What to do if I'm SQL-injected?
Many folks have asked for help on what to do when their website is SQL-injected. Instead of answering each of them in the comments, I think it is better to consolidate a generic response here.
Incident response plan
Do follow your corporate incident response plan, if you have one.
Otherwise, this is a suggested plan for recovery:
Step 1: Disconnect the server
Unplug your network cable so that your website cannot infect the people browsing it. Leave the machine and its logs intact: the web access logs are needed in Step 3.
Step 2: Database recovery
If you have a good backup of the database, restore it. Otherwise, you have to reverse the changes made by the attack by searching for and removing all the injected content.
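As an added example (not code from the original post), the following Python script shows the search-and-remove approach over a database: it enumerates every text column, finds the cells carrying an injected script tag, and strips the tag. An in-memory SQLite database with constructed rows stands in for the production database, and the injected tag (with a placeholder host) is constructed too. On SQL Server the column enumeration would go through INFORMATION_SCHEMA.COLUMNS rather than sqlite_master and PRAGMA table_info; the search-then-update logic is the same.

```python
"""Search every text column for injected content and strip it (Step 2).

Added example, not code from the original post. An in-memory SQLite database
with constructed rows stands in for the production database, and the injected
<script> tag (placeholder host) is constructed too. On SQL Server the column
enumeration would use INFORMATION_SCHEMA.COLUMNS instead of sqlite_master and
PRAGMA table_info; the search-then-update logic is the same.
"""
import re
import sqlite3

# Constructed example of the tag a mass SQL-injection worm appends to string
# columns. The host is a placeholder, not a real indicator.
INJECTED_TAG = '<script src="http://malicious.example/x.js"></script>'

# Any <script ...>...</script> block, case-insensitive, possibly spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Declared types we treat as text. SQLite reports the declared type verbatim,
# e.g. "VARCHAR(100)", so match on the prefix.
TEXT_TYPES = ("TEXT", "CHAR", "NCHAR", "VARCHAR", "NVARCHAR")


def quote_ident(ident):
    """Quote a table/column name as an SQL identifier (doubling embedded quotes)."""
    return '"' + ident.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every text-typed column in the database."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for col in conn.execute(f"PRAGMA table_info({quote_ident(table)})"):
            if col[2].upper().startswith(TEXT_TYPES):
                yield table, col[1]


def find_injected(conn):
    """Return [(table, column, rowid, value)] for every cell holding a script tag."""
    hits = []
    for table, column in text_columns(conn):
        # Cheap SQL pre-filter (LIKE is case-insensitive for ASCII in SQLite),
        # then the precise regex check in Python. The search value is bound.
        rows = conn.execute(
            f"SELECT rowid, {quote_ident(column)} FROM {quote_ident(table)} "
            f"WHERE {quote_ident(column)} LIKE ?",
            ("%<script%",))
        for rowid, value in rows:
            if value is not None and SCRIPT_RE.search(value):
                hits.append((table, column, rowid, value))
    return hits


def strip_injected(conn):
    """Remove script tags from every affected cell; return the number of cells cleaned."""
    cleaned = 0
    for table, column, rowid, value in find_injected(conn):
        conn.execute(
            f"UPDATE {quote_ident(table)} SET {quote_ident(column)} = ? WHERE rowid = ?",
            (SCRIPT_RE.sub("", value), rowid))
        cleaned += 1
    conn.commit()
    return cleaned


def build_sample_db():
    """Constructed sample database: two tables, three cells carrying the tag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), descr TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title NVARCHAR(200), body TEXT);
    """)
    conn.executemany("INSERT INTO products (name, descr, price) VALUES (?, ?, ?)", [
        ("Widget", "A fine widget" + INJECTED_TAG, 9.99),
        ("Gadget" + INJECTED_TAG, "Handy gadget", 19.99),
        ("Sprocket", "Plain sprocket", 4.50),
    ])
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Welcome", "Hello world" + INJECTED_TAG),
        ("Update", "Nothing injected here"),
    ])
    conn.commit()
    return conn


def demo():
    """Scan, clean, rescan; returns (hits_before, cells_cleaned, hits_after, sample_value)."""
    conn = build_sample_db()
    before = len(find_injected(conn))
    cleaned = strip_injected(conn)
    after = len(find_injected(conn))
    descr = conn.execute("SELECT descr FROM products WHERE name = 'Widget'").fetchone()[0]
    return before, cleaned, after, descr


if __name__ == "__main__":
    print(demo())  # (3, 3, 0, 'A fine widget')
```

Run the scan (find_injected) first and review the hits before running strip_injected, and keep the list of affected tables and columns for the code review in Step 3. A restore from a known-good backup remains preferable where one exists: an in-place strip only removes what the pattern matches, and says nothing about other changes the attacker may have made.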
Step 3: Application code review
This is the most important step. Don't reconnect the server until the code vulnerability has been fixed. Although your web access logs can give you a clue as to which ASP page(s) were vulnerable to the attack, you should code-review ALL your pages. Chances are, if one page is not securely coded, the rest are not either.
Some of these pages provide useful information on SQL injection:
- http://www.microsoft.com/technet/security/advisory/954462.mspx
- http://msdn.microsoft.com/en-us/library/ms161953.aspx
- http://msdn.microsoft.com/en-us/library/ms998271.aspx
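As an added example (not code from the original post), this Python script covers both halves of the step: it triages constructed IIS-style access log lines to rank which pages received injection attempts, and it sets the vulnerable string-concatenation query beside its parameterised replacement, using SQLite as a stand-in for the SQL Server behind a classic ASP page. The log layout, page names, client addresses and payloads are all constructed.

```python
"""Triage access logs for injection attempts and show the code fix (Step 3).

Added example, not code from the original post. The log lines are constructed
in an IIS W3C-style layout (date time c-ip cs-method cs-uri-stem cs-uri-query
sc-status); the page names and payloads are constructed too. SQLite stands in
for the SQL Server behind a classic ASP page.
"""
import re
import sqlite3
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines. The hex inside CAST(...) is just the letter "D" in
# UTF-16LE, a stand-in for the encoded script the 2008 mass-injection worms sent.
SAMPLE_LOG = """\
2008-06-01 10:00:01 203.0.113.5 GET /products.asp id=42 200
2008-06-01 10:00:02 203.0.113.5 GET /products.asp id=42;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400%20AS%20NVARCHAR(4000));EXEC(@S);-- 200
2008-06-01 10:00:03 198.51.100.7 GET /news.asp id=7 200
2008-06-01 10:00:04 203.0.113.5 GET /news.asp id=7%20or%201=1-- 500
2008-06-01 10:00:05 192.0.2.9 GET /default.asp - 200
"""

# (name, regex) pairs matched against the URL-decoded query string.
INDICATORS = [
    ("stacked-declare-exec", re.compile(r";\s*declare\s+@\w+.*?exec\s*\(", re.I | re.S)),
    ("cast-hex-payload", re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\b", re.I)),
    ("tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"--\s*$")),
]

# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def triage(log_text):
    """Map each URI stem to a Counter of indicator hits; pages absent were not hit."""
    suspects = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _when, _ip, _method, stem, query, _status = m.groups()
        decoded = unquote_plus(query)
        for name, rx in INDICATORS:
            if rx.search(decoded):
                suspects.setdefault(stem, Counter())[name] += 1
    return suspects


def lookup_vulnerable(conn, raw_id):
    """The 'before' code: the query is built by concatenating the request value,
    as a classic ASP page doing "... WHERE id = " & Request("id") would."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, raw_id):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    return [row[0] for row in
            conn.execute("SELECT title FROM news WHERE id = ?", (raw_id,))]


def demo():
    """Run the triage and compare both query versions on the logged payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(7, "Launch"), (8, "Update"), (9, "Maintenance")])
    payload = "7 or 1=1--"   # the decoded value from the fourth log line
    return {
        "suspect_pages": sorted(triage(SAMPLE_LOG)),
        "vulnerable": lookup_vulnerable(conn, payload),   # every title leaks
        "fixed": lookup_fixed(conn, payload),             # no rows: treated as data
        "fixed_normal": lookup_fixed(conn, "7"),          # legitimate request still works
    }


if __name__ == "__main__":
    for page, hits in triage(SAMPLE_LOG).items():
        print(page, dict(hits))
    print(demo())
```

The triage output tells you where to start reading, not where to stop: as the post says, every page that builds SQL from request input needs the same fix. In classic ASP the equivalent of lookup_fixed is an ADODB.Command with Parameters instead of concatenating Request values into the SQL string; validating that an id is actually an integer before the query is a sensible extra check, but parameterisation is the fix that matters.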
Step 4: Testing and deployment
After all the vulnerable code has been rectified, get a reputable company to do a penetration test.
After passing the review and the testing, you should be assured enough to roll out the website once more.