My SQL database has been infected with a virus which I cannot get rid of. I cleaned my database and reloaded it to the server and 10 minutes later 1000 records were infected with the virus. Discountasp support said it was due to sql injection even though I have made sure all my sql commands were coded with parameterized statements. The support staff said to update the (CMS) Content Management System. What is that and how do I update it. I am on the IIS 7 server.
Sorry to hear that. CMS is, for example, a packaged collection that can be installed then allows you to add content rather than the need to code the added content. DNN (Dot Net Nuke) is one widely used CMS example. Did you install a package that does use SQL Server and then became infected?
SQL injection I wrote the programs that use SQL commands to get data from my viewers. I did not install any other software other than my own web site and then used SQL Server thru discountasp. I briefly looked at Dot Net Nuke and I really don't know much about it except it probably costs a lot of money and I would have to reprogram everything all over again. It looks like I am screwed and will have to make website static so no input data can be processed.
If that is the case and you have sanitized the user input, then it could be that your SQL (and probably site) user/pass has been compromised. It may be prudent at this point to do a thorough virus scan of your computer(s) to see if any viruses or malware are found. Here are links to a few free detection tools: http://www.microsoft.com/security/malwareremove/default.mspx http://vil.nai.com/vil/stinger/ http://www.safer-networking.org/en/spybotsd/index.html http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx Once you find the problem and clean it up you can change your account passwords and the SQL exploit shouldn't return. If it does, then it is definitely SQL injection.
