
Thread: prevent hacking

  1. #1
    Senior Coder
    Join Date
    May 2004
    Posts
    1,457
    Thanks
    15
    Thanked 0 Times in 0 Posts

    prevent hacking

    I have an admin backend that I built in ASP that is password protected using ASP and an Access database.

    The DB has been hacked twice recently, where it seems someone got hold of the passwords.

    What can I do to prevent hacking?
    Any suggestions?

  • #2
    Regular Coder
    Join Date
    Sep 2007
    Posts
    179
    Thanks
    4
    Thanked 0 Times in 0 Posts

    well... some questions for you

    Well, this is not nice at all... first of all, do not panic!
    Make backups...

    Did you set your connection string to the database with a username and password?
    Is the server you are using your private one, or do you have an account?

  • #3
    Senior Coder
    Join Date
    May 2004
    Posts
    1,457
    Thanks
    15
    Thanked 0 Times in 0 Posts
    So far all this person has done (and I traced the IP) is log in and change the login passwords (there is a facility to do this) so that no one else can log in.
    I'm just trying to find ways to make it more secure.
    Most of the insert statement strings go through the following function:

    Code:
    ' Formats one value for concatenation into SQL text.
    '   empty or Null   -> the literal Null
    '   sType "Number"  -> a bare number (CDbl raises a runtime error on
    '                      non-numeric input, so bad input aborts the page;
    '                      note that CDbl output is locale-formatted when
    '                      concatenated, e.g. "1,5" under a German locale)
    '   anything else   -> a single-quoted string with embedded quotes doubled
    Function ToSQL(Value, sType)
      Dim Param
      Param = Value
      If Param = "" Or IsNull(Param) Then
        ToSQL = "Null"
      Else
        If sType = "Number" Then
          ToSQL = CDbl(Param)
        Else
          ToSQL = "'" & Replace(Param, "'", "''") & "'"
        End If
      End If
    End Function
    Any ideas on improving it?

  • #4
    ess
    Regular Coder
    Join Date
    Oct 2006
    Location
    United Kingdom
    Posts
    866
    Thanks
    7
    Thanked 30 Times in 29 Posts
    You should use SSL on your server to ensure that communications between browser and server are encrypted and reduce the chances of sniffing attacks.

    Second of all, you should ensure that your application doesn't throw any errors to the browser that may reveal the underlying technology in use (i.e. the database or programming language), and that errors are logged and perhaps emailed so that you are aware of errors as they occur.

    Finally, you should always check all input and verify that 1) the data is of the correct data type (i.e. if you're expecting positive numbers, then only accept positive numbers), and 2) any characters such as >, <, =, !=, etc. are properly escaped and perhaps even disallowed.

    I would also consider changing the database connection string so that it is not the same one you've used before, in case the hacker is keeping a record of any previously found weaknesses.

    I would also recommend that you use XSS and SQL scanners. There are loads of free ones on the net; here is a link that lists quite a number of SQL and XSS utilities.

    http://egharish.blogspot.com/2007/09...ity-tools.html

    cheers,
    ~E
    Last edited by ess; 09-23-2007 at 06:40 PM.
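The two checks from the post above, written out in classic ASP VBScript as an added example (this is not ess's code and not from the original thread). It assumes a Users table with UserID and Username columns, an Access file and a log file at the paths shown, and a page that takes a record id on the query string; none of those details are given in the thread.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumed: Users(UserID, Username),
' the .mdb and the log file stored outside the web root at the paths below.
Const CONN_STRING = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\data\admin.mdb"
Const LOG_PATH    = "D:\logs\admin-errors.log"
Const ForAppending = 8

' 1) Type check that does not rely on CDbl() raising an error: accept only a
'    string of digits representing a positive integer. IsNumeric() alone is
'    too loose for this purpose (it accepts "1e3", "&H1F", " 5 " and "-5").
Function IsPositiveInteger(s)
  Dim i, c
  IsPositiveInteger = False
  If Len(s) = 0 Or Len(s) > 9 Then Exit Function   ' 9 digits cannot overflow CLng
  For i = 1 To Len(s)
    c = Mid(s, i, 1)
    If c < "0" Or c > "9" Then Exit Function
  Next
  If CLng(s) > 0 Then IsPositiveInteger = True
End Function

' 2) Errors go to a server-side log (with the caller's address and the
'    context) and the browser only ever sees a generic message, so a failed
'    query does not reveal the driver, table or column names.
Sub LogError(context, errNumber, errDescription)
  Dim fso, f
  Set fso = Server.CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile(LOG_PATH, ForAppending, True)
  f.WriteLine Now() & vbTab & Request.ServerVariables("REMOTE_ADDR") & vbTab & _
              context & vbTab & errNumber & vbTab & errDescription
  f.Close
End Sub

Dim id, conn, rs
id = Request.QueryString("id")
If Not IsPositiveInteger(id) Then
  Response.Write "Invalid request."
  Response.End
End If

On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING
' Safe to concatenate here only because id has been proven to be digits.
Set rs = conn.Execute("SELECT Username FROM Users WHERE UserID = " & CLng(id))
If Err.Number <> 0 Then
  LogError "user lookup id=" & id, Err.Number, Err.Description
  Err.Clear
  Response.Write "Something went wrong. The problem has been logged."
  Response.End
End If
On Error GoTo 0

' Encode on output so a stored value cannot inject script into the admin page.
If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("Username") & "")
rs.Close : conn.Close
%>
```

The validation function is deliberately stricter than the numeric check in the thread's ToSQL: it rejects signs, whitespace, exponents and hex prefixes rather than letting the conversion decide, and caps the length so the later CLng cannot overflow.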

  • #5
    Regular Coder
    Join Date
    Sep 2007
    Posts
    179
    Thanks
    4
    Thanked 0 Times in 0 Posts

    I'm talking about:

    Code:
    Dim pDatabaseConnectionString

    ' SQL Server, local or remote IP in SERVER=
    pDatabaseConnectionString = "Driver={SQL Server};UID=username;password=0000;DATABASE=dbname;SERVER=0.0.0.0"

    ' MySQL ODBC 2.5 driver
    pDatabaseConnectionString = "Driver={mySQL};Server=mysqlserver;database=dbname;Uid=username;Pwd=0000"

    ' MySQL ODBC 3.51 driver, local
    pDatabaseConnectionString = "Driver={MySQL ODBC 3.51 Driver};Server=mysqlserver;database=dbname;user=username;password=0000;OPTION=3"

  • #6
    Senior Coder
    Join Date
    Dec 2002
    Location
    Arlington, Texas USA
    Posts
    1,065
    Thanks
    4
    Thanked 8 Times in 8 Posts
    Are you preventing SQL injection attacks? If not, then it is entirely possible that the person entered through SQL injection and then changed the DB password. Some ways to prevent injection are:
    • using parameterized queries
    • using ADO inserts and updates instead of the SQL INSERT and UPDATE statements
    • adding a function to change apostrophes and also semicolons to their ASCII values.

    If you don't think that the hacker came in via SQL injection, you can convert your ASP code to a DLL file (see this link: ASP2DLL); this way the username and password are not visible to a hacker looking at your source code.
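As an added example (not code from either poster or from the original thread), here is the admin login check in the form the parameterized-query bullet above recommends, next to the concatenated form it replaces and the ToSQL-style escaping from post #3. It assumes a Users table with Username and Password columns, the Jet 4.0 OLE DB provider, and an .mdb path outside the web root; none of these are specified in the thread.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumed: Users(Username, Password),
' Jet 4.0 OLE DB provider, .mdb outside the web root at the path below.
Const CONN_STRING = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\data\admin.mdb"

' ADO constants normally supplied by adovbs.inc; declared so this page runs
' without the include.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

' VULNERABLE: the submitted values become part of the SQL text. A username of
'   ' OR 1=1 OR ''='
' turns the WHERE clause into a tautology and logs in without a password.
Function BuildLoginSqlUnsafe(user, pass)
  BuildLoginSqlUnsafe = "SELECT Username FROM Users WHERE Username = '" & user & _
                        "' AND Password = '" & pass & "'"
End Function

' ESCAPED (post #3's approach): doubling single quotes closes that hole for
' quoted string values, but every call site must remember to use it, and a
' value dropped into the query unquoted (a numeric id, an ORDER BY column)
' gets no protection at all.
Function BuildLoginSqlEscaped(user, pass)
  BuildLoginSqlEscaped = "SELECT Username FROM Users WHERE Username = '" & _
                         Replace(user, "'", "''") & "' AND Password = '" & _
                         Replace(pass, "'", "''") & "'"
End Function

' PARAMETERIZED: the SQL text is fixed and the values travel as typed
' parameters, so quotes, semicolons and comment markers in the input are
' just data. Jet OLE DB uses positional ? placeholders; parameters are
' appended in the order the ? marks appear.
Function LoginValid(user, pass)
  Dim conn, cmd, rs
  LoginValid = False
  Set conn = Server.CreateObject("ADODB.Connection")
  conn.Open CONN_STRING
  Set cmd = Server.CreateObject("ADODB.Command")
  Set cmd.ActiveConnection = conn
  cmd.CommandType = adCmdText
  cmd.CommandText = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
  cmd.Parameters.Append cmd.CreateParameter("user", adVarWChar, adParamInput, 50, user)
  cmd.Parameters.Append cmd.CreateParameter("pass", adVarWChar, adParamInput, 50, pass)
  Set rs = cmd.Execute
  If Not rs.EOF Then LoginValid = True
  rs.Close
  conn.Close
  Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
End Function

Dim u, p
u = Request.Form("username")
p = Request.Form("password")
' Length checks before touching the database: anything longer than the
' column can never be a legitimate credential, so reject it up front.
If Len(u) = 0 Or Len(u) > 50 Or Len(p) = 0 Or Len(p) > 50 Then
  Response.Write "Invalid login."
ElseIf LoginValid(u, p) Then
  Session("admin") = True
  Response.Redirect "admin.asp"
Else
  Response.Write "Invalid login."
End If
%>
```

The same Command/Parameters pattern covers the password-change facility mentioned in post #3 (an UPDATE with ? placeholders for the new password and the username), which is the path the attacker used; with the query text fixed, changing a password through that form cannot alter which rows the UPDATE touches.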

