Mark, thanks for the info. I tried this and it located the code. I removed the comment and executed; however, the code still remains. Any help you can offer would be great!
Thanks!

>For those of you who have been hit by this attack and who need to try
>something short of restoring your DB, this script will generate a series of
>update statements in reverse of the hack that's been going around:
>
>-----------------------------------------------------------
>DECLARE @T varchar(255), @C varchar(255)
>DECLARE @sql varchar(4000)
>DECLARE @script varchar(255)
>/*fill in the value of the malicious script. */
>select @script = '<script src="*scriptsrc"></script><!---'
>
>DECLARE Table_Cursor CURSOR FOR
>  SELECT a.name, b.name
>  FROM sysobjects a, syscolumns b
>  WHERE a.id = b.id AND a.xtype = 'u'
>  AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
>
>  OPEN Table_Cursor
>  FETCH NEXT FROM Table_Cursor INTO @T, @C
>  WHILE (@@FETCH_STATUS = 0)
>  BEGIN
>    SELECT @sql = 'update [' + @T +'] set ['+ @C +'] = Replace([' + @C + '],''' + @script + ''','''')'
>    PRINT @sql
>
>    /*uncomment this after checking the output using print */
>    --EXEC(@sql)
>
>    FETCH NEXT FROM Table_Cursor INTO @T, @C
>  END
>CLOSE Table_Cursor
>DEALLOCATE Table_Cursor
>
>-------------------------------------------------------
>
>1) Replace the value of @script (the select at the top) with the value of
>the string that's been inserted into your DB
>2) Run the script AS IS - you should see a list of "update" statements that
>look like this:
>
>update [**tablename] set [**columnName] = Replace([**ColumnName],'<script src="*scriptsrc"></script><!---','')
>
>Where **tablename and **columname represent actual tables/columns from your
>DB.
>
>You can then run the updates individually to strip out the malicious code...
>I also converted the update to a select to compare the values and see what
>the result would be on update.
>
>3) If you are brave you can comment out the "EXEC(@sql)" line and rerun the
>script. Doing so will hit every table and every char column with these
>updates so be sure you know what you are doing.
>
>
>-Mark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309407
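To check whether a cleanup run actually removed the injected string, the following read-only query counts the rows that still contain it in each text column. It is an added example, not code from this thread; it assumes SQL Server 2005 or later, and the names `#hits`, `Column_Cursor`, `@needle`, `@sch`, `@tbl` and `@col` are chosen for this example.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005 or later.
DECLARE @script nvarchar(255), @sql nvarchar(4000);
DECLARE @S sysname, @T sysname, @C sysname;

-- Same placeholder as the quoted script: fill in the exact injected string.
SET @script = N'<script src="*scriptsrc"></script><!---';

-- #hits is a name chosen for this example; it collects one row per column.
CREATE TABLE #hits (SchemaName sysname, TableName sysname,
                    ColumnName sysname, AffectedRows int);

-- Same four column types as the quoted script (xtype 99, 35, 231, 167),
-- but schema-aware so tables outside dbo are included.
DECLARE Column_Cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('ntext', 'text', 'nvarchar', 'varchar');

OPEN Column_Cursor;
FETCH NEXT FROM Column_Cursor INTO @S, @T, @C;
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- Object names go through QUOTENAME; the search string is passed as a
    -- parameter, so quotes inside it cannot break the generated statement.
    -- The CAST lets CHARINDEX search text/ntext columns as well.
    SET @sql = N'INSERT INTO #hits SELECT @sch, @tbl, @col, COUNT(*) FROM '
             + QUOTENAME(@S) + N'.' + QUOTENAME(@T)
             + N' WHERE CHARINDEX(@needle, CAST(' + QUOTENAME(@C)
             + N' AS nvarchar(max))) > 0';
    EXEC sp_executesql @sql,
         N'@sch sysname, @tbl sysname, @col sysname, @needle nvarchar(255)',
         @sch = @S, @tbl = @T, @col = @C, @needle = @script;
    FETCH NEXT FROM Column_Cursor INTO @S, @T, @C;
END
CLOSE Column_Cursor;
DEALLOCATE Column_Cursor;

-- Columns that still hold the injected string, worst first.
SELECT SchemaName, TableName, ColumnName, AffectedRows
FROM #hits
WHERE AffectedRows > 0
ORDER BY AffectedRows DESC;

DROP TABLE #hits;
```

An empty result means no column of these types still contains the exact string in `@script`. REPLACE rejects text and ntext arguments, so rows reported here for columns of those types need the column cast as above before REPLACE can be applied.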

