Remote Attacks On My Database

Nov 29, 2007

Hi, I'm new on this forum. I just need help to solve, or better said avoid, attacks on a SQL Server 2005 database. I've had some intruders on my database, changing some data on 2 tables. The information there is too important. But I need to know how I can get all the remote addresses that make some massive updates on my DB. I've made some triggers to avoid that, but those people have managed to modify data. I think it is some user on the same VPN.

Help me please. What can I do to get the IP address?

View 1 Replies

DOS Attacks

Mar 22, 2008

Dear guys
I'm developing a web site where subscribers will directly connect to SQL Express and send results of their desktop application to the database.
So everybody, including hackers, can easily obtain a login. Of course I will restrict each login to execute only one stored procedure specially created for himself and do nothing else (or another query to verify the validity of each user, instead of creating special stored procedures for each one).
But I'm worried about the frequency of running that stored procedure by bad users. I can limit the frequency of running the stored procedure, but anyhow each time such a control also takes time. Should I pay attention to such a matter?

I also don't know what happens if a user tries to brute force the server with incorrect user names and passwords repeatedly. Does it lead to slowing down the server? Again, should I pay attention to such a matter?

Does a firewall help? Does IP tracking help? Are these enough? If so, where can I find extra information?

In fact this problem persists even if I redirect user communications to a web service instead of a direct connection to the database, or even use emails. Anyhow hackers can do the same thing, but only some more complexity is added to my project. I found this article for IP tracking in web sites http://weblogs.asp.net/omarzabir/archive/2007/10/16/prevent-denial-of-service-dos-attacks-in-your-web-application.aspx . Is this enough?

I wish to know how big networks do this in the real world.
Can anyone please help me? In fact I'm not a professional in security. Whatever kind of extra suggestions will be appreciated.


regards.

View 9 Replies View Related

SQL Injection Attacks

May 1, 2007

Hello, our security specialist is running an audit on one of my systems. All pages pass except the login page. It keeps saying I am getting hit with a SQL injection attack. I filter out special characters, both on the client side validation and the server side. It is only the one page I have that is failing, and I am beginning to wonder if it is producing false positives.

Imports System.Collections.Specialized
Imports System.Text.RegularExpressions

Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click
    If Not Page.IsValid Then
        lblError.Text = "Page Invalid"
        Exit Sub
    End If
    Dim strMesage As String = ""
    If Not IsInputSanitized(strMesage) Then
        lblError.Text = strMesage
        Exit Sub
    End If
    If Not ValueIsValid(txtUserName.Value.Trim) Then
        lblError.Text = Globals.Message_InvalidCharacters
        Exit Sub
    End If
    If Not ValueIsValid(txtPassword.Value.Trim) Then
        lblError.Text = Globals.Message_InvalidCharacters
        Exit Sub
    End If
    If Not ValidateUser(txtUserName.Value.Trim, txtPassword.Value.Trim) Then
        lblError.Text = Globals.Message_LoginInvalid
    End If
End Sub

Public Function IsInputSanitized(ByRef p_strReturnMessage As String) As Boolean
    Dim loop1 As Integer
    Dim arr1() As String
    Dim coll As NameValueCollection
    Dim regexp As String = "^([^<>" & Chr(34) & "\%;)(&+]*)$"

    Dim reg As Regex = New Regex(regexp)
    coll = Request.Form
    arr1 = coll.AllKeys
    'Loop over every posted form key
    For loop1 = 0 To UBound(arr1)
        'Skip over the ASPNET-generated controls as they will give a false positive.
        If Left(coll.AllKeys(loop1), 2) <> "__" Then
            If Not reg.IsMatch(Request(arr1(loop1))) Then
                p_strReturnMessage = Globals.Message_InvalidCharacters
                Return False
            End If
        End If
    Next loop1
    'If it never hit false return true
    p_strReturnMessage = "Success"
    Return True
End Function

Here are the other validation routines

'This is a check to make sure that the String Values Entered into the Database field
'are indeed valid and without characters that can be used in injection attacks
Function ValueIsValid(ByVal p_Input As String) As Boolean
    Dim strIn As String = p_Input
    Dim x As Integer
    Dim A As String
    Dim l_Return As Boolean = True
    For x = 1 To Len(strIn)
        A = Mid(strIn, x, 1) 'Check each character in the string individually
        If InStr("<>+%|?;()", A) <> 0 Then 'If this is a "bad" character
            l_Return = False 'mark the input as invalid
        End If
    Next
    Return l_Return
End Function

View 8 Replies View Related

SQL Injection Attacks

Nov 6, 2006

I am taking a class where the professor really dislikes using parameterized queries because he considers them to be pointless. Despite the many points that I and a classmate bring up, the only thing he considers valid is using them to prevent SQL injection attacks. To prevent this, he replaces all single quotes with a pair of single quotes. I know this works for SQL Server, but will fail in some others (for instance MySQL also allows '). Are there other possibilities such as the ' that need to be protected against?

View 4 Replies View Related

How To Reduce DOS Attacks

Aug 16, 2006

Hello to everyone

I am running MS SQL 2005 Express. I get 2-4 hacker attacks per day trying to login from "sa".
Some are 37 calls per second, and one of the attacks continued for 4 days.

Is there some setting in MS SQL 2005 to reduce that?

Can you recommend me a good firewall for DDOS attacks?

Is there some legal action that I can take against these people? I have their IPs; most are from the US and Canada.

Thank you in advance
val

View 9 Replies View Related

What Are Sql Injection Attacks And How To Prevent?

Jan 24, 2004

This is a question I put in the SQL community at Microsoft, but it hasn't been answered in full.

------------

I am using dynamic SQL to do a query with different 'order' sentences and/or 'where' sentences depending on a variable I pass to the sp

ex:

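create proc ex
@orden varchar(100),
@criterio varchar(100)

as
-- holds the statement text built from the two parameters
declare @consulta varchar(4000)

-- the parameter values are concatenated directly into the statement text
set @consulta=N'select pais from paises where '+@criterio+' order by '+@orden

-- run the assembled statement
exec (@consulta)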

------------

I'd like to know if it uses 2 sp in the cache, as I read: the main sp and the query inside the variable of the dynamic SQL. If so, as I imagine, then I suppose I have to do the main sp without any 'if' sentence so it is the same sp, and so it is taken from the cache and the sp is not recompiled.

Now, I have various 'if' sentences in the main sp (the caller of the dynamic SQL) but I plan to remove them and do the 'if' by program (it is in asp.net), so I suppose it is better because in this way the main sp is taken from the cache, supposing this uses the cache differently than the dynamic SQL in the variable.

what do u think? does the dynamic sql use 2 caches? if so, u think it is better to try to do the main sp same in all uses (no 'if' statements)?


-----

They told me this coding is not good (dynamic SQL) because it can give control to the user?

I ask, how does it give control to the user? What are SQL injection attacks and how to prevent them?

I use dynamic SQL because I have 150 queries to do, and thought dynamic SQL is good.

Is it true that dynamic SQL has to be recompiled in each execution? I suppose so only if the SQL variable is different, right?

can u help me?

View 4 Replies View Related

How To Prevent SQL Injection Attacks

Apr 8, 2004

Hi,

On my site I have a simple textbox which is a keyword search. People type a keyword and then that looks in 3 columns of an SQL database and returns any matches.

The code is basic, i.e. SELECT * FROM Table WHERE Column1 LIKE '%search%'

There is no validation of what goes into the text box and I am worried about SQL injection. What can I do to minimize the risk?

I have just tried the site and put in two single quotes as the search term. This crashed the script so I know I am vulnerable.

Can anyone help, perhaps point me in the direction of further resources on the subject?

Thanks

Ben

View 3 Replies View Related

Preventing SQL Injection Attacks

Mar 2, 2006

My site has come under attack from sql injections. I thought I had things handled by replacing all single quotes with two single quotes, aka
Replace(inputString, "'", "''")
Alas, clever hackers have still managed to find a way to drop columns from some of my tables. Can anybody direct me towards a best practice document on preventing these attacks?
Thank you thank you,
Kevin

View 4 Replies View Related

Attempted Brute Force Attacks

Nov 24, 2004

It is not uncommon for me to review the event logs of our SQL Server and notice that someone is attempting to figure out the password for one of the SQL user accounts.........especially the "sa" username. But lately our SQL server has to be rebooted to where it is starting to become a nightly thing.

Last night the SQL Server was bombarded with attempted failed connections for 2 hours before it finally gave a blank BSOD. The SQL Server in question is in mixed mode and is a shared server. Strictly using Windows Authentication mode is not an option for us. The server has "beefy" hardware and has all updates and patches.

Sometimes, when I log on the server and notice that an IP address is making such attacks on the server, I put up an IPSEC policy against that IP. But that is not a good solution for reasons I don't think need to be outlined here.

So my question is, what can I do to better protect our SQL Server from these types of attacks? My thought on these attacks is not different than a DDOS that eventually takes the server down.

I have already done TCP/IP Hardening but not sure what else to do.

Thank you all for your replies.

View 3 Replies View Related

Injection Attacks Myth Or Fact?

May 10, 2007

Greetings all,



For entertainment purposes, I've been reading some articles on SQL Injection Attacks and there should be a cover charge to read these articles. (excuse the sarcasm)



Most defense is based on the use of stored procedures or read only settings on the tables.



I'm looking for practical opinions and possibly some code that would convince me personally that this is indeed a real threat.



Also, if possible, please post remedies that are solid and not open ended.



Thanks all,



Adamus

View 1 Replies View Related

Import Wizard - Using Query For Remote Database To Compare Local Database

Apr 10, 2008

I am trying to use the Import Wizard to setup a daily job to import new records based on an ID field (PK). The source database is remote and a replica. I am inserting new records to update my table called the same thing. Both are SQL Native Client


Code Snippet
select *
from [CommWireless].[dbo].[iQclerk_SaleInvoicesAndProducts] as S1
join [IQ_REPLICA].[dbo].[iQclerk_SaleInvoicesAndProducts] as S2
on S1.SaleInvoiceID = S2.SaleInvoiceID
where S1.SaleInvoiceID > S2.SaleInvoiceID


When I parse the query, I keep getting an error message.

Deferred prepare could not be completed.
Statement(s) could not be prepared.
Invalid object name 'IQ_REPLICA.dbo.iQ_SaleInvoicesAndProducts'. (Microsoft SQL Native Client)

Anyone know an easy way to get this to work? Or should I add a create table to verify new records?

View 8 Replies View Related

Could The ADS Access Database Sychronizer Wizard Accomodate A Remote Database?

Jan 4, 2008



I've used the ADS sample program and it works well. I looked at the code and changed it to VB (sorry, I'm not bilingual yet), and have tried to 'adjust' it so I can connect to a remote PC (XP running IIS) instead of the local PC using the workgroup information database (system.mdw). Any ideas of the connection string that could make the connection? My intention is to RDA once a week between a mobile device (3g/gsm) and a 'poor man's' IIS web server.
I've tried everything I can think of, and I'm sure it's possible since all I'm doing is changing the connection path.

View 1 Replies View Related

Remote Database

Jun 13, 2007

How can I connect to a remote database, based on Microsoft sql server? Is there any article that can help? I have read few over the net, but not working for me yet  

View 3 Replies View Related

Connecting To Remote Database?

Feb 3, 2007

I am using SQL Server 2000 database in my VB.Net project.
My VB.net application is installed on two machines in different cities, i.e. there are two separate databases.
First machine's IP address is say 202.33.44.55 and other machine IP address is say 203.33.55.66. Now I want to use each others databases i.e. I want to set their database group.
So that in my VB.Net's application which is installed on 202.33.44.55 I could see data of the 203.33.55.66 by just changing the connection string

View 9 Replies View Related

Remote Database Access

May 14, 2007

Hi, does anybody know how to connect a remote database with an asp.net application? Actually my database is on a different machine (on a different server, in a different location) so I want to connect to that server. Every time I'm getting the following message
 
An error has occured while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.
Thank you,
Nagu

View 4 Replies View Related

How To Backup From Remote Database

Jun 18, 2008

hi all,
I have a remote(online) database of my web portal.
I want to take backup of that remote(online) database to my local machne.
This is SQL Server 2005 database.
Please tell me how I take backup of my database?

View 2 Replies View Related

Remote Database Connection

Mar 4, 2006

Hello,
 
My database stays in a remote site and I have access to it through VPN. I would like to connect my current Windows based Asp.Net application with this database. What are my options? Can I connect to the remote database with SqlDataAdapter, will that be slow? Should I use Web Services to connect to the database?

View 1 Replies View Related

Connecting To Remote Database Using EM

Apr 18, 2006

Hi to all:
I always had a problem connecting to SQL Server from home using EM.
I do add a new server registration, but I always get the following exception:

A Connection could not be established to IP ADDRESS
Reason: SQL Server does not exist or access denied.
ConnectionOpen(Connect())
At the same time, I do use a utility, found at http://sql.bhaidar.net to connect to the same database and works perfect.
Is there any configuration I should do to my pc, don't know maybe some port configuration or so, to allow EM to connect to those remote databases?
Thanks in advance.
Regards

View 3 Replies View Related

Remote Database Connections With 6.5

Apr 11, 2001

I have a need to connect to a remote (i.e. database on the client's site) SQL Server database from a live application. It is relatively easy under Oracle, but I haven't tried to do it to an SQL Server. Has anyone done this? The remote SQL Server database in question is 6.5
You can set up odbc connections to remote clients (99% sure on this) so you could go this way. You can also connect directly to a sql box through an IP address in sql7, but I am not too sure how it is with 6.5.

View 1 Replies View Related

Remote Database Configuration

Aug 15, 2000

Please excuse me as although I have lots of database design & development experience I'm not database administrator and I'm new to SQL Server.

I have a SQL server 7 database on a remote web server which I can access over the Internet.

I have SQL server 7 installed on my local network server and I use Enterprise Manager to administer and configure the databases on the server.

Can I use Enterprise Manager to administer and configure the remote database?

If I can't then how do I make changes to the remote database? Do I need to FTP objects or use RAS?

Any help would be very much appreciated?

View 1 Replies View Related

Remote SQL Database Backup

Sep 19, 2000

Hello Everyone,

I got a problem when I tried to backup SQL 7.0 database to a remote location.
The situation is that I have two SQL Servers (both are SQL Server 7). They are in the same domain, but on two different NT server machines. When I create a new backup device, I can only see the local partitions.

I tried to use T-SQL to create the backup device. It can create it, but when I tried to use it, I got an error message saying the disk does not exist.

I thought that might have something to do with disk sharing, but not sure. Can any of you give me some advice on how I can access the remote partitions from SQL's Enterprise Manager? Thank you very much!

Lunjun

View 2 Replies View Related

HOW TO UPDATE A REMOTE DATABASE

Dec 10, 2000

Can someone help me, PLEASE:

How to update a remote sql server 7 database!

View 2 Replies View Related

Remote SQL Database File

Aug 3, 2003

Hi,

We have 2 Windows server installed . A installed with Windows 2000 server with SQL server 2000 and B is installed with only Windows 2003.

We setup the SQL database on Windows 2003 using a control panel and the database will be setup remotely on the Windows 2000 server.

Is it possible so that the SQL database file to be placed locally on Windows 2003 server instead on the Windows 2000 server which has the SQL 2000 server installed?

Thanks,

View 3 Replies View Related

Remote Administrate Sql Database

Jun 20, 2008

Can I administrate database from client ?

I used to do this by using win remote-desktop to windows server 2003, but since the administrator's password had changed (for security reason), I can do that anymore.

The sys.Admin allows me to make changes in the server room but I don't want them watching what I am doing. I may want to add some table, some field, depending on what users demand. What I have in my notebook is SQL2000 personal edition, which cannot modify a table's structure.

Any suggestion will be very appreciated.
Thanks

ps. sorry for my poor english

View 6 Replies View Related

Deploying To Remote Database

May 4, 2006

Hi,
We are using SQL-Server (2005) for the first time and have developed an app that uses 2 dozen tables and a bunch of SP, triggers, etc.
How do we get our entities to our client site without a lot of copying and pasting? How about the data we want to upload for lookup tables - how would we get the data there?
Moreover, how do we sync stored procedures with the live database as we make changes during development?
Thanks,
Mark

View 1 Replies View Related

How To Connect To A Remote Database ?

Jul 20, 2005

Hello,
First, sorry for my bad English.
Here is my problem:
BoxA: XPpro + Apache + php (using php_mssql.php) + ADOdb + MS SQL Server + My_Prog (using local MS SQL PUBS database)
BoxB: NT4 + Apache + php (using php_mssql.php) + ADOdb + My_Prog (using remote BoxA PUBS database)
BoxC: W2K
My_Prog uses:
$serveur = '10.0.0.1'; // BoxA's IP address
$admin_nom = 'sa';
$admin_mdp = '';
$base = 'PUBS';
$conn = &ADONewConnection($sgbd);
$conn->debug = true;
$a = $conn->Connect ($serveur,$admin_nom,$admin_mdp,$base);
From BoxC, using IE, connecting to:
- BoxA My_Prog : I access PUBS, that's OK
- BoxB My_prog : "Warning: mssql_connect(): message: Echec de la connexion de l'utilisateur 'sa'. Raison : Non associé à une connexion sécurisée SQL Server. (severity 14) in ...adodb-mssql.inc.php on line 438." (I prefer to report the "French" message)
Does anyone know about this?
Thanks in advance,
Eric

View 1 Replies View Related

Cannot Connect To A Remote Database

Dec 15, 2005

I just installed the 90 day VS2005 Professional Edition  -  prior to this I was using VS2005 Beta 2  - 

I have a database on a remote server that I have been using in VS2005 Beta 2 with no problems. In VS2005 Beta 2 I successfully ran aspnet_regsql against this database and set up connection strings in the Web.config file and everything ran fine.

Now after installing VS2005  ( I re-installed Windows XP Pro to make it a clean install - this has not been a short process )  anyway the same projects are not working in VS2005 90 day edition 

I get the error
An error has occurred while establishing a connection to the server.  When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)

I tried enabling TCP/IP and named pipes in the server manager but no luck

thanks

 

 

View 5 Replies View Related

VB Can't Access My Remote Database

Feb 8, 2007

Hi everybody

I have a remote SQLExpress instance running. I can connect to its databases with the SQL Server Management Studio Express and Visualstudio (Datasources) on a remote system and on a local system.

But as soon as I try to run or debug a VB application a system security error appears.

Thanks for your help

Ueli

View 6 Replies View Related

Connect To Remote SQL Database From LAN

Oct 10, 2007

Hi

I am trying to connect to a remote database using SQL Management Studio Express from inside a LAN but get an error message indicating that the server does not accept remote connections. However, I can connect with no problems from outside our LAN. I am looking for suggestions on how to resolve this issue.

Bob

View 3 Replies View Related

How To Backup Remote Database

Nov 29, 2005

hi all,

View 1 Replies View Related

Database On Remote Server

Feb 10, 2006

I've been reading the threads about using a mdf on a remote machine.

I've enabled TCP/IP and started the browser service as well as adding sqlserver.exe and sqlbrowser.exe to the firewall exception list.

I'm still unable to create/connect to a mdf using the data source wizard and that seems in line with the threads I've read.

I've found examples on how to write the connection code in my program but I'm still unsure about a couple things.

If I create the mdf on my local machine and then copy it to the remote machine, does sql server express have to be installed on the remote machine or just the local machine? It seems like just having the mdf on the remote machine would mean that for multiple users to access the mdf, there would be several copies of sql server trying to manage the mdf or do I misunderstand what is going on here?

Thank you

View 1 Replies View Related

Remote Connection To Database On Same PC?

Dec 29, 2006

I am running the SQL express advanced on the same PC that also hosts my Visual Basic Express application. I have user instances turned off and full-text enabled and working from within a SQL query window. However, I can not create a working connection to the database using the data source wizard from the server explorer within VB.NET. Since this is on the same PC, do I need to enable anything other than shared memory? I get the error: Provider SQL Network Interfaces, error 26 Error locating server/instance.

DeBug

View 12 Replies View Related

How To Update SQL Database On Remote Server?

May 12, 2007

Hi,
I'm using "Microsoft SQL Server Database Publishing Wizard" to import and create database on a remote server.
Is there a convenient tool to update SQL database on a remote server to match with database that I have on my computer?

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved