Michael Lazin on 26 Mar 2010 15:12:28 -0700



Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep


The POST data isn't actually showing in the logs; it just shows POST and the script name.  I was hoping to find a POST with a suspicious IP, but there are too many unique IPs passing POST data to do this easily.
grep \' *.log shows nothing, how would I do this in hex?  grep '--' *.log shows nothing either.

I found this site that looks promising,

http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks#comment-form

egrep '/exec(\s|\+)+(s|x)p\w+/ix' *.log shows nothing and the rest of the regex on this page doesn't appear to work.  I'm not a regex ninja so maybe I'm doing something wrong.



On Fri, Mar 26, 2010 at 5:55 PM, <bergman@merctech.com> wrote:




In the message dated: Fri, 26 Mar 2010 17:40:16 EDT,
The pithy ruminations from Michael Lazin on
<[PLUG] slightly OT: finding SQL injection in M$ logs with grep> were:
=> --===============0571321618==
=> Content-Type: multipart/alternative; boundary=0016e68ea0205b9a5e0482bb0240
=>
=> --0016e68ea0205b9a5e0482bb0240
=> Content-Type: text/plain; charset=ISO-8859-1
=>
=> We have a customer who had an entire table dropped from their MS SQL server

Ouch.


       [SNIP!]

=> -l.  Anyone know enough about MS logs to give me some hints that might help
=> me find the hack with grep?

Sorry, no.

However, this may cheer you up:

       http://xkcd.com/327/


=>
=> --
=> Michael Lazin
=>
=> ASCII ribbon campaign ( )
=> against HTML e-mail    X
=>                                     / \

You're kidding, right?

Are you aware that your email was sent as a multipart MIME message, with both
text/plain (acceptable) and text/html (ick) parts?

Mark

=>
=> --0016e68ea0205b9a5e0482bb0240
=> Content-Type: text/html; charset=ISO-8859-1
=> Content-Transfer-Encoding: quoted-printable
=>
=> We have a customer who had an entire table dropped from their MS SQL server=
=>  database, they are running a customer built ASP site with database backend=
=> .=A0 They are blaming us but 2nd level support believes it to be the result=
=>  of a SQL injection attack.=A0 I have been given the unfortunate duty of tr=
=> ying to find the hack, I do security on the Linux servers, but there is no =
=> one else here who knows enough about logs who could do any better.=A0 I am =
=> working under the assumption that the attack will show up with in the logs =
=> as a POST, and it will be a 200 (successful connection).=A0 There are 295 u=
=> nique IPs that have passed post data that are 200s.=A0 I know this from gre=
=> p and wc -l.=A0 Anyone know enough about MS logs to give me some hints that=
=>  might help me find the hack with grep?<br clear=3D"all">
=> <br>-- <br>Michael Lazin<br><br>ASCII ribbon campaign ( )<br> against HTML =
=> e-mail =A0 =A0X<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
=>  =A0 =A0 =A0 =A0 / \<br>
=>
=> --0016e68ea0205b9a5e0482bb0240--
=>
=> --===============0571321618==
=> Content-Type: text/plain; charset="us-ascii"
=> MIME-Version: 1.0
=> Content-Transfer-Encoding: 7bit
=> Content-Disposition: inline
=>
=> ___________________________________________________________________________
=> Philadelphia Linux Users Group         --        http://www.phillylinux.org
=>
=> --===============0571321618==--
=>




___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug



--
Michael Lazin

ASCII ribbon campaign ( )
against HTML e-mail    X
                                    / \
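An added example, not part of the thread and not code from any of the posters: a small sh script that greps IIS W3C-format logs for the indicators the thread is hunting for. It exists because the two things reported above (grep \' finds nothing, the Symantec regex finds nothing) have a common cause: IIS writes the GET query string (cs-uri-query) URL-encoded as the client sent it, so a single quote arrives as %27 and a space as %20 or +, and IIS never writes POST bodies at all. The log lines, server address, client IPs (RFC 5737 test ranges) and the #Fields order are all constructed for the example; the function names sqli_hits and sqli_source_ips are hypothetical.

```shell
#!/bin/sh
# Added example, not from the PLUG thread: grep IIS W3C-format logs for
# SQL-injection indicators. IIS records the GET query string (cs-uri-query)
# URL-encoded as the client sent it and never records POST bodies, so a
# literal grep for ' or -- can come up empty while %27 and %2D%2D are present.

# Constructed sample log (hypothetical server, paths and RFC 5737 test IPs).
# IIS writes User-Agent with spaces replaced by '+', so fields stay space-separated.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2010-03-25 01:02:03 10.0.0.5 GET /products.asp id=42 80 192.0.2.10 Mozilla/4.0+(compatible) 200
2010-03-25 01:02:09 10.0.0.5 GET /products.asp id=42%27%20or%201%3D1-- 80 192.0.2.77 Mozilla/4.0+(compatible) 200
2010-03-25 01:03:15 10.0.0.5 POST /login.asp - 80 192.0.2.10 Mozilla/4.0+(compatible) 200
2010-03-25 01:04:30 10.0.0.5 GET /search.asp q=%27%3Bexec+sp_who-- 80 192.0.2.77 Mozilla/4.0+(compatible) 500
2010-03-25 01:05:00 10.0.0.5 GET /news.asp id=7;drop%20table%20orders-- 80 198.51.100.3 Mozilla/4.0+(compatible) 200
EOF

# Print log lines whose request carries a common SQL-injection indicator.
# Each -e pattern covers the raw form and the URL-encoded form that IIS logs.
# -h drops filename prefixes so the header filter and the field number used
# below hold when several *.log files are passed at once. Header lines
# (#Software, #Fields) are removed by the second grep.
sqli_hits() {
    grep -h -E -i \
        -e "%27|'" \
        -e '%2D%2D|--' \
        -e '(%3B|;)(%20|\+|[[:space:]])*(drop|exec|union|insert|update|delete)' \
        -e 'exec(%20|\+|[[:space:]])+(s|x)p_?[A-Za-z0-9_]+' \
        -e 'union(%20|\+|[[:space:]])+(all(%20|\+|[[:space:]])+)?select' \
        -- "$@" | grep -v '^#'
}

# Rank client IPs by number of flagged requests, which narrows the "295 unique
# IPs" problem to the handful that sent suspicious query strings. c-ip is
# field 8 in the #Fields line above; adjust the column if your order differs.
sqli_source_ips() {
    sqli_hits "$@" | awk '{ print $8 }' | sort | uniq -c | sort -rn
}

echo "== flagged requests =="
sqli_hits "$SAMPLE_LOG"
echo "== client IPs by flagged-request count =="
sqli_source_ips "$SAMPLE_LOG"
```

Run it against real logs with sqli_hits /path/to/*.log. On the regex from the Symantec article: /exec(\s|\+)+(s|x)p\w+/ix is written in Perl (and Snort) delimiter form, so when it is handed to egrep the leading slash and the trailing /ix become literal characters and nothing matches; the egrep equivalent drops them and passes -i for the case-insensitivity flag, i.e. egrep -i 'exec(\s|\+)+(s|x)p\w+' *.log (GNU grep understands \s and \w), with %20 added to the separator group to catch the encoded form. If the injection travelled in a POST body rather than a query string, it is simply not in the IIS logs; the evidence would have to come from SQL Server's own auditing or a proxy that logged request bodies.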