# We got hacked...



## Greg Alsobrook (Apr 2, 2007)

One of our servers was hacked yesterday... From what we can tell, it's some sort of SQL injection that was done through one of our ASP pages... It has a redirect going to nihaorr1.com.

We've done some research, and apparently this is pretty common... and the only intent is to 'harass'....

My question is... does anyone have any experience in removing this 'script' and repairing a small SQL database from this sort of attack?


----------



## smiddy (Apr 5, 2006)

It probably slows things down a little too. I'll see if I can find something out about it here for ya.


----------



## LarryFlowers (Sep 22, 2006)

This attack has been under way since mid-April...

The easiest way to deal with it is to restore the database from backups if you have them... there is a Microsoft TechNet page that deals with the problem:

http://www.microsoft.com/technet/security/advisory/951306.mspx

Also refer to this web site, where a number of affected individuals have been researching and dealing with the problem.

http://forums.iis.net/t/1148917.aspx


----------



## tcusta00 (Dec 31, 2007)

LarryFlowers said:


> ... restore the database from backups


:eek2: Huh? Back-what? :lol:

Just kidding, AirRocker. Hope you figure it out... sucks dealing with problem databases, especially when it's not your screwup. Good luck.


----------



## LarryFlowers (Sep 22, 2006)

"the only time you need your back up is when you don't have it"

Backups are a Pain in the A##... but this is why...

Face it, the evil technology empire has shifted tactics.. the virus and trojan is no longer the weapon of choice... attacks thru infected web pages are the new weapons.

Doesn't mean you don't need to be vigilant on all fronts, it just means we have a new threat source and we have to adapt.

I just wish the governments of the world would treat these guys like any other terrorist, they are economic terrorists, and send in the SEALS!


----------



## Drew2k (Aug 16, 2006)

SQL injection attacks ... worse than a dirty needle in a back alley ...


----------



## tcusta00 (Dec 31, 2007)

LarryFlowers said:


> I just wish the governments of the world would treat these guys like any other terrorist, they are economic terrorists, and send in the SEALS!


Amen to that! The laws need to catch up to the 20th century. (and then maybe we can make the leap into the 21st.)


----------



## markrubi (Oct 12, 2006)

It's even in the news today..
http://www.theregister.co.uk/2008/04/24/mass_web_attack/


----------



## Richard King (Mar 25, 2002)

One of these guys needs to be caught and made an example of. A hanging in the public square broadcast on Utube might be appropriate.


----------



## glennb (Sep 21, 2006)

Richard King said:


> One of these guys needs to be caught and made an example of. A hanging in the public square broadcast on Utube might be appropriate.


Maybe even broadcast it on _youtube_ instead of _Utube_.


----------



## phat78boy (Sep 12, 2007)

Man that sucks. I have dealt with this a few times and I will agree with LarryFlowers. Get out your most recent backup and do a restore. You can try to fix things manually, but you'll have burnt so much time it's better to just lose the data and try to re-input what was lost.
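
Added example, not part of the original thread or anyone's post: a sketch of the manual cleanup discussed above, which finds text columns carrying a `<script>` tag that points at the domain named in the thread and strips it. SQLite stands in for the SQL Server database, and the `products` table, the tag shape and the `x.js` path are constructed for illustration.

```python
import re
import sqlite3

# Domain named in the thread; the tag shape and script path are constructed.
INJECTED_DOMAIN = "nihaorr1.com"
# A whole <script ...></script> element whose src points at that domain.
TAG_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?[^\"'>\s]*" + re.escape(INJECTED_DOMAIN)
    + r"[^>]*>\s*</script>", re.IGNORECASE)

def text_columns(conn):
    """Return [(table, column)] for every text-typed column in the database."""
    cols = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        info = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
        for _cid, name, ctype, *_ in info:
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                cols.append((table, name))
    return cols

def find_injected(conn):
    """Return [(table, column, rowid, value)] for rows carrying the tag."""
    hits = []
    for table, col in text_columns(conn):
        q = f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?'
        rows = conn.execute(q, (f"%{INJECTED_DOMAIN}%",)).fetchall()
        hits += [(table, col, rid, val) for rid, val in rows if TAG_RE.search(val)]
    return hits

def clean(conn, hits):
    """Strip the tag from each hit in one transaction; return rows changed."""
    with conn:  # commits on success, rolls back if any UPDATE fails
        for table, col, rowid, value in hits:
            conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                         (TAG_RE.sub("", value), rowid))
    return len(hits)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name VARCHAR(50), notes TEXT)")
    tag = '<script src="http://www.nihaorr1.com/x.js"></script>'  # constructed
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Widget" + tag, "in stock"),
        (2, "Gadget", "see nihaorr1.com thread"),  # mentions the domain, no tag
        (3, "Gizmo", "blue" + tag + tag),          # tag appended twice
    ])
    hits = find_injected(conn)
    changed = clean(conn, hits)
    rows = conn.execute("SELECT name, notes FROM products ORDER BY id").fetchall()
    return len(hits), changed, rows
```

Take a backup before running any cleanup like this. Stripping the tag repairs the data only; the page that accepted the injection still has to be fixed.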


----------



## Greg Alsobrook (Apr 2, 2007)

well, we're back up and running...

a *HUGE* thanks to Earl Bonovich... who logged into our servers last night and cleaned everything up for us... only took him about 15 minutes...

thanks again Earl... i owe you bigtime!!


----------



## tcusta00 (Dec 31, 2007)

What a guy!!


----------



## Drew2k (Aug 16, 2006)

AirRocker said:


> well, we're back up and running...
> 
> a *HUGE* thanks to Earl Bonovich... who logged into our servers last night and cleaned everything up for us... only took him about 15 minutes...


uh-oh! An outsider logging in to a server!? That would open up a whole 'notha can of worms where I work! :lol:

Glad you're back up and running, though, and glad you had a recourse to let someone in ... sometimes I miss the simpler days when it didn't take change requests, committees, control review boards and technical assessments to get something done...


----------



## phat78boy (Sep 12, 2007)

Congrats on the quick cleanup.


----------



## phat78boy (Sep 12, 2007)

Drew2k said:


> uh-oh! An outsider logging in to a server!? That would open up a whole 'notha can of worms where I work! :lol:
> 
> Glad you're back up and running, though, and glad you had a recourse to let someone in ... sometimes I miss the simpler days when it didn't take change requests, committees, control review boards and technical assessments to get something done...


Man, tell me about it. Red tape takes so much fun out of the job.


----------



## Greg Alsobrook (Apr 2, 2007)

markrubi said:


> It's even in the news today..
> http://www.theregister.co.uk/2008/04/24/mass_web_attack/


i meant to say this yesterday and forgot...

thanks for posting this link... pretty interesting stuff...

and thanks to larry flowers for his links as well...


----------



## Greg Alsobrook (Apr 2, 2007)

Drew2k said:


> uh-oh! An outsider logging in to a server!? That would open up a whole 'notha can of worms where I work! :lol:
> 
> Glad you're back up and running, though, and glad you had a recourse to let someone in ... sometimes I miss the simpler days when it didn't take change requests, committees, control review boards and technical assessments to get something done...


yeah... we deemed him trustworthy... :lol:

we're a very small company... only about 10 employees... my dad actually owns the place... we know just enough to get us by when it comes to the SQL stuff... and the guy that built our database for us is nowhere to be found... so we're kinda on our own... we would have been in a really big pickle if not for earl... he seriously saved the day... i can't imagine how long it would have taken to rebuild those databases... probably months... we had backups of everything... except that database... :lol: ... retrospect had not been backing it up properly... and we hadn't gotten around to fixing it yet... but you better bet your a$$ we got a backup now...

anyway... thanks to all for your input... you guys better watch out for this thing... apparently it's pretty widespread... and it did actually do some damage to the database... nothing major... but it wasn't just to 'harass' after all...

i agree that these guys should be treated as terrorists (because that's what they are) and punished to the fullest extent of the law....


----------



## LarryFlowers (Sep 22, 2006)

AirRocker, glad you are back up and are backing up :lol: 

Kudos to Earl!!!

Suggestion, hire somebody who can redo some of your SQL code. I don't do it or I would volunteer. You need to be able to verify the data being entered into the database for "validity". I am not a SQL expert, but one of my client's National Offices, who run a number of SQL databases that receive information from web based forms, called in an outside agency who wrote some SQL code that "verified" information that was entered into web based forms so that this couldn't happen.

Amazing, if you do a Google search today for nihaorr1.com, you will get about 35,000 infected web site hits... on the day you started this thread, that number was over 100,000.
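
Added example, not part of the original post: the input checking described above, shown as a concatenated query beside a version that validates the form field against an allow-list and then binds it as a parameter. Parameter binding is a separate technique from validation and is named here as such; SQLite stands in for the real database, and the `customers` table, the zip-code field and all values are constructed.

```python
import re
import sqlite3

# Allow-list for a hypothetical zip-code form field: exactly five digits.
ZIP_RE = re.compile(r"\d{5}")

def make_db():
    """Build a small constructed table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, zip TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("Alice", "30301"), ("Bob", "30302")])
    return conn

def lookup_concatenated(conn, zip_code):
    """'Before': form input is pasted into the SQL text and can rewrite the query."""
    sql = ("SELECT name FROM customers WHERE zip = '" + zip_code
           + "' ORDER BY name")
    return [r[0] for r in conn.execute(sql)]

def lookup_bound(conn, zip_code, validate=True):
    """'After': reject input outside the allow-list, then bind it as data."""
    if validate and not ZIP_RE.fullmatch(zip_code):
        raise ValueError("zip must be exactly five digits")
    # The ? placeholder keeps the value out of the SQL text entirely, so even
    # unvalidated input is compared as a literal string and never parsed as SQL.
    return [r[0] for r in conn.execute(
        "SELECT name FROM customers WHERE zip = ? ORDER BY name", (zip_code,))]

def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed textbook input
    leaked = lookup_concatenated(conn, hostile)        # every row comes back
    inert = lookup_bound(conn, hostile, validate=False)  # no row matches
    try:
        lookup_bound(conn, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, inert, rejected
```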


----------



## smiddy (Apr 5, 2006)

Kewl stuff Earl! Glad you are back up AirRocker...I got distracted with work to ask our guys, but it seems it wasn't needed.


----------



## Richard King (Mar 25, 2002)

glennb said:


> Maybe even broadcast it on _youtube_ instead of _Utube_.


There might be a better audience that way.


----------

