Recently we have faced a Skye virus attack on a LAN. One of the users received a message

Do you think this is the definition of SEXY? I do.
http://www.xxxxxxxxxx.com/uploads/94603/NewPicture004.JPG.zip

Now the same message was started to send from this machine to all his skype contacts. Also sent email through email client.  In a couple of minutes all systems were infected.  We have done the following steps to fix it

1. Cleaned the hosts file
We have noticed that the hosts file  located in c:\windows\sysetm32\drivers\etc\ was edited by the virus and it added many lines to the file at the very bottom.  We  scrolled down to the end and removed all unwanted entries.  Remember  this file is read only and you need to change the file attribute to save it.

2. Cleaned the System using ComboFix

Download this and run the file.  Follow the instructions and complete the steps. In some cases you need to do with something on the Network Card. Go to Device manager and you will find two copies of the same network card. One with an Yellow color and other is normal. Now remove the Normal card and click on Scan for hardware changes and your card will be automatically installed. Note that you may also to set the IP address if you are using static IP address

3.  complete System scan using a good Anti Virus

Use any good anti virus program to do a full system scan. I recommend Avast Antivirus and do a boot time scan with that

This is a small notes about SQL Injection ( Microsoft SQL Server)

How does SQL injection work?

Formatted SQL queries are passed through text boxes (Login pages, search pages etc). These queries are executed by the sql server. Consider an example of a login page which has two text boxes one for Username and another for password

Now, if the program is not well created a hacker (or a person who knows SQL commands) can pass any sql query to through these text boxes. And that will be executed by the sql server. SQL server does not know where the query comes. For example , a person can pass a query to drop a table through this text box.

How to find SQL Injection?

If you doubt that there something wrong in the database (may be tables altered, data dropped , even database dropped  without your permission) you should immediately start SQL server Profiler to monitor  the SQl commands.  The sql profiler will show all queries that the sql server executes. Now you can see that there may be alter or drop commands appearing in the profiler. When you find it, check the details of that and you can understand that which user executes these commands.  I assume that sql server does not allow remote connections. If you allow remote connections, any user who knows the username and password can directly do anything on the database

Following is a case of sql injection

Suppose there is table called ‘City ‘and there is a query to select a user from the city. Let  us take a small search page which fill find a user from the table called ‘usrs’.  There will be a text box to enter the name of the person that we need to search. Suppose the name of the person is ‘Aneesh’. Now when the user types ‘Aneesh’ and hit on the ‘Search’ button the SQL query will be executed ask follows

SELECT * FROM users  WHERE name = 'Aneesh' ;

Now think, the user enters in the seach box as given below

Aneesh; drop table users--

At this time the sql query will be executed as given below

SELECT * FROM users   WHERE name = 'Aneesh';drop table OrdersTable--'

Now we know what will do if the above query is executed. It will drop the table ‘users’

How can we Prevent SQL injection?

When a web application is developed make sure that you always use proper validations .I hope this will be the best practice. Also, in our case the login text boxes have no size limit. That means any one can enter long sql queries through these text boxes. So make sure that you set SIZE FOR EACH TEXT BOXES.  I login text boxes can be up to 10 and password can be up to 10. It depends upon the nature of the web application. In general for a medium company I don’t think that the user id and password do not need more than 10 characters.

Don’t think that this is only enough, but you can do this in your programs. I experienced and I have taken these measures to prevent it. Following are  few cases of sql injection

Why do you buy FTP software by paying much money when windows itself provides it . FTP service can be installed in windows IIS and you can create as many virtual directories as you need. You can also set quota for each users by windows’ default quota management. You don’t want to run behind any third party FTP server software. I  am going to demonstrate how to install IIS FTP service on a windows 2003 server with  disk quota for the user.  You can set the disk quota in terms of  Kilobyte (KB) , Megabyte (MB), Gigabyte (GB), Terabyte (TB) and  Exabyte (EB) .  In the following example I am going to create a virtual directory for the user ‘test’ with 1 GB disk quota .

Step1 : Create a user ‘test’ on windows

Step2 :  Install IIS FTP service

Step3 : create a virtual directory under the default FTP and name it as ‘test’ and point to a location , say c:\inetpub\wwwroot\test . Give write permission for the user ‘test ‘

Step4 :  Take Properties of  ‘C’ Drive and go to ‘Quota’ as mentioned in the following figure

Step5 :  Click on ‘Quota Entries’  . Got o ‘Quota menu and click on ‘New Quota Entry’ and  input the Quota limit

You can install both apache and IIS on same port if the system has two IP address. You may install IIS and apache server in normal way. IF IIS is started  prior to Apache, IIS will take all the IP address and apache cannot start on the same port. Do fix this, we need to tell IIS to bind only one ip.

You need HttpCfg.exe utility to do this tak. It is available by default on Windows Server 2003 but if you’re using Windows XP you can install HttpCfg.exe as part of the Windows XP Service Pack 2 Support tools. Then open a command prompt and type the following, replacing xxx.xxx.xxx.xxx with the IP address you’d like to bind to IIS:

C:\Windows\system32>httpcfg set iplisten -i xxx.xxx.xxx.xxx