8

I'll try to explain my problem as clearly as possible.

The server of a company I support runs many websites. This server runs Windows Server 2012 with Microsoft SQL Server 2014.

Almost all of the websites are running a proprietary web application, made by the same company.

Only some of the websites are affected by a regular mass edit of (almost) every TEXT, NTEXT and NVARCHAR(MAX) field in their respective databases.

HTML with malicious or spam links is added to every record of the table, but only in the fields of the types specified above.

The server has already been scanned with several tools and all the main passwords (administrator, sa of SQL Server) have been changed. I also tried running SQL Profiler to identify the mass update query, but without success.

As far as I can tell for now, this may be a SQL injection attack that uses a vulnerability in the software that runs those websites, but why only some of them? Other websites with the same version have never had this problem.

Is there something else I can try, or am I missing something? I'll gladly reply if you need other data.

Paul White

3 Answers

7

SQL injection is hard to track from the SQL Server side. Instead of looking at SQL Server, you should look at your web server's IIS logs.

Use Log Parser to parse your IIS logs to track down the source of the SQL injection, e.g.

logparser.exe -i:iisw3c -o:Datagrid -rtp:100 "select date, time, c-ip, cs-uri-stem, cs-uri-query, time-taken, sc-status from C:\wwwlogs\W3SVCXXX\u_ex1207*.log where cs-uri-query like '%declare%'"

Read up on

Kin Shah
3

The server has already been scanned with several tools and all the main passwords (administrator, sa of SQL Server) have been changed.

If the SQL Server service account user is an administrator on the local machine, then you need to build a new machine from the ground up to replace it using long (14 character plus) cryptographically random passwords, and then shred the hard drives from the old machine; there's no telling what malware was installed on it.

If the SQL Server service account user is a domain admin, call a professional security specialist.

If neither of those is true, and you don't want to rebuild it from scratch (you should rebuild from scratch), take the SQL Server offline, drop every user, drop every login, change the SA password, and then carefully rebuild every login and user with long (14 character plus) cryptographically random passwords.

Then wipe out every agent job and rebuild them from scratch. While you're doing that, rebuild (preferably) or go over every word in every piece of code every agent job calls... and every piece of data if you've got dynamic or concatenated SQL, and have issues with second order SQL injection.

Anti-weakpasswords
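An added illustration of the second-order injection the answer warns about, not code from the answer or from the affected application: stored text is written safely with a parameterised INSERT, and a later job that rebuilds page bodies by string concatenation turns that stored text back into SQL. SQLite is used here as a stand-in for SQL Server so the script runs offline; `executescript` emulates the stacked statements SQL Server would accept from `EXEC` of a concatenated string, and the table names, the spam link and the comment payload are all constructed for the example.

```python
"""Second-order SQL injection: safe first write, unsafe later concatenation (added example)."""
from __future__ import annotations

import sqlite3

# Constructed values for the example; SQLite stands in for SQL Server.
SPAM = '<a href="http://spam.example/">x</a>'
# Stored as an ordinary comment, it later closes the literal and appends a second UPDATE
# that hits every row, which is exactly the "every record, every text column" symptom.
PAYLOAD = "hi'; UPDATE pages SET body = body || '" + SPAM + "'; --"


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE comments(id INTEGER PRIMARY KEY, page_id INTEGER, body TEXT);
        INSERT INTO pages(title, body) VALUES ('Home', 'welcome'), ('News', 'news text');
    """)
    return conn


def store_comment(conn: sqlite3.Connection, page_id: int, text: str) -> None:
    # The first write is parameterised, so the payload lands in the table untouched.
    conn.execute("INSERT INTO comments(page_id, body) VALUES (?, ?)", (page_id, text))
    conn.commit()


def republish_vulnerable(conn: sqlite3.Connection) -> None:
    # A nightly job that folds comments into the page body by building SQL with
    # concatenation: the stored text is now parsed as SQL, not treated as data.
    rows = conn.execute("SELECT page_id, body FROM comments").fetchall()
    for page_id, body in rows:
        stmt = ("UPDATE pages SET body = body || '" + body + "' WHERE id = "
                + str(page_id) + ";")
        conn.executescript(stmt)  # executescript stands in for SQL Server stacked statements


def republish_safe(conn: sqlite3.Connection) -> None:
    # Same job with a parameterised UPDATE: the stored text stays a string value.
    rows = conn.execute("SELECT page_id, body FROM comments").fetchall()
    for page_id, body in rows:
        conn.execute("UPDATE pages SET body = body || ? WHERE id = ?", (body, page_id))
    conn.commit()


def bodies(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


def demo() -> tuple[list[str], list[str]]:
    """Run the same stored payload through the vulnerable and the safe job."""
    results = []
    for republish in (republish_vulnerable, republish_safe):
        conn = setup()
        store_comment(conn, 1, PAYLOAD)
        republish(conn)
        results.append(bodies(conn))
    return results[0], results[1]


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("concatenated job :", vulnerable)  # spam appended to every page
    print("parameterised job:", safe)        # payload stays inert text on page 1 only
```

The thing to check in the real application is therefore not only the web-facing query strings but every place (stored procedures, agent job steps, triggers, report generators) that assembles SQL from column values that users or other sites were once allowed to write.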
0

As implied by Anti-weakpasswords' answer, if your machine really has been pwned, and the replacement is recurring, it may be happening in an Agent job, or a Windows scheduled task!

Ross Presser