
Help - can't get rid of malicious code

Updated: 2022-04-11 06:05:13

morebeer wrote:

I got the same problem, hundreds of SQL tables have been infected with this
malicious javascript code. But although I closed the original injection
leak and also replaced all strings in all tables, my tables keep
being infected again and again. I already checked all stored
procedures but couldn't find anything suspicious. Any help on how to get
rid of this f* malware is highly appreciated!!!



It sounds as if you have left at least one door open.
You said you checked your stored procedures ... unless you are executing
dynamic sql statements in your procedures, the procedures are not the
problem. The problem may be the method you are using to call those stored
procedures.

Are you using dynamic sql to call them?
Bad:
cn.execute "yourprocedure '" & querystring_value & "'"

Or are you using parameters to pass your data values?
Good:
http://groups.google.com/group/micro...09dc1701?hl=en

Are you validating data before passing it to the stored procedures? At least
check it for malicious code before passing it to the procedures.

Are you encoding (Server.HTMLEncode) all data you retrieve from your
database before writing it to Response?

Frankly, all this advice is generic and can be found in every thread dealing
with this attack that has been posted in the past few weeks. Browse through
them and read what I have forgotten to mention in this post.
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


"Bob Barrows [MVP]" wrote:

You said you checked your stored procedures ... unless you are executing
dynamic sql statements in your procedures, the procedures are not the
problem.




Depends on what the symptoms are. If it's just that some of his records
contain JavaScript that, when displayed back on a page later, causes problems
for his users, then of course the SQL SP won't do a thing for him. It will
happily store HTML with JavaScript in a DB field if the field is large enough.


Are you validating data before passing it to the stored procedures? At least
check it for malicious code before passing it to the procedures.





So assuming no SP problems, per se, this is the likely answer. And this one
hasn't really been answered too much in the postings I have seen. Some
people *WANT* to allow HTML in their form fields, so the check for malicious
code is more difficult.

It's easy enough to construct a RegExp that will strip out all
<script>...</script> content. But what do you do about something such as
<img src="xyz.jpg" onLoad="...a lot of JS code that performs some vicious
stuff...">
??? (Assuming you *wanted* to allow the <img> tags.)

The answer is surely still "RegExp", but now you probably need/want many
RegExp's and they are much more complex.

Probably the right answer is something like many forums use, where you can't
use HTML tags but instead must use the very limited set of forum tags (e.g.,
[b] in place of <b> and [img="...url..."] in place of <img>, etc.) that they
provide. None of which will produce JavaScript in the result when displayed.
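Added example (my own code, not from any poster in this thread): the "strip <script> with a RegExp" filter discussed above, shown letting the quoted onLoad sample through, next to a BBCode-style allow-list renderer that HTML-encodes the whole string first (the Server.HTMLEncode advice from Bob Barrows' reply) and then expands only [b], [i] and [img=url]. Function names and the sample input are mine.

```javascript
// Escape every character that has meaning in HTML; same idea as the
// Server.HTMLEncode call recommended earlier in the thread.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// The naive filter: remove <script>...</script> blocks and nothing else.
function naiveStripScript(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Detection check: does the output still carry an event-handler attribute
// (onload=, onerror=, onclick=, ...) inside a tag?
function hasEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

// Allow-list renderer: encode everything, then expand a fixed set of forum
// tags. [img=...] only accepts http(s) URLs built from a safe character set,
// so no quote, space or '>' can ever reach the generated attribute.
function renderBbcode(text) {
  let out = htmlEncode(text);
  out = out.replace(/\[b\]([\s\S]*?)\[\/b\]/gi, '<b>$1</b>');
  out = out.replace(/\[i\]([\s\S]*?)\[\/i\]/gi, '<i>$1</i>');
  out = out.replace(/\[img=(https?:\/\/[A-Za-z0-9._~\/-]+)\]/gi,
                    '<img src="$1">');
  return out;
}

// Constructed sample in the shape the thread describes (hypothetical input).
const sampleInput = '<script>x()</script>' +
  '<img src="xyz.jpg" onLoad="...JS that performs some vicious stuff..."> hi';

// Compare both approaches on the same input.
function compareFilters(input) {
  const stripped = naiveStripScript(input);
  return {
    naiveStillHasHandler: hasEventHandler(stripped),   // true: filter failed
    bbcodeHasHandler: hasEventHandler(renderBbcode(input)), // false: encoded
  };
}
```

The naive filter removes the script block but leaves the <img onLoad=...> intact, while the BBCode renderer never emits a tag it did not build itself.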



"morebeer" wrote:

>I got the same problem, hundreds of SQL tables have been infected with this
>malicious javascript code. But although I closed the original injection
>leak and also replaced all strings in all tables, my tables keep
>being infected again and again. I already checked all stored
>procedures but couldn't find anything suspicious. Any help on how to get
>rid of this f* malware is highly appreciated!!!



Look in your infected database for users with db_owner role. Take it away
and assign db_datareader and/or individual object (table/view/procedure)
rights.

One of those users is being used in your connection string.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of