Help for hacked sites: SQL injection


LUCAS BALLARD: Hi. I’m Lucas Ballard. I’m a software engineer at Google. And I work on Google’s safe browsing. I’d like to provide more information for site owners who were notified that their site was infected with malware, specifically with the type SQL injection. You can see sample infected URLs and the type of malware infection when you verify ownership of your site in Google Webmaster Tools. Google Webmaster Tools can be found at google.com/webmasters.

With regard to the malware type SQL injection, this means that your site’s database is likely compromised. For example, the hacker may have programmatically inserted malicious code into every record of the database table. Later, when the server loads a page that requires information from the database, the malicious code is now embedded in the page’s content. To make this more concrete, let’s say you have a blog about boating. Each blog post is stored as a record in a database. Through a SQL injection, your database could be compromised and records modified to include an iframe with content from the attack site. Now, when a user visits a page on your blog, the post that loads in their browser doesn’t just contain your musings about boating, but also contains code to make them the next victim of malware.

To investigate the results of a SQL injection, if you’ve verified ownership of your site in Webmaster Tools, confirm the issue by copying the sample URLs shown in the malware section. Don’t open these URLs in a browser. Instead, use Wget or cURL to check for unwanted code. Your server will need to be online to use these tools. Next, try to correlate the damage seen in the URL source code through Wget or cURL with the actual database record. One way to get an estimate of how many records were affected is to look for strings of the hacker’s code. For example, if you noticed your pages include a dangerous iframe, you could perform a query searching for iframe code. There are also tools, like phpMyAdmin, that provide more visibility to your database entries. Check database log and error files for unusual activity, such as unexpected SQL commands that seem abnormal for regular users or errors. This can provide more information about the hacker’s intent.

When you’re ready to clean your site of the SQL injection, which is in a following step of our hacked site recovery process, you can either update each database record, or you can restore your last known database backup. This, of course, doesn’t actually correct the original vulnerability that allowed the hacker to compromise your site in the first place. We’ll talk more about database security in a following step.

I hope this video provides background on SQL injections and how they can be used to distribute malware on an innocent site. Before you move to the next step, be sure to review file system damage assessment to better investigate your entire site, rather than just a single type of infection. Thanks for watching.
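As an added example (not from the video and not Google's tooling), the script below does the correlation step the talk describes: it pulls the iframe or script hosts out of a page saved with Wget or cURL, then searches a database table for every record that embeds the same host, which also gives the estimate of how many records were affected. The fetched page, the `posts` table, its column names and all rows are constructed for the illustration, and an in-memory SQLite database stands in for the site's real database; it goes slightly beyond the talk by matching `<script>` tags as well as iframes.

```python
import re
import sqlite3

# Constructed sample: page source as saved by curl/wget, with a hidden
# iframe injected after the legitimate post body.
FETCHED_PAGE = """<html><body><h1>Anchoring basics</h1>
<p>Scope matters more than anchor size.</p>
<iframe src="http://attack.example/load.php" width="0" height="0"></iframe>
</body></html>"""

# Constructed sample rows for a blog "posts" table; ids 2 and 3 carry the
# injection (id 3 in upper case, as mass-injected SQL often leaves it).
SAMPLE_POSTS = [
    (1, "Choosing a first sailboat", "<p>Start small and learn to reef early.</p>"),
    (2, "Anchoring basics", "<p>Scope matters more than anchor size.</p>"
        '<iframe src="http://attack.example/load.php" width="0" height="0"></iframe>'),
    (3, "Winter storage", "<p>Drain the engine.</p>"
        '<IFRAME SRC="HTTP://ATTACK.EXAMPLE/load.php" style="display:none"></IFRAME>'),
    (4, "Knots to know", "<p>Bowline, cleat hitch, clove hitch.</p>"),
]

# <iframe ...> or <script ...> loading from an absolute http(s) URL; group 2 is the host.
EMBED_RE = re.compile(
    r'<(iframe|script)\b[^>]*\bsrc\s*=\s*["\']?https?://([^/"\'\s>]+)', re.IGNORECASE)

def extract_embed_hosts(html):
    """Hosts referenced by iframe/script tags in page source, lowercased and deduplicated."""
    return sorted({m.group(2).lower() for m in EMBED_RE.finditer(html)})

def build_sample_db():
    """In-memory SQLite database holding the constructed posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn

def records_referencing_host(conn, host, table="posts", column="body"):
    """Ids of rows whose text column embeds an iframe/script from `host`.

    table/column are picked by the investigator; the host is a bound parameter,
    and the regex re-checks each candidate row so plain mentions of the host don't count.
    """
    sql = f"SELECT id, {column} FROM {table} WHERE LOWER({column}) LIKE ? ORDER BY id"
    rows = conn.execute(sql, (f"%{host.lower()}%",)).fetchall()
    return [rid for rid, text in rows if host.lower() in extract_embed_hosts(text)]

def correlate(conn, fetched_html, table="posts", column="body"):
    """Map each external embed host seen in the fetched page to the affected row ids."""
    return {h: records_referencing_host(conn, h, table, column)
            for h in extract_embed_hosts(fetched_html)}

if __name__ == "__main__":
    print(correlate(build_sample_db(), FETCHED_PAGE))
```

Point `table` and `column` at the real table that feeds the affected pages and replace the sample page with the file cURL or Wget wrote; the per-host id lists are the records to clean or compare against the last known good backup.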
