The site's symptoms: there are no extra suspicious files among the website files, and the site is basically an ASP + SQL Server architecture. Opening the database in Enterprise Manager shows that a script Trojan has been added to the character fields of the database. The website log shows that the code was added via SQL injection.
There was nothing for it but to first remove the script using Query Analyzer. Fortunately, the hacker's injection was fairly regular, so it could be cleared in one pass: write a cleanup statement for each table in the database in Query Analyzer, execute them all at once, and when the website is opened again, the world is clean. The cleanup script is given below:
UPDATE [table name] SET [field name] = REPLACE([field name], 'hacker url', '')
If the infected field is of type text, it is more troublesome: the text type has to be converted to varchar(8000) with the CONVERT function, and some data may be lost during the conversion.
After the cleanup, I saved the cleanup SQL script. Was everything fine? Two hours later, the website had been infected again!
I had to open Query Analyzer again, run the script, and clear it. It really was clean, but people have to sleep sometime, so you can't keep playing hide-and-seek with the hackers.
Then it occurred to me that this is a SQL Server database, so Microsoft must have a solution. We can't stop the attacker from trying to plant a Trojan in the database, but we can make the attempt fail. The way to do that is with triggers!
Anyone who is familiar with triggers knows that SQL Server 2000 first places inserted and modified data in the inserted temporary table, and then actually puts it in the corresponding table. This temporary table is where we block the hacker!
The code the hacker plants always contains the word script, because only in this way does a client that opens the website also load the hacker's website at the same time, so let's start here.
The trigger code is given below:
CREATE TRIGGER [trigger name]
ON [table name] FOR UPDATE, INSERT AS
DECLARE @a varchar(100) -- store field 1
DECLARE @b varchar(100) -- store field 2
DECLARE @c varchar(100) -- store field 3
SELECT @a = [Field 1], @b = [Field 2], @c = [Field 3] FROM inserted
IF (@a LIKE '%script%' OR @b LIKE '%script%' OR @c LIKE '%script%')
BEGIN
    ROLLBACK TRANSACTION
END
This trigger first defines three variables to hold the three string-type fields in the inserted table that hackers are most likely to target, then uses LIKE to fuzzy-match whether a value contains the word script. If it does, the transaction is rolled back without reporting an error, so as to fool the hacker into thinking the Trojan has been planted successfully.
Friends whose sites have been infected can take this script and modify it accordingly, which should ensure that the website is not infected again. In addition, text-type fields are also easy targets, but this type is more troublesome to deal with. It has been observed that hackers often inject several fields at the same time when attacking a table, so as long as the injection into one field fails, it fails for the entire table.
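A set-based variant of the trigger above, as an added example that is not the original author's code: it checks every row in inserted and the full column value, which goes beyond the three-variable version. The table dbo.Articles, its columns, the trigger name and the sample data are hypothetical and constructed for illustration.

```sql
-- Added example. dbo.Articles and its columns are hypothetical names.
CREATE TABLE dbo.Articles (
    Id      int IDENTITY(1,1) PRIMARY KEY,
    Title   varchar(200)  NOT NULL,
    Summary varchar(2000) NULL,
    Author  varchar(100)  NULL
)
GO

CREATE TRIGGER trg_Articles_BlockScript
ON dbo.Articles
FOR INSERT, UPDATE
AS
-- inserted holds every row touched by the statement, and a mass UPDATE
-- touches the whole table, so test it as a set rather than copying one
-- row into variables. Comparing the column itself also avoids cutting
-- the value off at 100 characters before LIKE sees it.
IF EXISTS (
    SELECT 1
    FROM inserted
    WHERE Title   LIKE '%script%'
       OR Summary LIKE '%script%'
       OR Author  LIKE '%script%'
)
BEGIN
    ROLLBACK TRANSACTION  -- undoes the whole statement, all rows
END
GO

-- Constructed sample rows; the first Summary is longer than 100 characters.
INSERT INTO dbo.Articles (Title, Summary, Author)
VALUES ('Launch notes', REPLICATE('x', 500), 'editor')
INSERT INTO dbo.Articles (Title, Summary, Author)
VALUES ('Price list', 'Updated monthly', 'sales')
GO

-- Constructed stand-in for the injected statement: the marker is appended
-- to every row, landing past character 100 in the first one.
-- The rollback in the trigger also cancels the rest of the batch, so the
-- check below sits in its own batch after GO.
UPDATE dbo.Articles
SET Summary = Summary + '<script>constructed marker</script>'
GO

-- Count rows that still carry the marker.
SELECT COUNT(*) AS rows_with_marker
FROM dbo.Articles
WHERE Summary LIKE '%script%'
```

Because LIKE '%script%' also matches ordinary words such as "description", legitimate edits containing them are rolled back as well, so the pattern may need narrowing for columns that hold free text.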