attacks, so as not to cause unimaginable consequences. We will not talk much about it. Let's talk about the prevention methods:
Xp_cmdshell allows the system administrator to execute a given command string in the form of an operating system command line interpreter and return any output in the form of text lines. It is a powerful extended storage process.

When a hacker attacks SQL Server, the first method used is to execute the xp_mongoshell command of the master extended storage process to destroy the database. For the sake of database security, it is best to disable xp_mongoshell.

You can remove xp_cmdshell:

The following is a reference clip:
Use Master
Exec sp_dropextendedproc Nxp_cmdshell
Go

If necessary, you can restore xp_mongoshell back:

The following is a reference clip:
Use Master
Exec sp_addextendedproc Nxp_cmdshell, Nxplog70.dll
Go

In this way, every step of security protection is very important. I hope it will help you. SQL server 2000 database. I don't know why I have an additional D99_CMD table, which indicates that the website has an injection vulnerability.

Use injection points. it can be in your database. create one more table. the injection points can be used. read all the information of your website and put it in this table. and try again to "hacker ..

When a hacker attacks SQL Server, the first method is to execute the xp_mongoshell command of the master extended storage process to destroy the database. For the sake of database security, it is best to disable xp_mongoshell, xp_cmdshell allows the system administrator to execute a given command string in the form of an operating system command line interpreter and return any output in the form of text lines. It is a powerful extended storage process.

In general, xp_mongoshell is unnecessary for administrators. The elimination of xp_mongoshell will not affect the Server.

You can remove xp_cmdshell:
Use Master
Exec sp_dropextendedproc Nxp_cmdshell
Go

If necessary, you can restore xp_mongoshell back:
Use Master
Exec sp_addextendedproc Nxp_cmdshell, Nxplog70.dll
Go

If you have a Server on your own and use SQL Server, you 'd better run this Code. The running method is very simple: Execute it in the query analyzer, and then many hacker attack methods will be lost.

Use Master
Exec sp_dropextendedproc Nxp_cmdshell
Go

When running

EXEC master. dbo. xp_mongoshell dir c:

The system will generate the D99_Tmp table during this command. After xp_mongoshell is blocked, this Code cannot be run. blocking xp_mongoshell will not affect the normal operation of the system. We recommend that you block this stored procedure if you have any conditions.

In addition, there are several dangerous extended stored procedures in the MSSQL database. By default, the Public group has executable permissions, which can be used by SQL Injection users to read file directories and user groups, you can write dangerous scripts to the server by writing them to the database first and then exporting them as files, or directly use some stored procedures to execute commands, such as xp_mongoshell. These stored procedures are as follows:

Sp_makeweBTask
Xp_mongoshell
Xp_dirtree
Xp_fileexist
Xp_terminate_process
Sp_oamethod
Sp_oacreate
Xp_regaddmultistring
Xp_regdeletekey
Xp_regdeletevalue
Xp_regenumkeys
Xp_regenumvalues
Sp_add_job
Sp_addtask
Xp_regread
Xp_regwrITe
Xp_readweBTask
Xp_makeweBTask
Xp_regremovemultistring

Corresponding Measures: Delete the stored procedure or executable file or modify the executable permission of the user group corresponding to the stored procedure. The script for deleting the stored procedure is:

Drop PROCEDURE sp_makeweBTask
Exec master .. sp_dropextendedproc xp_cmdshell
Exec master .. sp_dropextendedproc xp_dirtree
Exec master .. sp_dropextendedproc xp_fileexist
Exec master .. sp_dropextendedproc xp_terminate_process
Exec master .. sp_dropextendedproc sp_oamethod
Exec master .. sp_dropextendedproc sp_oacreate
Exec master .. sp_dropextendedproc xp_regaddmultistring
Exec master .. sp_dropextendedproc xp_regdeletekey
Exec master .. sp_dropextendedproc xp_regdeletevalue
Exec master .. sp_dropextendedproc xp_regenumkeys
Exec master .. sp_dropextendedproc xp_regenumvalues
Exec master .. sp_dropextendedproc sp_add_job
Exec master .. sp_dropextendedproc sp_addtask
Exec master .. sp_dropextendedproc xp_regread
Exec master .. sp_dropextendedproc xp_regwrITe
Exec master .. sp_dropextendedproc xp_readweBTask
Exec master .. sp_dropextendedproc xp_makeweBTask
Exec master .. sp_dropextendedproc xp_regremovemultistring

If the D99_TMP data table is found in the database, notify the website administrator to fix the SQL injection vulnerability. This table is the default auto-increment table of an SQL injection tool and contains the names of all files and folders in the C directory, server network management should check xp_dirtree's extended stored procedure permissions and set it to public group unreadable to prevent malicious visitors from reading local file information, deleting xp_dirtree stored procedure, or deleting xpstar. dll file, which is located in the SQL installation directory.

EXEC sp_addextendedproc xp_dirtree, @ dllname = xpstar. dll
EXEC sp_addextendedproc xp_fileexist, @ dllname = xpstar. dll

In terms of programs: the simple preventive method is to write asp programs in this way:

When writing code id = request ("id ")
Change to id = int (request ("id "))
In this way, the SQL string after the id is changed to a number will be cleared.

In addition, set SQL = "select * from XXX where id =" & id
Change to SQL = "select * from XXX where id =" & id &""
The SQL strings added by the hacker will not be processed and executed or fail to be executed.