• 0

Hacked site - SQL Injection?


Question

Folks,

I'm wondering if I can get some info. Recently the place where I work got their website hacked.

Basically the site had lots of random pages added to it, selling random drugs (aka those little blue pills people like to buy).

Now the web host/design company are saying that their server and database weren't compromised. Here is where I get confused:

The unauthorised content was immediately removed from the system and a full investigation process started to identify the root cause and if at all possible the source of this incident.

After detailed investigation, it would seem that a malicious visitor had uploaded pages containing key words which would assist in promoting a 3rd party site in its Google rankings.

In an effort to provide further reassurance, we performed a consistency check on the database comparing it to known good data. The results showed that no data had been tampered with or modified in any way.

Now if the server/database wasn't compromised what content was immediately removed?

They also go on to say it may have been SQL injection. Now it is my understanding that for SQL injection to work it would be bad coding of SQL statements which would leave the database compromised?

They also list a few other things like:

• Cross site scripting

• Malformed cookies

• Session hijacking

But the part that confuses me is they said they had to remove content from the site. But the site is database driven, which means the content would have to be injected into the database somehow?

Does this make sense to anyone?


5 answers to this question


  • 0

It's hard to tell without more details. One of my websites got 'hacked' a while ago. It was absolutely nothing to do with my code, database or my hosted files, but my domain name was going to an Asian drugs website. Turns out my host's name servers were vulnerable to DNS poisoning and that's how the 'hacker' did what they did. Once my host had updated their name servers, everything was back to normal. So, in a way, they removed content (all the crap about Asian drugs) but they didn't modify my database or files in any way.

Were the dodgy pages being served by your application - as if it was pulling the data from your database, or were they seemingly standalone?


  • 0

My experience is web hosts will usually say it is your code first before they ever admit they may have a vulnerability. From their point of view though they do have lots of web sites and good chances that there is some bad code there. Maybe it is kind of like telling somebody to RTFM before helping them...


  • 0

It's hard to tell without more details. One of my websites got 'hacked' a while ago. It was absolutely nothing to do with my code, database or my hosted files, but my domain name was going to an Asian drugs website. Turns out my host's name servers were vulnerable to DNS poisoning and that's how the 'hacker' did what they did. Once my host had updated their name servers, everything was back to normal. So, in a way, they removed content (all the crap about Asian drugs) but they didn't modify my database or files in any way.

Were the dodgy pages being served by your application - as if it was pulling the data from your database, or were they seemingly standalone?

It looked like the pages were being pulled from our site, as it had our header/logo on the page.

The site worked fine when it was hacked; it was only if you went to a certain address, for example: www.domain.com/?p=123 (if you changed the number to any other number you'd get a different page with a different message).

My experience is web hosts will usually say it is your code first before they ever admit they may have a vulnerability. From their point of view though they do have lots of web sites and good chances that there is some bad code there. Maybe it is kind of like telling somebody to RTFM before helping them...

The web host and the web coding/design company for our site are the same company.


  • 0

SQL injections generally happen when form data isn't sanitised properly.

When they say data wasn't tampered with or modified, maybe they were just talking about existing data, and that they only removed data that was added by the SQL injection.

XSS is also a possibility.


This topic is now closed to further replies.
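
The last reply's reading of the host's statement, as an added example that is not part of the original thread: a consistency check against known-good data can find nothing modified while rows that were never in the baseline still exist. The `pages` table, its columns and the sample rows are constructed for illustration; nothing is known about the site's real schema.

```python
import hashlib
import sqlite3


def row_digest(row):
    """SHA-256 over a row's values, so any changed column changes the digest."""
    h = hashlib.sha256()
    for value in row:
        h.update(repr(value).encode("utf-8") + b"\x00")
    return h.hexdigest()


def snapshot(conn):
    """Map page id -> digest for every row of the (assumed) pages table."""
    rows = conn.execute("SELECT id, title, body FROM pages ORDER BY id")
    return {row[0]: row_digest(row) for row in rows}


def compare(baseline, current):
    """Classify differences between a known-good snapshot and the live table."""
    shared = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        "missing": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
    }


def existing_data_intact(diff):
    """True when no known-good row was changed or deleted (added rows ignored)."""
    return not diff["modified"] and not diff["missing"]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    # Constructed known-good content.
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "Home", "Welcome"), (2, "Contact", "Call us")])
    baseline = snapshot(conn)
    # Constructed stand-ins for pages that appeared after the baseline was taken.
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(123, "placeholder spam page", "..."),
                      (124, "placeholder spam page", "...")])
    return compare(baseline, snapshot(conn))


if __name__ == "__main__":
    diff = demo()
    print("existing data intact:", existing_data_intact(diff))
    print("rows not in baseline:", diff["added"])
```

A check that reports only on `modified` and `missing` passes here, which is why the `added` set has to be reviewed as well.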