so my database got hacked

Discussion in 'Databases' started by IPS, Jun 28, 2008.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. IPS

    IPS

    Hello,

    Before I say anything I have to tell you that I am not a programmer. I own a small web based business that has turned into my full time profession after becoming medically disabled from my 'real job.'

    Recently we suffered from 'SQL injection' which introduced a script linking my website to some nefarious website called app52.com

    The kind folks in discountasp support tried restoring the database with an older version but all of the available data is corrupt.

    My web programmer who set up the website is no longer around.

    I need someone who can remedy the security vulnerability and clean up the problem. So if you or someone you know could take on this project economically I would like to hear from you asap. Ideally I would like to work with someone in the SF Bay Area (we're in Alameda) but we're open to working with anyone who can get us back in business in short order.
     
  2. Hi,
    I can post at least 100 links to attacks against sites over the past 7 months that used SQL Server.
    These attacks were targeted at Microsoft. They could have chosen any platform.
    What made it easy, even after years of warnings, was the code out there allowing SQL attacks.


    DiscountASP.NET is bar none the best Shared Host in the world.
    These attacks are not the fault of DiscountASP.NET


    SQL Injection attacks are something we have all been fighting for about 9 years now.


    Over the past 30 days Microsoft has turned up the heat.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;954476&sd=rss&spid=8940


    http://blogs.msdn.com/tom/archive/2008/06/26/sql-injection-some-tools-to-help.aspx


    If you need help with this please ask, I'm always willing.
    Salute,
    Mark
     
  3. IPS

    IPS

    We got the problem fixed for now. I think the best route for us is to get away from ASP and move to an open source solution. Microsoft products are simply more vulnerable than others, particularly Unix based systems.
    We are a small business and I've found out there are more secure and economical solutions out there.
    I wish I had known more when I first set up our website.
     
  4. First, I think it sucks that you got hacked. But this needs to be put into correct perspective: The attack you experienced was simply due to bad programming. Two simple mistakes were made:

    #1: Hiring a programmer that did not take the most basic precautions against an injection attack. Injection attacks happen on all platforms, all the time, UNIX, Windows, all of them..

    #2: Making and keeping backups OFFSITE. Emphasis on OFFSITE...!!! (P.S. DASP people, when are zipped backups going to be available by API?)

    Don't blame ASP or DASP.... in this case the blame is squarely on the programmer. Any experienced and capable programmer will confirm this for you. Good luck.
     
  5. IPS

    IPS

    A friend of mine owns a web development company. He's far too busy to be working on a small project like mine but he's also somewhat of an expert on internet security stuff. The bottom line is Microsoft products are more susceptible to being hacked than others. MS is also a more expensive platform. I'm not overly technical so I can't speak to specifics but I have no reason to doubt someone who has a good track record in the business.
    Our website was put together in 2005 and I don't have ongoing support from a programmer so I can't really blame him.
     
  6. Microsoft also happens to own a huge chunk of the installed market, and therefore vulnerabilities receive much more visibility than less used operating systems. I don't know how you come to the conclusion that MS is a "more expensive platform". I disagree with that, especially in a shared hosting context. I used to design/engineer/test UNIX solutions for large companies once upon a time. UNIX/LINUX seemed a natural choice when I started my own business, but I came to find out that Microsoft now offers some really slick tools and software that gives me the ability to develop software with ease. Coupled with a well hosted environment like DASP, it's helping me build a business in ways simply not possible just a few years ago. The Microsoft offerings are all well integrated to work together (they listen to their customers...), and so many people are using their stuff it's easy to get help...
     
  7. Hi,
    I'm facing the same problem...and it keeps coming back even after I restore my database. I wish DiscountAsp would help....but they seem to think that the problem is only with the code on my site.
     
  8. This is not an issue with Microsoft APIs but the implementation used. The code passes strings as SQL commands, making injection attacks easy, but ADO.NET supports a feature known as Parameterized Commands where all values passed to the query are strongly typed and thus are invulnerable to injection attacks. If the original code is in a good state then switching the types of command used shouldn't be a big issue, just added lines of code. I'm no expert but I'm sure if you dig around you can find more information.

    The worst case scenario is a rewrite of the whole data access layer to use the improved features of ADO.NET, if the code uses a different data access technology.

    Hope this info helps.

    Post Edited (L.Fergusson) : 7/29/2008 6:34:28 PM GMT
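    The change post 8 describes, as an added C# example that is not code from this thread or from DiscountASP.NET: the same lookup written first as a concatenated string command and then as an ADO.NET parameterized command. The table and column names (Products, ProductId, Name) and the connection string are assumptions.

```csharp
// Added example, not from the thread. Table/column names and the
// connection string are assumptions for illustration only.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // Vulnerable form: request input is pasted into the SQL text, so the
    // database cannot tell where the query ends and the data begins.
    public static string UnsafeLookup(SqlConnection conn, string idFromRequest)
    {
        string sql = "SELECT Name FROM Products WHERE ProductId = " + idFromRequest;
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar() as string;
        }
    }

    // Parameterized form: the SQL text is fixed and the value travels as a
    // typed parameter, so whatever the request contains is only ever a value.
    public static string SafeLookup(SqlConnection conn, string idFromRequest)
    {
        // Strong typing up front: a non-integer id is rejected before any SQL runs.
        if (!int.TryParse(idFromRequest, out int productId))
            throw new ArgumentException("ProductId must be an integer", nameof(idFromRequest));

        const string sql = "SELECT Name FROM Products WHERE ProductId = @id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // For text columns use SqlDbType.NVarChar with a length instead of Int.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = productId;
            return cmd.ExecuteScalar() as string;
        }
    }

    public static void Main()
    {
        // Placeholder connection string; replace with your own.
        using (var conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        {
            conn.Open();
            Console.WriteLine(SafeLookup(conn, "42"));
        }
    }
}
```

    Every place the existing code builds a command string from request, form, cookie or query-string values is a candidate for the second form; the SQL text itself stays almost the same.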
     
  9. mjp

    mjp

    Well - if the problem continues to re-occur after restoring an uninfected database, then the problem is with your code, as explained by others above. It is not server-related.

    A lot of users are frustrated when we say that we cannot help them, but we have valid reasons for not touching customer code. But even if we changed that policy tomorrow we would simply not have the resources to fix code problems for every customer who asked for help. So we have to maintain the hands-off policy that we have in place.
     