Post #1, 09-23-2007, 06:03 PM, by esthera (Senior Coder, joined May 2004)
Subject: prevent hacking

I have an admin backend that I built in ASP; it is password protected using ASP and an Access database.

The DB has been hacked twice recently, where it seems someone got hold of the passwords.

What can I do to prevent hacking?
Any suggestions?
Post #2, 09-23-2007, 06:06 PM, by sasha85 (Regular Coder, joined Sep 2007)
Subject: well...some Q 2 u

Well, this is not nice at all... First of all, do not panic!
Make backups...

Did you set your connection string to the database with a username and password?
Is the server you are using your private one, or do you have an account?
Post #3, 09-23-2007, 06:13 PM, by esthera (Senior Coder, joined May 2004)
So far all this person has done (and I traced the IP) is log in and change the login passwords (there is a facility to do this) so that no one else can log in.
I'm just trying to find ways to make it more secure.
Most of the insert statement strings go through the following function:

Code:
' Escapes a value for concatenation into an SQL statement.
' Value: the raw input; sType: "Number" for numeric columns, anything else for text.
Function ToSQL(Value, sType)
  Dim Param
  Param = Value
  if Param = "" or isnull(Param) then
    ToSQL = "Null"
  else
    if sType = "Number" then
      ' CDbl raises a type-mismatch error (rather than emitting raw text)
      ' when the value is not numeric.
      ToSQL = CDbl(Param)
    else
      ' Double each single quote so it cannot close the string literal.
      ToSQL = "'" & Replace(Param, "'", "''") & "'"
    end if
  end if
end function
Any ideas for improving it?
Post #4, 09-23-2007, 06:37 PM, by ess (Regular Coder, United Kingdom, joined Oct 2006)
You should use SSL on your server to ensure that communications between browser and server are encrypted and to reduce the chances of sniffing attacks.

Second of all, you should ensure that your application doesn't throw any errors to the browser that may demonstrate the underlying technology in use (i.e. the database or programming language), and that errors are logged and perhaps emailed so that you are aware of errors as they occur.

Finally, you should always check all input and verify that: 1) the data is of the correct data type (i.e. if you're expecting positive numbers, then only accept positive numbers), and 2) any characters such as >, <, =, != etc. are properly escaped and perhaps even disallowed.

I would also consider changing the database connection string so that it is not the same one you've used before, in case the hacker is keeping a record of any previously found weaknesses.

I would also recommend that you use XSS and SQL scanners. There are loads of free ones on the net; here is a link that lists quite a number of SQL and XSS utilities.

http://egharish.blogspot.com/2007/09...ity-tools.html

Cheers,
~E

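The two server-side points in ess's reply (accept only the exact input shape you expect, and never let a raw error reach the browser) can be shown in a short classic ASP page. This is an added example, not code from the thread or from any poster: the validation patterns, the log file path, the form field names and the column layout are all assumptions chosen for illustration.

```vbscript
<%
Option Explicit
' Added example: strict input checks and error handling for a classic ASP
' admin page. Field names and the log path below are assumptions.

' True only when the request value is a whole positive number (1..999999999).
' Request values are always strings, so the characters are checked directly
' instead of relying on CInt/CDbl, which also accept " 12 ", "1e3" or "+5".
Function IsPositiveInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[1-9][0-9]{0,8}$"
    IsPositiveInteger = re.Test(s)
End Function

' True when the value contains only characters allowed in a user name,
' so <, >, =, ' and ; are rejected before any query is built.
Function IsSafeUsername(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{3,20}$"
    IsSafeUsername = re.Test(s)
End Function

' Writes the real error (number, description, remote IP, page) to a log file
' outside the web root and shows the visitor only a generic message.
Sub LogAndHideError(errNumber, errDescription)
    Dim fso, f
    On Error Resume Next   ' a failing log write must not leak a second error
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ' 8 = ForAppending; the path is an assumption, keep it outside wwwroot
    Set f = fso.OpenTextFile("D:\logs\admin-errors.log", 8, True)
    f.WriteLine Now() & vbTab & Request.ServerVariables("REMOTE_ADDR") & vbTab & _
                Request.ServerVariables("SCRIPT_NAME") & vbTab & _
                errNumber & vbTab & errDescription
    f.Close
    On Error GoTo 0
    Response.Clear
    Response.Write "An error occurred. The administrator has been notified."
    Response.End
End Sub

' Usage in the page: reject bad input first, then run the database work with
' errors trapped so that no ODBC/Jet message reaches the browser.
Dim id, username
id = CStr(Request.Form("id"))
username = CStr(Request.Form("username"))
If Not IsPositiveInteger(id) Or Not IsSafeUsername(username) Then
    Response.Write "Invalid request."
    Response.End
End If

On Error Resume Next
' ... database work with id and username goes here ...
If Err.Number <> 0 Then LogAndHideError Err.Number, Err.Description
On Error GoTo 0
%>
```

The page-level trap only covers errors inside the script; IIS separately has a setting that controls whether detailed ASP error messages are sent to the client, and it should be turned off on a production server so that script errors outside any `On Error` block are not shown either.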
Post #5, 09-23-2007, 06:41 PM, by sasha85 (Regular Coder, joined Sep 2007)
I'm talking about:

Code:
' SQL Server (local or remote IP in SERVER=)
pDatabaseConnectionString = "Driver={SQL Server};UID=username;password=0000;DATABASE=dbname;SERVER=0.0.0.0"

' mySQL Server 2.5
pDatabaseConnectionString = "Driver={mySQL};Server=mysqlserver;database=dbname;Uid=username;Pwd=0000"

' mySQL Server 3.51 local
pDatabaseConnectionString = "Driver={MySQL ODBC 3.51 Driver};Server=mysqlserver;database=dbname;user=username;password=0000;OPTION=3"
Post #6, 09-23-2007, 07:50 PM, by miranda (Senior Coder, Arlington, Texas USA, joined Dec 2002)
Are you preventing SQL injection attacks? If not, then it is entirely possible that the person entered through SQL injection and then changed the DB password. Some ways to prevent injection are by:
  • using parameterized queries
  • using ADO Inserts & Updates instead of SQL INSERT & UPDATE statements
  • adding a function to change apostrophes and also semicolons to their ASCII values.
If you don't think that the hacker came in via SQL injection, you can convert your ASP code to a DLL file (see this link: ASP2DLL); this way the username and password are not visible to a hacker looking at your source code.
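The first two points in miranda's list, parameterized queries and ADO inserts, address the weakness in the ToSQL function from post #3: that function only helps on the code paths that remember to call it, and a value that skips it lands directly in the SQL text. The following is an added example written for this thread, not code from any poster: it shows the login lookup, the password-change facility and a log insert for an Access database done with ADO parameters and Recordset.AddNew, so user input is never part of the statement text. The .mdb path, table and column names are assumptions.

```vbscript
<%
Option Explicit
' Added example: parameterized ADO access to an Access (Jet) database.
' Table "admins" (id, username, passwd), table "login_log" and the .mdb path
' are assumptions for illustration.

Const adVarWChar = 202      ' ADO DataTypeEnum
Const adParamInput = 1      ' ADO ParameterDirectionEnum
Const adCmdText = 1         ' ADO CommandTypeEnum
Const adCmdTable = 2
Const adOpenKeyset = 1      ' ADO CursorTypeEnum
Const adLockOptimistic = 3  ' ADO LockTypeEnum

Function OpenAdminDb()
    Dim cn
    Set cn = Server.CreateObject("ADODB.Connection")
    ' Keep the .mdb outside the web root so it cannot be downloaded by URL.
    cn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\data\admin.mdb"
    Set OpenAdminDb = cn
End Function

' Builds a command whose "?" placeholders are bound to values; the values are
' sent as data, so a quote or semicolon inside them cannot alter the query.
Function NewCommand(cn, sqlText)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    Set NewCommand = cmd
End Function

Sub AddTextParam(cmd, name, value)
    cmd.Parameters.Append cmd.CreateParameter(name, adVarWChar, adParamInput, 50, value)
End Sub

' True when a row matches the supplied credentials (compared as stored,
' as in the thread's setup).
Function CheckLogin(cn, username, password)
    Dim cmd, rs
    Set cmd = NewCommand(cn, "SELECT id FROM admins WHERE username = ? AND passwd = ?")
    AddTextParam cmd, "u", username
    AddTextParam cmd, "p", password
    Set rs = cmd.Execute
    CheckLogin = Not rs.EOF
    rs.Close
End Function

' The "change password" facility, parameterized the same way. Requiring the
' current password means a guessed or reused session alone cannot lock the
' other administrators out.
Function ChangePassword(cn, username, oldPassword, newPassword)
    Dim cmd, affected
    Set cmd = NewCommand(cn, "UPDATE admins SET passwd = ? WHERE username = ? AND passwd = ?")
    AddTextParam cmd, "new", newPassword
    AddTextParam cmd, "u", username
    AddTextParam cmd, "old", oldPassword
    cmd.Execute affected
    ChangePassword = (affected = 1)
End Function

' Insert through Recordset.AddNew (the "ADO inserts" suggestion): no SQL
' text is built at all, so quoting never becomes the page's problem.
Sub LogAttempt(cn, username, success)
    Dim rs
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open "login_log", cn, adOpenKeyset, adLockOptimistic, adCmdTable
    rs.AddNew
    rs("username") = username
    rs("remote_ip") = Request.ServerVariables("REMOTE_ADDR")
    rs("succeeded") = success
    rs("logged_at") = Now()
    rs.Update
    rs.Close
End Sub

' Usage: every login attempt is recorded with its source IP, which gives the
' trace the original poster did by hand a permanent audit trail.
Dim cn, ok
Set cn = OpenAdminDb()
ok = CheckLogin(cn, CStr(Request.Form("username")), CStr(Request.Form("password")))
LogAttempt cn, CStr(Request.Form("username")), ok
cn.Close
%>
```

Jet binds the `?` placeholders positionally, so the parameters must be appended in the order they appear in the statement; the helper names ("u", "p", "old") are only labels. The ToSQL function from post #3 can stay for the remaining string-built queries, but each query converted to a Command or Recordset this way is one fewer place where a forgotten call to it matters.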