Jonathan Bringhurst on 26 Mar 2010 14:50:59 -0700
Is POST data even in the logs? Maybe you could just grep for occurrences of a single-quote (both hex and non-hex) and double dashes within the 200 responses.

-Jon

On Fri, Mar 26, 2010 at 5:40 PM, Michael Lazin <microlaser@gmail.com> wrote:
> We have a customer who had an entire table dropped from their MS SQL server
> database, they are running a customer built ASP site with database backend.
> They are blaming us but 2nd level support believes it to be the result of a
> SQL injection attack. I have been given the unfortunate duty of trying to
> find the hack, I do security on the Linux servers, but there is no one else
> here who knows enough about logs who could do any better. I am working
> under the assumption that the attack will show up within the logs as a
> POST, and it will be a 200 (successful connection). There are 295 unique
> IPs that have passed post data that are 200s. I know this from grep and wc
> -l. Anyone know enough about MS logs to give me some hints that might help
> me find the hack with grep?
>
> --
> Michael Lazin
>
> ASCII ribbon campaign ( )
> against HTML e-mail    X
>                       / \
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
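
An added example, not part of either message: the grep idea from the reply applied to an IIS W3C extended log, using constructed sample lines and documentation IP addresses. It assumes the server logs `cs-uri-query`; IIS W3C logs record the query string but not the POST body, so only markers passed in the URL can show up this way.

```shell
#!/bin/sh
# Added example: flag quote / double-dash markers in the query string of
# requests that returned 200, in an IIS W3C extended log.

# Constructed sample log (documentation IP ranges, made-up URLs).
sample_log() {
cat <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-03-25 10:01:02 GET /default.asp - 192.0.2.10 200
2010-03-25 10:01:09 POST /login.asp - 192.0.2.10 200
2010-03-25 10:02:13 GET /item.asp id=7%27-- 198.51.100.7 200
2010-03-25 10:02:20 GET /item.asp id=7'-- 198.51.100.7 500
2010-03-25 10:03:41 POST /search.asp q=x%2D%2D 203.0.113.5 200
EOF
}

# Reads a W3C log on stdin; prints "c-ip method stem query" for each 200
# response whose query string holds a single quote or a double dash.
scan_iis_log() {
awk '
/^#Fields:/ {                       # column order is configurable, so map names
    split("", col)                  # reset the map (portable array clear)
    for (i = 2; i <= NF; i++) col[$i] = i - 1
    next
}
/^#/ { next }                       # skip the other directives
("cs-uri-query" in col) && ("sc-status" in col) {
    if ($(col["sc-status"]) != "200") next
    raw = $(col["cs-uri-query"])
    q = tolower(raw)
    gsub(/%27/, "\047", q)          # hex-encoded single quote
    gsub(/%2d/, "-", q)             # hex-encoded dash
    if (index(q, "\047") || index(q, "--"))
        print $(col["c-ip"]), $(col["cs-method"]), $(col["cs-uri-stem"]), raw
}'
}

sample_log | scan_iis_log
```

On a real server, feed the log files to `scan_iis_log` on stdin instead of `sample_log`; a hit is a lead to review by hand, since quotes and double dashes also occur in legitimate query strings.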