Got Hacked Big Time

liunx

Guest
Ok so some a$$.... got into one of my sites and really took it apart. Basically they were able to destroy all data on the site. I thought I was protected. The site is www.smilescanning.com/. I originally got hacked via SQL injection but I thought I fixed that and they really went after me again. Can someone point me to a resource so that I can lock down my other sites so this doesn't happen again?

Thanks....

Did they delete files as well? If so I would check the users on the server. Usually they will create a user for themselves on the server and use that user account to gain access to the server in future.

No they did not delete files. They just deleted data. I THINK my server is safe. There are no new users there. After looking at the site, can you see anything that I should change from a security standpoint? I thought I took care of the SQL injection issue but then it happened again so obviously there is a vulnerability somewhere......

That site you listed: is it back up and running for me to check it out?

Yeah it is back up and running...it just is an empty site data-wise. I am hoping someone can find some vulnerability that I can patch prior to trying to restore it.

I was 1 minute in the page looking for SQL injection then I found an easier way.
I just changed myself to admin.
http://www.smilescanning.com/admin/admin.asp
Someone got some job to do:bash: :chainsaw:
People prolly just googled to that admin page.

Make your admin folder password protected asap.
Make your login also not to give any kind of error messages.
Giving any kind of string to the lower login field crashed the login script.

Also ensure you add the relevant meta to ensure search engines do not index those pages.

OMFG!!!!!! Yeah that pretty much leaves it open doesn't it. SOB. Thanks!

Tell me more about meta tags that ensure that search engines don't index certain pages.

See the problem, your admin panel is indexed by Google: http://www.google.co.za/search?q=site%3Awww.smilescanning.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

These should help:

<meta name="robots" content="noindex, nofollow" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="cache-control" content="no-cache, must-revalidate" />
<meta name="GOOGLEBOT" content="noarchive" />

Though I'm not entirely sure how to do this with traditional ASP (I'm a .NET developer), you could parameterize your queries so that no injection can take place.

For example, your actual query would be, "SELECT * FROM Customers WHERE customerName = @customerName"

Then, you create a parameter "@customerName" and set it to a value from Request.Form, QueryString, etc.,

The code would be somewhat (I haven't done ASP for 3 years now...So, bear with me!) like this:

<%
' Assumes conn is an already-open ADODB.Connection
Dim strCustomerName, cmd, rs
strCustomerName = Request.QueryString("customerName")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM Customers WHERE customerName = ?"
' 200 = adVarChar, 1 = adParamInput; the value is bound by the driver, never concatenated into the SQL text
cmd.Parameters.Append cmd.CreateParameter("@customerName", 200, 1, 100, strCustomerName)
Set rs = cmd.Execute
%>

Just a safer way to write code...

That is helpful. Thanks!!
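The snippet as originally posted in this thread spliced the request value into a SET statement with string concatenation, which is the same defect as concatenating it into the WHERE clause: a quote in the input becomes SQL syntax, which is exactly the "any string crashes the login script" symptom reported above. The following is an added example, not code from the thread, that reproduces the difference in Python against a constructed in-memory SQLite table (Customers and the customer names are made up for the demo).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (id INTEGER PRIMARY KEY, customerName TEXT)")
    conn.executemany(
        "INSERT INTO Customers (customerName) VALUES (?)",
        [("alice",), ("bob",), ("O'Brien",)],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, customer_name: str):
    """Mirrors the posted ASP: the input is glued into the statement text.

    Returns (rows, error). An apostrophe in the input terminates the SQL
    string literal early, so the statement no longer parses: that is the
    crash the thread observed, and the same mechanism an injection uses.
    """
    sql = "SELECT customerName FROM Customers WHERE customerName = '" + customer_name + "'"
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.Error as exc:
        return [], str(exc)


def lookup_parameterized(conn: sqlite3.Connection, customer_name: str):
    """The value travels separately from the statement; quotes stay data."""
    sql = "SELECT customerName FROM Customers WHERE customerName = ?"
    try:
        return [row[0] for row in conn.execute(sql, (customer_name,))], None
    except sqlite3.Error as exc:
        return [], str(exc)


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "O'Brien"):
        print("concatenated ", repr(name), "->", lookup_concatenated(db, name))
        print("parameterized", repr(name), "->", lookup_parameterized(db, name))
```

Run it and the concatenated lookup fails on the perfectly legitimate name O'Brien while the bound parameter finds it; any login form that "crashes" on a quote is telling you it builds SQL the first way.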