How To Clean Up After a SQL Injection Attack

NEW AND IMPROVED UPDATE: Cleaning Up After a SQL Injection Attack, Part 2

[UPDATE: Added code to deal with replacing text in the ntext fields of SQL Server 2000.]

One of our clients got hit with a web attack a week or so ago. We’re still not quite sure how this particular attack was carried out — we’re thinking an unpatched web server at the hosting facility — but it did cause me to look at the log file of the web site to see who might have been able to overwrite index.htm in the root directory. (The FTP logs held the clue — a rogue in Asia who cracked the password.)

As I said, it turned up nothing, but I did see a series of SQL Injection attacks — none of which were successful (always check your variables, kids!) — but they piqued my interest, so I took it apart.

Microsoft Patch Breaks Zone Alarm

Got a call from a client today complaining that he could no longer access the Internet. He’s running Zone Alarm 7.

Trek out to the site and lo and behold, we can ping IP addresses thru the firewall, but we can’t resolve any names. Turns out DNS had a big hole in it, and it’s been patched by the major vendors, Microsoft among them.

So, Microsoft rolls out KB951748 yesterday as part of Patch Tuesday, and this morning all the machines set to autoupdate who are also running Zone Alarm find themselves out of luck.

The quick fix is to run ZoneAlarm’s Internet Zone Security in “Medium” mode.

Zone Alarm released a knowledge base article suggesting three options: the aforementioned “medium mode” fix, uninstalling the patch, or adding your DNS servers to the trusted zone.

Adding the DNS servers to the trusted zone is the most secure solution as it allows you to run in full stealth and still enjoy the “benefits” of the Microsoft patch.

Get your Mac ready for the beach!

I’ve recently run into some space issues on my primary partition on my home Mac Mini. Not really problems, since I’ve got 200GB of additional storage attached to it, but you never want to have a primary partition wanting for space (on any system, as you need that “free space” for the page file/virtual memory).

On Windows machines, I recommend using a tool like SpaceMonger to profile your hard drive(s) and delete unwanted files, etc. (Note – NEVER DELETE a file unless you know what it is, what it does, and that it’s unnecessary or redundant)

On my Mac, I had already analyzed my disk, moved or deleted things that didn’t belong on my system drive, but I still didn’t have as much free space as I’d like. And that’s when I discovered Xslimmer.

Most (90%) of Mac programs are now “Universal Binary” programs, meaning that they can run on older, PowerPC-powered Macs as well as new, Intel-powered machines. Which means (basically) that there are two sets of code in every program that’s on your hard drive. Additionally, Mac programs often ship (download) with multiple language packs to support a broader range of users. I only speak English, so I rarely (never) need to run a program in Spanish. Or Dutch. Or whatever they speak in Kazakhstan.

What Xslimmer does is analyze your applications folder and strip out the code you don’t need. If you have a PowerPC Mac, it will strip out the Intel code from your apps, and vice versa. It also removes unnecessary language packs from your apps. The initial analysis and “slimming” took about an hour (during which time I was still able to work without any memory hit) and it saved me almost 4.5GB of space!

So if you’ve got some Mac bloat (and lots of applications), Xslimmer might help your Mac fit into its thin jeans again!

Stopping Shell Shortcuts from Resolving

We love Terminal Server. We think it’s a pretty great solution for small businesses; put a little more money into a server and you can keep your older hardware around.

In setting up our terminal server environments, we like putting shortcuts to various shares on the desktop. However, the server always wants to convert them from \\server\data to their local equivalent, d:\data.

But a quick registry entry will eliminate that.

Create a new DWORD value of “LinkResolveIgnoreLinkInfo” in this key:


… and set it to a data value of “1”

Reboot and that’ll do it.

(You can also put this in the CURRENT_USER key, but I’m not sure why you’d want to.)