Thursday, April 19, 2012

How To Clean Infected site or SQL INJECTION "<script src=>"

If your site has been hacked and your web pages are opening some website that mean your website has been hacked. There are two kind of possible injections your site may have:
  • File injection: Your web files like html pages/javascript/css may have virus, than check your pages: you will found the this type code added at the end of each page's html: "".
  • SQL Injection: If you have a content management system than your content database is hacked using sql injection. Please see your table/file where you are keeping your page's content(like product info, page info, menu info, header info, footer info). You will found that each row of your table is being and following text has been added at the end of each records:

  • For your web files, you have to check all your files and fix manually one by one.
  • For content database, you can run the following update SQL query to fix:
SET [ItemName] = Replace(cast([ImageName] as nvarchar(100)), '<title&&rt;<script src=http://', '')
Please modify this query and replace your table name, column name for the bold letters in query.

Other ways to fix this issues:

  • Remove query string
  • Do not use in-line sql statement in your server side script (like select * from table where id=' + request.quesrystring(id) or value from query string)
  • Check the length of id in query string, if it is more than 20 chars than it is most likely infected. Quick fix trim id to 20 characters, so it will remove that malicious string and than it will not work.

I hope this will help someone to make their day and to over come of this nightmare.

I have fixed many infected content databases using this SQL in sql server/access db. I hope it will help you too.
FYI: url( in infected script may be changed in your case. so replace to your url.

Please don't forget 22 April "Earth day", do something to protect our mother earth"
Use code4green for your code generation.

No comments:

Post a Comment