My site is currently getting hit by a CAST SQL injection attack which, so far, seems specific to servers running ColdFusion. However, according to a visitor to this article, the attack has evolved and is now affecting MSSQL. Here’s a sample of the start of the attack string:

?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST

Here’s a more complete sample of the attack.

Here’s another good article concerning this sql injection that’s wreaking havoc.

First off, if you see anything like this hitting your site, then yes, your site is being hit by a ‘hack your site’ attempt. This can be coming from a particular person who wants to mess up your day, but often the hits come from a bot or several bots trolling the web.

In the case of the above-mentioned attack, the injection adds a script to the end of each table/file. Once this file is accessed by a visitor to your site, they are redirected automatically to another site which can download a virus onto their computer… The domain from which the virus is generated seems to be 127.0.0.1.

The attack normally starts out by hitting a specific URL. That’s how it was for me: it was just hitting the one article. But hours later I’m getting hits on various URLs, and the attacks are coming from different IPs each time. Hence it can’t be blocked by IP.
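Since the source addresses keep changing, the request pattern itself is the reliable signal. The script below is an added example (not code from the original post or from any site mentioned in it) that scans web-server access-log lines for the DECLARE/CAST shape shown above and decodes the hex blob so you can read what the injected statement would have been. The log lines, the IP addresses (documentation ranges) and the decoded statement are all constructed placeholders; the hostname example.invalid is reserved and resolves nowhere. It goes slightly beyond the post’s sample by also handling the NVARCHAR variant of the same pattern, whose hex is UTF-16LE rather than 8-bit text.

```python
import re
from urllib.parse import unquote

# Constructed placeholder for what the hex blob decodes to. This is NOT a captured
# payload; it only stands in for "a statement that appends a script tag".
PLACEHOLDER_SQL = "UPDATE t SET c=c+'<script src=\"http://example.invalid/a.js\"></script>'"

# Two encodings appear in this attack family: 8-bit hex cast to CHAR(4000) (the
# post's sample) and UTF-16LE hex cast to NVARCHAR(4000).
HEX_CHAR = PLACEHOLDER_SQL.encode("ascii").hex().upper()
HEX_NCHAR = PLACEHOLDER_SQL.encode("utf-16-le").hex().upper()

# Constructed access-log lines in common log format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, not real sources.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/May/2008:03:12:01 +0000] "GET /article.php?id=12;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x{HEX_CHAR}%20AS%20CHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/May/2008:03:12:09 +0000] "GET /article.php?id=12 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [10/May/2008:03:15:44 +0000] "GET /show.php?p=7;DECLARE%20@T%20NVARCHAR(4000);SET%20@T=CAST(0x{HEX_NCHAR}%20AS%20NVARCHAR(4000));EXEC(@T);-- HTTP/1.1" 200 4096',
]

# Client IP and the request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) ')

# DECLARE @var (N)(VAR)CHAR(n); SET @var = CAST(0x<hex> AS (N)(VAR)CHAR ...
# The backreference \1 ties the SET to the variable that was declared.
CAST_RE = re.compile(
    r"DECLARE\s*@(\w+)\s*N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*;\s*"
    r"SET\s*@\1\s*=\s*CAST\s*\(\s*0x([0-9A-Fa-f]+)\s*AS\s*(N?)(?:VAR)?CHAR",
    re.IGNORECASE,
)


def decode_hex_payload(hex_blob, utf16):
    """Turn the 0x... blob back into text so the statement can be read."""
    raw = bytes.fromhex(hex_blob)
    # NVARCHAR casts carry UTF-16LE text; CHAR casts carry 8-bit text.
    return raw.decode("utf-16-le" if utf16 else "latin-1", errors="replace")


def inspect_request(line):
    """Return a finding dict for a log line carrying the pattern, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, raw_target = m.groups()
    target = unquote(raw_target)          # %20 -> space, etc.
    hit = CAST_RE.search(target)
    if not hit:
        return None
    variable, hex_blob, n_prefix = hit.groups()
    return {
        "ip": ip,
        "variable": variable,
        "decoded": decode_hex_payload(hex_blob, bool(n_prefix)),
    }


def scan_log(lines):
    """All findings for an iterable of log lines, in order."""
    return [f for f in (inspect_request(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']}  @{finding['variable']}  ->  {finding['decoded']}")
```

Run it against a real log with `scan_log(open("access.log"))`; the decoded text tells you which tables and columns the injected statement was aimed at, which is what you need before cleaning the database.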

It seems the infection, which can download a virus onto a visitor’s computer, is repaired by rewriting the attack string to remove the script from the database tables, or by running a query. There are other possible repairs, as outlined in the above-mentioned article.
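The “running a query” repair means visiting every text column of every table and stripping the appended script tag. The following is an added example, not code from the original post, that does this over a small constructed database: it lists the infected table/column pairs first, then removes the tag. It uses SQLite (in memory) so it runs anywhere; on the MSSQL servers the post mentions, the same idea is driven from INFORMATION_SCHEMA.COLUMNS with CHARINDEX and REPLACE instead of sqlite_master, PRAGMA table_info and instr. The table layout, the rows and the script tag (pointing at the reserved hostname example.invalid) are all constructed.

```python
import sqlite3

# Constructed stand-in for the injected tag the post describes (placeholder host).
INJECTED_TAG = '<script src="http://example.invalid/a.js"></script>'


def build_sample_db():
    """In-memory database with the tag appended to several text columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(50), text TEXT);
    """)
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", [
        (1, "Hello" + INJECTED_TAG, "First post" + INJECTED_TAG, 10),
        (2, "Clean title", "Untouched body", 3),
    ])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        (1, "alice" + INJECTED_TAG, "nice" + INJECTED_TAG),
    ])
    conn.commit()
    return conn


def text_columns(conn):
    """Yield (table, column) for every text-typed column in every user table."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if "CHAR" in ctype.upper() or "TEXT" in ctype.upper():
                yield table, name


def find_infected(conn, marker):
    """Count rows per (table, column) that contain the marker.

    instr() is used rather than LIKE so that '%' and '_' in the marker are
    not treated as wildcards.
    """
    counts = {}
    for table, col in text_columns(conn):
        n = conn.execute(
            f'SELECT COUNT(*) FROM "{table}" WHERE instr("{col}", ?) > 0', (marker,)
        ).fetchone()[0]
        if n:
            counts[(table, col)] = n
    return counts


def strip_marker(conn, marker):
    """Remove every occurrence of the marker from all text columns; return rows changed."""
    total = 0
    for table, col in text_columns(conn):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = REPLACE("{col}", ?, ?) WHERE instr("{col}", ?) > 0',
            (marker, "", marker),
        )
        total += cur.rowcount
    conn.commit()
    return total


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_infected(db, INJECTED_TAG))
    print("rows cleaned:", strip_marker(db, INJECTED_TAG))
    print("after:", find_infected(db, INJECTED_TAG))
```

Take a backup before running the cleanup, and check `find_infected` first: the exact tag varies between waves of this attack, and REPLACE only removes the string you hand it. Cleaning the tables removes the symptom; the hole that let `;DECLARE …` run as SQL is still there until the page builds its queries with bound parameters instead of pasting the query string into SQL.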

Some sites are getting hit thousands of times in a single day with this attack.  Hopefully this vile collection of garbage code will be struck down shortly…

Here are the steps I take when I see an attack.

I’m still a novice (I can’t even run a query automatically to scan a table and remove a particular piece of text). First off, back up weekly and download the backup onto your PC. Back up your files onto an external hard drive weekly.

1.  I password-protect all public directories (to give me time to research the attack). Since this site averages about 20 visitors per hour, it’s not causing a big problem to shut it down for 30 minutes.

2.  I block the IP address the attack is coming from if it appears to be coming from only one (unlike this one).

3.  Using the Google search engine, I research the attack to see if my site may be vulnerable.

4.  I contact my host to inform them of the attack and inquire about certain details I’ve read as they relate to the vulnerability: “Are you guys running ColdFusion?” for example. Some attacks can hit one website, break through, and then actually corrupt other sites supported by your host.

5.  If my site is vulnerable, I patch the vulnerability. Sometimes I may have to update my files to the latest version of WordPress, for example (which should be done anyway)…

6.  I may change my passwords if the attack is designed to steal them…

7.  After I feel safe about my security, I remove the password protection from the directories. In the above-mentioned case, these are the steps I have taken. Though I’m still getting hit by this attack bot, I feel confident my site is hardened enough to prevent this hack.