Hi malware fighters,
This is the CERT advice for users:
JavaScript and ActiveX running in a browser can be so dangerous, and seen in the light of the latest massive SQL injection ( http://www.theregister.co.uk/2008/04/24/mass_web_attack/ ) and the abuse of sloppily coded ASP infecting millions of websites, the advice for browser users is to block JavaScript and ActiveX by default.
So I was right after all to promote the use of NoScript in Firefox or the Flock browser; the times you have to use JavaScript aren’t that many, so you can turn it on temporarily when you cannot go without it. Read here:
http://www.us-cert.gov/current/index.html#compromised_websites_hosting_malicious_javascript
And can this be done on the server side?
This is a T-SQL script that searches all databases on the SQL Server for “<script”. If this has ‘malicious code’ inside, it has to be checked manually (or adapt the script to do this automatically), but generally the T-SQL would look like this:
==========
-- Runs the scan once per database; sp_msforeachdb replaces ? with each database name
exec sp_msforeachdb '
Print(''Scanning Database [?]'')
DECLARE @T varchar(255), @C varchar(255)
-- Every column of type ntext (99), text (35), nvarchar (231) or varchar (167) in a user table
DECLARE Table_Cursor CURSOR LOCAL FOR
  select a.name, b.name from [?].dbo.sysobjects a, [?].dbo.syscolumns b
  where a.id = b.id and a.xtype = ''u'' and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
  order by a.name, b.name
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
  -- skip table names starting with #
  If Left(@T, 1) <> ''#''
  Begin
    Print(''  Scanning Table [''+@T+''], Column: [''+@C+'']'')
    -- dynamic SQL: if any row of this column contains <script, print a FOUND marker
    Exec(''if exists(select [''+@C+''] from [?].dbo.[''+@T+''] where [''+@C+''] like ''''%<script%'''') print ''''>>> FOUND in [''+@T+''].[''+@C+'']'''''')
  End
  FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
'
==========
N.B.: It may be that this scan takes a considerable time to perform; look at the printout for “>>> FOUND” to see the tables in which you can find a ‘<script’ snippet.
polonus
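As an added example (not polonus's script, and not from US-CERT), here is a version of the same scan that covers all schemas rather than only dbo, uses the sys.* catalog views instead of sysobjects/syscolumns, and collects the results in a table with a row count and one sample value per hit, so the "check manually" step has something to look at. It assumes SQL Server 2005 or later and is written for one database at a time (USE the database, then run it), or wrap it in sp_MSforeachdb as the original does; the temp table name #ScriptHits and the @pattern value are my choices.

```sql
-- Added example, not the original post's script: scan the current database
-- for string columns containing "<script", in every schema, and report a
-- row count plus one sample value per hit for manual review.
-- Assumes SQL Server 2005 or later (sys.* catalog views, nvarchar(max)).
SET NOCOUNT ON;

DECLARE @pattern nvarchar(100);
SET @pattern = N'%<script%';          -- the marker the 2008 injections left behind

IF OBJECT_ID('tempdb..#ScriptHits') IS NOT NULL DROP TABLE #ScriptHits;
CREATE TABLE #ScriptHits (
    SchemaName  sysname,
    TableName   sysname,
    ColumnName  sysname,
    HitCount    int,
    SampleValue nvarchar(200)
);

DECLARE @schema sysname, @table sysname, @column sysname, @sql nvarchar(max);

-- Every char/varchar/nchar/nvarchar/text/ntext column of every user table, all schemas.
DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.columns c
    JOIN sys.tables  t ON t.object_id = c.object_id
    JOIN sys.schemas s ON s.schema_id = t.schema_id
    WHERE TYPE_NAME(c.system_type_id) IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')
      AND t.is_ms_shipped = 0
    ORDER BY s.name, t.name, c.name;

OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME protects the dynamic SQL from odd identifiers; the pattern is
    -- passed as a parameter rather than spliced into the string. The CAST lets
    -- text/ntext columns be searched the same way as (n)varchar ones.
    SET @sql = N'INSERT INTO #ScriptHits (SchemaName, TableName, ColumnName, HitCount, SampleValue)
        SELECT @s, @t, @c, COUNT(*),
               MIN(CAST(LEFT(CAST(' + QUOTENAME(@column) + N' AS nvarchar(max)), 200) AS nvarchar(200)))
        FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N'
        WHERE CAST(' + QUOTENAME(@column) + N' AS nvarchar(max)) LIKE @p
        HAVING COUNT(*) > 0;';
    EXEC sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @p nvarchar(100)',
         @s = @schema, @t = @table, @c = @column, @p = @pattern;
    FETCH NEXT FROM col_cur INTO @schema, @table, @column;
END
CLOSE col_cur;
DEALLOCATE col_cur;

-- One row per column that contains the pattern; review SampleValue before
-- treating it as malicious, since a CMS that stores HTML will also match.
SELECT * FROM #ScriptHits ORDER BY HitCount DESC;
```

Like the original, this does a full scan of every string column (a leading-wildcard LIKE cannot use an index), so on a large database it will take a while; run it off-peak or against a restored copy. A hit is only a candidate: "<script" also occurs in legitimately stored HTML, which is why the sample value is captured alongside the count.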