HELP! Production DB was SQL INJECTED! [duplicate]
Solution 1:
The first thing to do is not panic. But I see you've skipped that and have decided to
The second thing is to take the site down and make sure it's not accessible from the outside until you can figure out what's broke. Start looking at access logs and try to find out what the main problem is.
The third thing to do is see if you backup your DB regularly and just do a roll back. You might lose some data -but you'll be in a better spot than you are right now
The fourth thing to do is - DO NOT - give out the url because apparently it's unsecure
Solution 2:
Definitely make sure to install the newest version of UrlScan--it was pretty much designed to stomp on this sort of attack.
If you have IIS logs, the entry point should be pretty obvious--look for the one the hackers were hammering.
Another good backstop, if at all possible, is to deny INSERT and UPDATE rights to the web user account and punch that through stored procedures instead. That sort of backstop saved us from having a similar problem with a similar legacy app when this was a zero-day attack.
I think you can also remove the PUBLIC user's right to scan tables, which should keep them from doing the "foreach table" style attacks.
Solution 3:
As a reference point, this is the work of the ASPRox bot SQL Injection attack. It seems to surface it self now and then because it gets pretty viral when compromised systems are found. You can Google around for "ASPRox bot" and get some additional cleansing methods and further prevention treatments. I just found this PDF file that has a nice overview on its tactics and links to some cleanup options.
The problem is that virus/injection model essentially took every single text field in ALL your database tables and put in a little snippet that calls out to the URL specified to attempt to infect any other web clients and attempt to make them zombies that visit your site.
So make sure to check all databases on that server in question, not just the one with the database involved to do a proper cleansing.
It appears you're on the right path with the suggestions here, but having some "formal" references to the virus name might help with additional needs.
Solution 4:
First, you have to shut the site down, to prevent further injection attacks.
Second, you need to do a security audit, to determine what logging you have, and what security is in place on the system, and determine how the attackers got in.
Third, you need to put in place logging and security for those areas where you were compromised, at the very least. Put in place a system for detecting intrusion that informs you immediately (such as a pager).
Fourth, inform management that the downtime is a consequence of their ignoring security.