Just wanted to give some info to help other hosts who might have been having some issues with hackers. Before I start, though, this experience has to do with the following person who signed up with GearHost a while back. If you see a signup from this person/company, be prepared:
Customer Domain: networksgalaxy.com
Customer Location: Egypt
Customer IP (most of the time): 22.214.171.124
First off, I have to say this exploit has been proven on 6 other hosting companies I've seen, let alone the millions of sites that might have this problem. What is it? SQL injection and malformed RPC requests on MS SQL Server. To start... I'm an alright programmer and engineer; I've been programming for years, even worked at Microsoft as a software architect at 19 (the second youngest there), and built our iControl product from scratch. I'm proficient in MS technologies, both programming and technology. Even with a good amount of experience, though, you never can be too sure that your application is secure, and that goes for any company. Note: the following cannot be fixed by a firewall unless you block all access to TCP port 1433, which then removes customers' ability to access their databases via Enterprise Manager.
Three days ago we had some strange activity with iControl. I built iControl to log requests, any and all, and to report any type of malformed request through a simple set of functions (if anyone wants them, email me). We were getting a large number of SQL injection attempts by the above user all over iControl, but all of them were unsuccessful except on two pages (ASP pages) that did not implement the protection. Below, he made many attempts to hack the system, but we have removed many built-in system stored procedures so that his requests would be invalid.
The countermeasure is widely known and implemented by most programmers, but it's not foolproof and is not implemented by enough of them. What I'm talking about is sanitizing your input data. This is a must, as you can never trust user input. The code below proves that by entering it on a username/password screen, a user can create an account on your server (the xp_cmdshell call runs net user on the database host) and destroy your data:
' exec master..xp_cmdshell 'net user test testpass /ADD' --
You can protect yourself by doubling the single quotes in user input before it reaches the query, so the quote in the payload above no longer closes the string literal. Keep in mind that this only covers input placed inside quoted strings; input dropped into an unquoted position (a numeric ID, for instance) needs validation of its own. And even with input sanitized, the RPC service may still lie exposed to other hacks and exploits.
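To make the mechanics concrete, here is an added example (my own code, not anything from GearHost or the iControl product) that builds the login query three ways: by plain string concatenation as a classic ASP page would, with the quote doubling recommended above, and as a parameterized query. SQLite stands in for MS SQL Server (an assumption: it shares the single-quote and -- comment rules these statements rely on, but has no xp_cmdshell, so that payload is only shown as the statement it would produce). The example also shows the gap in quote doubling when input lands in an unquoted numeric position. The table, rows and payloads are constructed for the demo.

```python
import sqlite3

# Constructed sample inputs (not from a real incident): the payload quoted in the
# post, plus a simpler tautology that SQLite can execute to show the same flaw.
XP_CMDSHELL_PAYLOAD = "' exec master..xp_cmdshell 'net user test testpass /ADD' --"
TAUTOLOGY_PAYLOAD = "' OR 1=1 --"


def build_login_query_vulnerable(username, password):
    """Classic ASP-style string concatenation: user text becomes SQL syntax.
    On MS SQL Server the xp_cmdshell payload closes the quote, runs the
    extended procedure, and comments out the rest of the statement."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def escape_quotes(value):
    """The mitigation the post recommends: double every single quote so the
    attacker's quote stays inside the string literal."""
    return value.replace("'", "''")


def build_login_query_escaped(username, password):
    """Same concatenation, but with quote doubling applied to each input."""
    return ("SELECT username FROM users WHERE username = '" + escape_quotes(username)
            + "' AND password = '" + escape_quotes(password) + "'")


def build_id_query_escaped(user_id):
    """Caveat: quote doubling does nothing when the input lands in an unquoted
    (numeric) position, because no quote is needed to break out."""
    return "SELECT username FROM users WHERE id = " + escape_quotes(user_id)


def login_parameterized(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    statement text, so every payload is compared as plain data."""
    cur = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return [row[0] for row in cur.fetchall()]


def demo_db():
    """In-memory SQLite stands in for MS SQL Server (assumption: same quoting
    and -- comment rules, which hold for the statements built here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'hunter2')")  # constructed row
    return conn


def run_query(conn, sql):
    """Execute a built statement and return the usernames it matched."""
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    conn = demo_db()
    # The statement the xp_cmdshell payload produces; SQL Server would run it.
    print(build_login_query_vulnerable(XP_CMDSHELL_PAYLOAD, "x"))
    # Tautology logs in as admin with no password when concatenated...
    print(run_query(conn, build_login_query_vulnerable(TAUTOLOGY_PAYLOAD, "x")))
    # ...but matches nothing once quotes are doubled or the query is parameterized.
    print(run_query(conn, build_login_query_escaped(TAUTOLOGY_PAYLOAD, "x")))
    print(login_parameterized(conn, TAUTOLOGY_PAYLOAD, "x"))
    # Quote doubling does not help in a numeric context.
    print(run_query(conn, build_id_query_escaped("1 OR 1=1")))
```

Parameterized queries (in classic ASP, an ADODB.Command with Parameters rather than a concatenated string) close both the quoted and the numeric hole at once. Beyond that, running the web application's SQL login without sysadmin rights and removing or disabling xp_cmdshell limits what a successful injection can do even when a page slips through, which is the layered defense the post describes.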
The above user found the two pages and had some fun trying to hack our system; we shut his account down and posted his details above. We have other measures in place, thank goodness, that prevented an attack, but I urge everyone to follow some basic steps to prevent SQL injection and malicious RPC requests to SQL Server.
Anyway, just wanted to give the heads up and make sure your applications are secure!
Ryan Kekos, GearHost - HostingCon Advisory Board and Speaker