Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep
|
- From: Troy Sorzano <tsorzano@expertta.com>
- To: 'Philadelphia Linux User's Group Discussion List' <plug@lists.phillylinux.org>
- Subject: Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep
- Date: Fri, 26 Mar 2010 19:58:41 -0400
- Accept-language: en-US
- Acceptlanguage: en-US
- Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
- Sender: plug-bounces@lists.phillylinux.org
- Thread-index: AcrNLQDNTILn0XtKStqJ14h5DFyhWgAEZOoQ
- Thread-topic: [PLUG] slightly OT: finding SQL injection in M$ logs with grep
On Friday, March 26, 2010 at 5:40 PM, Michael wrote:
>We have a customer who had an entire table dropped from their MS SQL server
>database, they are running a customer built ASP site with database backend.
You might want to start with the transaction logs from the SQL server. You can find the DROP TABLE in that and get the time stamp. Then check the IIS logs.
Unless you have other "hacking" evidence it may have been a Jr. SQL developer with fat fingers. The SQL server log will let you know the account that ran the command. Was it the same account that IIS uses?
In the IIS logs you can look for
drop (like JP suggested)
EXEC
xp_cmdshell
SELECT
INSERT
DELETE
No SQL commands should be in a clean IIS log.
Was any malware or root kits found on the server?
Were any new files within the last few weeks found on the IIS server, like EXE, BAT, CMD, PS, VBA, VB, VBS, JS, COM, SQL?
Troy
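The keyword grep over the IIS logs described above, worked through as an added example that is not part of Troy's post. It is a bash script run over constructed IIS W3C log lines (the field order is the one declared in the sample's #Fields line; the dates, IPs and query strings are made up). Two details matter in practice: the cs-uri-query field is URL-decoded before matching, because a raw grep for "EXEC " will never see "%20EXEC%20", and only the query field is searched, so a page named select-plan.asp does not trip the "select" keyword. The function names urldecode and sql_hits are this example's own.

```shell
#!/bin/bash
# Added example, not from the original post. Constructed IIS W3C log sample;
# the #Fields directive gives the column order used by sql_hits below.
IIS_SAMPLE='#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-03-20 14:02:11 10.0.0.5 GET /products.asp id=42 80 - 203.0.113.9 Mozilla/4.0 200
2010-03-20 14:02:19 10.0.0.5 GET /products.asp id=42;DROP+TABLE+orders-- 80 - 203.0.113.9 Mozilla/4.0 500
2010-03-20 14:03:02 10.0.0.5 GET /products.asp id=1%27%20EXEC%20master..xp_cmdshell%20%27dir%27-- 80 - 203.0.113.9 Mozilla/4.0 500
2010-03-20 14:05:44 10.0.0.5 GET /select-plan.asp plan=gold 80 - 198.51.100.7 Mozilla/4.0 200
2010-03-20 14:06:10 10.0.0.5 GET /search.asp q=delete+my+account 80 - 198.51.100.7 Mozilla/4.0 200'

# The keyword list from the post, as a case-insensitive grep alternation.
SQL_KEYWORDS='drop|exec|xp_cmdshell|select|insert|delete'

# urldecode: '+' becomes a space, then each %XX is turned into a \xXX escape
# and expanded by printf %b. A stray '%' not followed by two hex digits is
# left as a literal "\x" sequence, which is acceptable for log triage.
urldecode() {
  local s="${1//+/ }"
  printf '%b' "${s//%/\\x}"
}

# sql_hits: read IIS W3C log text on stdin and print
#   "date time c-ip decoded-query"
# for every line whose cs-uri-query contains one of the keywords as a whole
# word (grep -w), after URL-decoding. Directive lines starting with '#' and
# blank lines are skipped. Only the query field is inspected, so keywords
# that happen to appear in a page name (/select-plan.asp) are not flagged.
sql_hits() {
  local date time sip method stem query port user cip rest decoded
  while read -r date time sip method stem query port user cip rest; do
    case "$date" in '#'*|'') continue ;; esac
    decoded=$(urldecode "$query")
    if printf '%s\n' "$decoded" | grep -Eiqw "$SQL_KEYWORDS"; then
      printf '%s %s %s %s\n' "$date" "$time" "$cip" "$decoded"
    fi
  done
}

# Stand-alone run over the constructed sample. On a real server:
#   sql_hits < u_ex100320.log
printf '%s\n' "$IIS_SAMPLE" | sql_hits
```

Three of the five sample lines are reported: the DROP TABLE line, the EXEC master..xp_cmdshell line, and "q=delete my account", which is an ordinary search string that happens to contain a keyword. That last one is why the keyword hits should be lined up against the DROP TABLE timestamp from the SQL Server transaction log rather than treated as proof on their own. One caveat the grep cannot help with: IIS logs record cs-uri-query but not POST bodies, so injection sent through a form post leaves no SQL in the IIS log at all.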
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug