Editor's note: for reference, see this article: http://www.bkjia.com/Article/200807/28102.html
Solutions to the latest popular database Trojan
Some time ago, data in several tables of the company's main website database was repeatedly modified and infected. Because the website had been built by someone else and the code was a bit messy, I only read the code in the files related to these tables. The cause seemed to be that dangerous characters were not filtered when parameters were received, so I added a formatting function for incoming parameters and, in the database connection file, replaced ";" with ";". However, a day later the site was infected with a Trojan again, and replacing semicolons had no effect.
So I searched and found many examples of Trojans being planted through database SQL injection since January March. This method seems to be very popular at the moment, and it targets only ASP + SQL Server websites: as long as your website code has a SQL injection vulnerability, it may be infected with Trojans. It only affects text-type fields such as char/text. The modified data basically has a JavaScript reference appended to it: 1.js, B.js and so on.
However, all I could find were methods for preventing SQL injection. The following code can be found on the Internet; add it to the database connection file:
<%
Response.Buffer = True
' Set to False to switch the filter off
Const EnableStopInjection = True
If EnableStopInjection = True Then
    ' Check every input collection before any page code runs
    If Request.QueryString <> "" Then Call StopInjection(Request.QueryString)
    If Request.Cookies <> "" Then Call StopInjection(Request.Cookies)
    If Request.Form <> "" Then Call StopInjection(Request.Form)
End If

Sub StopInjection(Values)
    Dim regEx
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    ' Reject quotes, semicolons, # and SQL keywords delimited by whitespace, + or parentheses
    regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s\b+]*)"
    Dim sItem, sValue
    For Each sItem In Values
        sValue = Values(sItem)
        If regEx.Test(sValue) Then
            ' Stop the request as soon as one value matches
            Response.Write "the SQL Injection risk is detected. Please confirm the information you submitted."
            Response.End
        End If
    Next
    Set regEx = Nothing
End Sub
%>
Note: Adjust the value of regEx.Pattern to your needs. If it is set badly, legitimate submissions will also trigger the SQL injection warning.
After this code was added, no more Trojans were injected.
A few days ago, I got the IIS log from the hosting provider and found the specific page and method used for the SQL injection, as shown below:
2008-06-23 16:01:31 GET /xxx.asp id=90;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(Bytes%20AS%20VARCHAR(4000));EXEC(@S);-Mozilla .8.166.17 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - www.xxx.com 200 0 271 1432
After the encoded part in the middle is decoded:
DECLARE @T varchar(255),
        @C varchar(255)
-- Cursor over every text-type column of every user table
-- (xtype 'U' = user table; 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a,
     syscolumns b
WHERE a.id = b.id AND
      a.xtype = 'U' AND
      (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- Append the Trojan content to the existing value of the column
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] =
        RTRIM(CONVERT(varchar, [' + @C + '])) +
        ''Trojan content''')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
In addition, this SQL statement is injected every few minutes, and the IP address changes constantly, so the real source of the SQL statement cannot be found. This shows how mean this kind of person is.
If the website's IIS log is large, you can use the IIS log import and analysis tool written by chxwei a few days ago to query and analyze it.
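To find which pages were hit, as in the log line above, the matching requests can be pulled out of the log and their hex payload decoded offline. The Python below is an added example, not part of the original article and not chxwei's tool; it assumes W3C extended logs with a #Fields header, its sample lines are constructed (harmless payload, documentation IP addresses), and it goes slightly beyond the logged case by also decoding NVARCHAR casts.

```python
import re
from urllib.parse import unquote

# Hex literal CAST to a string type, as in the logged request above.
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?VARCHAR)", re.I)
EXEC_RE = re.compile(r"\bEXEC\b", re.I)

# Constructed sample: the hex below decodes to the harmless text "SELECT 1".
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2008-06-23 16:01:31 GET /xxx.asp id=90;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x53454C4543542031%20AS%20VARCHAR(4000));EXEC(@S);-- "
    "192.0.2.10 200",
    "2008-06-23 16:02:10 GET /news.asp id=12 192.0.2.11 200",
]

def decode_payload(hex_text, sql_type):
    """Turn the hex literal back into the SQL text it encodes."""
    # Logged URLs can be cut short, so drop a dangling half-byte.
    raw = bytes.fromhex(hex_text[: len(hex_text) // 2 * 2])
    # NVARCHAR data is UTF-16LE; VARCHAR is treated as single-byte text.
    codec = "utf-16-le" if sql_type.upper() == "NVARCHAR" else "latin-1"
    return raw.decode(codec, errors="replace")

def scan_iis_log(lines):
    """Return one finding per request whose query string carries the pattern."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS logs spaces as %20 or '+'; normalise before matching.
        query = unquote(row.get("cs-uri-query", "").replace("+", " "))
        match = CAST_RE.search(query)
        if match and EXEC_RE.search(query):
            findings.append({
                "time": f'{row.get("date", "")} {row.get("time", "")}',
                "page": row.get("cs-uri-stem", ""),
                "client": row.get("c-ip", ""),
                "decoded": decode_payload(match.group(1), match.group(2)),
            })
    return findings

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

The "page" values in the findings are the scripts whose parameter handling needs to be fixed first.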
Finally, if the database has been modified and infected with Trojans:
1. Check the IIS logs to see which pages were injected, and modify the code of those pages to prevent SQL injection.
2. If there is no IIS log and the exploited page cannot be found, add the code mentioned above to the database connection file.
SQL injection is only possible because of a vulnerability in the website code, so writing code to a consistent standard is the key.
From: webshell blog