Troy Sorzano on 26 Mar 2010 16:46:20 -0700



Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep

  • From: Troy Sorzano <tsorzano@expertta.com>
  • To: 'Philadelphia Linux User's Group Discussion List' <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep
  • Date: Fri, 26 Mar 2010 19:46:34 -0400
  • Accept-language: en-US
  • Acceptlanguage: en-US
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org
  • Thread-index: AcrNLQDNTILn0XtKStqJ14h5DFyhWgAEX9oA
  • Thread-topic: [PLUG] slightly OT: finding SQL injection in M$ logs with grep

From: plug-bounces@lists.phillylinux.org [mailto:plug-bounces@lists.phillylinux.org] On Behalf Of Michael Lazin
Sent: Friday, March 26, 2010 5:40 PM
To: Philadelphia Linux User's Group Discussion List
Subject: [PLUG] slightly OT: finding SQL injection in M$ logs with grep


We have a customer who had an entire table dropped from their MS SQL server database; they are running a custom-built ASP site with a database backend. They are blaming us, but 2nd level support believes it to be the result of a SQL injection attack. I have been given the unfortunate duty of trying to find the hack. I do security on the Linux servers, but there is no one else here who knows enough about logs who could do any better. I am working under the assumption that the attack will show up within the logs as a POST, and it will be a 200 (successful connection). There are 295 unique IPs that have passed post data that are 200s. I know this from grep and wc -l. Anyone know enough about MS logs to give me some hints that might help me find the hack with grep?

-- 
Michael Lazin

ASCII ribbon campaign ( )
 against HTML e-mail   X
                      / \
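One caveat worth knowing before grepping: IIS W3C logs record the query string (cs-uri-query) but never the POST body, so an injection only shows up if it travelled in the URL. The script below is an added example, not something posted in this thread; it decodes the usual URL encodings, greps constructed sample log lines for SQL markers, and lists the client IPs behind the hits. The "#Fields:" order, the IPs and the paths are all made-up assumptions about what this customer's logs look like.

```shell
#!/bin/sh
# Added example (not from the thread): flag IIS W3C log lines whose query
# string carries SQL-injection markers, then list the client IPs involved.
# The field order below is an assumption; read it off the real "#Fields:" line.

# Constructed sample log (IPs, paths and user agents are made up).
SAMPLE_LOG="$(cat <<'EOF'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-03-20 14:02:11 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2010-03-20 14:02:13 10.0.0.5 GET /products.asp id=12%27%3BDROP+TABLE+orders-- 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2010-03-20 14:03:40 10.0.0.5 GET /products.asp id=12 80 - 198.51.100.3 Mozilla/4.0 200 0 0
2010-03-20 14:05:02 10.0.0.5 GET /search.asp q=%27+OR+1%3D1-- 80 - 203.0.113.7 Mozilla/4.0 500 0 0
2010-03-20 14:06:10 10.0.0.5 GET /news.asp id=7+union+select+1,2,3 80 - 192.0.2.9 Mozilla/4.0 200 0 0
EOF
)"
LOGFILE="$(mktemp)"
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

# Undo the encodings IIS and browsers apply so one regex sees raw and encoded forms alike.
decode_query() {
    sed -e 's/+/ /g' -e "s/%27/'/g" -e 's/%3[Bb]/;/g' -e 's/%3[Dd]/=/g' \
        -e 's/%2[Dd]/-/g' -e 's/%20/ /g'
}

# find_sqli FILE: print "status client_ip method uri_stem query" for suspicious lines.
# Fields are pulled out before decoding, because decoded spaces would shift awk's columns.
find_sqli() {
    grep -v '^#' "$1" \
      | awk '{ print $11, $9, $4, $5, $6 }' \
      | decode_query \
      | grep -iE "('|;|--|/\*|\<(union|select|drop|insert|delete|exec)\>)"
}

# suspect_ips FILE: the unique client IPs behind the flagged requests.
suspect_ips() {
    find_sqli "$1" | awk '{ print $2 }' | sort -u
}

find_sqli "$LOGFILE"
suspect_ips "$LOGFILE"
```

Expect false positives from legitimate apostrophes in search terms; once the list is short, narrow it further with something like `awk '$1 == 200'` on the output to match the 200-only assumption above.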

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug