Is this hacking?
on 14.10.2007 21:18:13 by dave
I have a web site where users can request detailed information from a lead
page by passing an id to the server.
The id is passed as a query string which means it is appended to the URL
when making a request (like "http://mysite.mypage.asp?id=1")
I keep track of the ids to see what information is being requested the most
frequently.
Recently instead of ids of data type integer I am seeing things like this:
id=33%20'%20and(char(94)%2Buser%2Bchar(94))%3E0%20and%20''='
id=33%20%20and(char(94)%2Bdb_name()%2Bchar(94))%3E0
id=33%20%25'%20and(char(94)%2Buser%2Bchar(94))%3E0%20and%20' %25'='
Does anyone know what's going on here?
Thanks
Dave
RE: Is this hacking?
on 15.10.2007 12:57:43 by wjzhang
Hi Dave,
These vicious query strings indicate the site is most likely under SQL
injection attacks. The most common approach to deny SQL injection is adding
validation code to check query strings or form data sent by clients.
For your reference, below is some information I found about how to prevent
web applications from SQL injection attacks:
Ways to get SQL injections include:
1. Direct access to SQL via open port
2. Public Web server by inserting long query strings.
Basic Recommendations:
- Every input that will be used by the database should be verified against
SQL Injection attacks.
- Suggest closing ports and limiting or filtering length of query strings.
- Store database access credentials in a secure storage, for example,
DPAPI.
- Minimize the user permissions on the database, but notice that datareader
and datawriter are too wide and can be further refined.
- Permission shouldn't be granted directly to tables, but instead be
granted to views and stored procedures used to access other objects.
- Utilization of stored procedures to avoid SQL Injection attacks.
- The pages with information about errors should be general, avoid
information disclosure.
- Different HTML control types and length limit aren't ways to avoid
attacks.
Here's a list of additional reading:
Stop SQL Injection Attacks Before They Stop You
http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx
Cross-Site Scripting and SQL Code Injection
http://www.microsoft.com/technet/community/chats/trans/sql/sql91702.mspx
Advanced SQL Injection in SQL Server Applications
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
(more) Advanced SQL Injection
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
Improving Web Application Security - Threats and Countermeasures
http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en
Steps to Help Secure SQL Server 2000:
http://labs.microsoft.com/sql/prodinfo/previousversions/securingsqlserver.mspx
Security Guidance for SQL Server:
http://www.microsoft.com/technet/security/prodtech/SQLServer.mspx
Some attacking and protection samples of ASP:
SQL Injection Attacks - Are You Safe?
http://www.sitepoint.com/article/sql-injection-attacks-safe/5
I hope the information above will be of some help. If you find the site has
already been hacked, the most recommended action is to use one of your
MSDN Technical Support Incidents to work with Microsoft via telephone-based
support on this kind of critical situation. This will be the most effective
way for us to assist you on any complicated/business critical issues. Please
refer to the support note below.
About the information of free incident support for MSDN subscribers, please
look at:
http://msdn.microsoft.com/subscriptions/support/default.aspx
To obtain the phone numbers for Microsoft Customer Service and Support
services technology request, please take a look at the web site listed
below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
Thanks and have a nice week.
Sincerely,
WenJun Zhang
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:
http://msdn.microsoft.com/subscriptions/support/default.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: Is this hacking?
on 18.10.2007 09:43:29 by wjzhang
You are welcome Dave.
Sincerely,
WenJun Zhang
Microsoft Online Community Support