bergman on 26 Mar 2010 14:55:40 -0700



Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep



In the message dated: Fri, 26 Mar 2010 17:40:16 EDT,
The pithy ruminations from Michael Lazin on 
<[PLUG] slightly OT: finding SQL injection in M$ logs with grep> were:
=> --===============0571321618==
=> Content-Type: multipart/alternative; boundary=0016e68ea0205b9a5e0482bb0240
=> 
=> --0016e68ea0205b9a5e0482bb0240
=> Content-Type: text/plain; charset=ISO-8859-1
=> 
=> We have a customer who had an entire table dropped from their MS SQL server

Ouch.


	[SNIP!]

=> -l.  Anyone know enough about MS logs to give me some hints that might help
=> me find the hack with grep?

Sorry, no.

However, this may cheer you up:

	http://xkcd.com/327/


=> 
=> -- 
=> Michael Lazin
=> 
=> ASCII ribbon campaign ( )
=> against HTML e-mail    X
=>                                     / \

You're kidding, right?

Are you aware that your email was sent as a multipart MIME message, with both 
text/plain (acceptable) and text/html (ick) parts?

Mark

=> 
=> --0016e68ea0205b9a5e0482bb0240
=> Content-Type: text/html; charset=ISO-8859-1
=> Content-Transfer-Encoding: quoted-printable
=> 
=> We have a customer who had an entire table dropped from their MS SQL server=
=>  database, they are running a customer built ASP site with database backend=
=> .=A0 They are blaming us but 2nd level support believes it to be the result=
=>  of a SQL injection attack.=A0 I have been given the unfortunate duty of tr=
=> ying to find the hack, I do security on the Linux servers, but there is no =
=> one else here who knows enough about logs who could do any better.=A0 I am =
=> working under the assumption that the attack will show up with in the logs =
=> as a POST, and it will be a 200 (successful connection).=A0 There are 295 u=
=> nique IPs that have passed post data that are 200s.=A0 I know this from gre=
=> p and wc -l.=A0 Anyone know enough about MS logs to give me some hints that=
=>  might help me find the hack with grep?<br clear=3D"all">
=> <br>-- <br>Michael Lazin<br><br>ASCII ribbon campaign ( )<br> against HTML =
=> e-mail =A0 =A0X<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
=>  =A0 =A0 =A0 =A0 / \<br>
=> 
=> --0016e68ea0205b9a5e0482bb0240--
=> 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
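A small defensive filter of the kind the question asks about, added here as an example (it is not from the thread or from either poster): it keeps POST requests answered with 200 from an IIS W3C log, URL-decodes the query string, and lists the client IPs whose queries carry common SQL-injection tokens. The sample log lines, IPs, URLs and field layout are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the PLUG thread. Field layout assumed (IIS W3C):
#   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
#   c-ip cs(User-Agent) sc-status
# Caveat: IIS logs record cs-uri-query but not the POST body, so an
# injection sent only in form fields will never show up in these lines.

# Constructed sample log (hypothetical hosts, IPs and URLs).
SAMPLE_LOG=$(cat <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-03-25 10:01:02 192.0.2.10 POST /login.asp - 80 - 198.51.100.7 Mozilla/4.0 200
2010-03-25 10:01:09 192.0.2.10 POST /search.asp q=shoes 80 - 198.51.100.7 Mozilla/4.0 200
2010-03-25 10:01:30 192.0.2.10 POST /search.asp q=selection+guide 80 - 198.51.100.8 Mozilla/4.0 200
2010-03-25 10:02:15 192.0.2.10 POST /search.asp q=%27%3B+DROP+TABLE+orders%3B-- 80 - 203.0.113.44 Mozilla/4.0 200
2010-03-25 10:02:40 192.0.2.10 GET /search.asp q=%27+OR+1%3D1-- 80 - 203.0.113.45 Mozilla/4.0 200
2010-03-25 10:03:01 192.0.2.10 POST /item.asp id=5+union+select+1 80 - 203.0.113.46 Mozilla/4.0 500
2010-03-25 10:03:30 192.0.2.10 POST /item.asp id=7%27%20waitfor%20delay%20%270:0:5%27 80 - 203.0.113.47 Mozilla/4.0 200
EOF
)

# Reads an IIS W3C log on stdin; prints unique client IPs whose POST
# requests were answered 200 and whose query string looks like injection.
suspicious_post_ips() {
  # Drop #Software/#Fields directive lines; keep POST + 200; emit "c-ip<TAB>query".
  awk '$1 !~ /^#/ && $4 == "POST" && $11 == "200" { print $9 "\t" $6 }' |
    # Minimal URL decoding so %27, %3B, + etc. match the same tokens as plain text.
    sed -e 's/+/ /g' -e "s/%27/'/g" -e 's/%3[Bb]/;/g' -e 's/%2[Dd]/-/g' \
        -e 's/%20/ /g' -e 's/%3[Dd]/=/g' -e 's/%2[Ff]/\//g' -e 's/%2[Aa]/*/g' |
    # Quote, statement separator, comment markers, or a whole-word SQL keyword.
    # The word boundaries keep "selection" or "dropdown" from matching.
    grep -Ei "('|;|--|/\*|(^|[^[:alpha:]_])(drop|union|select|insert|delete|exec|xp_cmdshell|waitfor|declare)([^[:alpha:]_]|$))" |
    cut -f1 | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | suspicious_post_ips
```

Run against a real log with `suspicious_post_ips < ex100325.log`; the GET and 500 lines are deliberately excluded here to mirror the POST/200 filter described in the question, so widen the awk condition if you want those too.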