Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep
The POST data isn't actually showing in the logs; it just shows POST and the script name. I was hoping to find a POST from a suspicious IP, but there are too many unique IPs passing POST data to do this easily.
grep \' *.log shows nothing; how would I do this in hex? grep '--' *.log shows nothing either.
I found this site that looks promising,
egrep '/exec(\s|\+)+(s|x)p\w+/ix' *.log shows nothing, and the rest of the regexes on this page don't appear to work. I'm not a regex ninja, so maybe I'm doing something wrong.
On Fri, Mar 26, 2010 at 5:55 PM, <firstname.lastname@example.org>
In the message dated: Fri, 26 Mar 2010 17:40:16 EDT,
The pithy ruminations from Michael Lazin on
<[PLUG] slightly OT: finding SQL injection in M$ logs with grep> were:
=> Content-Type: multipart/alternative; boundary=0016e68ea0205b9a5e0482bb0240
=> Content-Type: text/plain; charset=ISO-8859-1
=> We have a customer who had an entire table dropped from their MS SQL server
=> -l. Anyone know enough about MS logs to give me some hints that might help
=> me find the hack with grep?
Sorry, no.
However, this may cheer you up:
=> Michael Lazin
=> ASCII ribbon campaign ( )
=> against HTML e-mail X
=> / \
You're kidding, right?
Are you aware that your email was sent as a multipart MIME message, with both
text/plain (acceptable) and text/html (ick) parts?
=> Content-Type: text/html; charset=ISO-8859-1
=> Content-Transfer-Encoding: quoted-printable
=> We have a customer who had an entire table dropped from their MS SQL server database, they are running a customer built ASP site with database backend. They are blaming us but 2nd level support believes it to be the result of a SQL injection attack. I have been given the unfortunate duty of trying to find the hack, I do security on the Linux servers, but there is no one else here who knows enough about logs who could do any better. I am working under the assumption that the attack will show up within the logs as a POST, and it will be a 200 (successful connection). There are 295 unique IPs that have passed post data that are 200s. I know this from grep and wc -l. Anyone know enough about MS logs to give me some hints that might help me find the hack with grep?
=> --
=> Michael Lazin
=> ASCII ribbon campaign ( )
=> against HTML e-mail X
=> / \
ASCII ribbon campaign ( )
against HTML e-mail X
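The log-grepping problem in this thread (POST bodies absent from IIS logs, query strings URL-encoded so a literal ' or -- never matches) worked through as an added shell example; it is not code from the thread or any of its posters. The sample log, its #Fields layout and the function names are constructed assumptions, and the token list is a starting point for triage, not a complete signature set.

```shell
#!/bin/sh
# Added example, not from the thread. IIS W3C logs record cs-uri-query (GET
# parameters) but never the POST body, and what they record is URL-encoded
# (' is %27, space is + or %20), so grepping for a literal ' or -- misses it.
# The field layout is an assumed minimal one; match yours to the #Fields line.

# Decode + and %HH in one string with portable awk (no printf \x needed).
urldecode() {
    printf '%s\n' "$1" | awk '
    function hexval(h) { return index("0123456789abcdef", tolower(h)) - 1 }
    {
        s = $0; gsub(/\+/, " ", s); out = ""
        while ((i = index(s, "%")) > 0) {
            hex = substr(s, i + 1, 2)
            if (hex ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                ch = sprintf("%c", hexval(substr(hex, 1, 1)) * 16 + hexval(substr(hex, 2, 1)))
                out = out substr(s, 1, i - 1) ch; s = substr(s, i + 3)
            } else { out = out substr(s, 1, i); s = substr(s, i + 1) }
        }
        print out s
    }'
}

# Print "c-ip sc-status method stem decoded-query" for requests whose decoded
# query carries common injection tokens. POST lines show "-" and never match:
# the body is not in the log, which is the gap the thread ran into.
scan_iis_log() {
    grep -v '^#' "$1" | while read -r date time method stem query ip status; do
        decoded=$(urldecode "$query")
        if printf '%s' "$decoded" | grep -Eiq "('|--|;|/\*|union[[:space:]]+select|exec[[:space:]]|xp_|drop[[:space:]]+table)"; then
            printf '%s %s %s %s %s\n' "$ip" "$status" "$method" "$stem" "$decoded"
        fi
    done
}

# Constructed sample log (IIS 6 style header; fields assumed). Prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-03-25 14:02:11 GET /products.asp id=42 192.0.2.10 200
2010-03-25 14:02:19 GET /products.asp id=42%27+OR+1%3D1-- 192.0.2.77 200
2010-03-25 14:03:02 POST /login.asp - 192.0.2.10 200
2010-03-25 14:05:44 GET /search.asp q=%27%3B+exec+xp_cmdshell 192.0.2.77 500
EOF
    printf '%s\n' "$f"
}
if [ -n "${1:-}" ]; then scan_iis_log "$1"; fi
```

Run it as `sh scan.sh ex100325.log` against a real log after adjusting the `read` field list to that log's #Fields line; the hits are a triage list to pair with the 200/POST filtering already described, not proof of compromise.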
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug