John Sladek on 26 Mar 2010 20:18:20 -0700


Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep

What did dropping the table do to the site?  Did it cause unsuccessful
connections that would have been logged from all IPs?  If so, maybe you
can use them as an indication as to what part of the log you can look at
for the suspect connection.

On Fri, 2010-03-26 at 17:40 -0400, Michael Lazin wrote:
> We have a customer who had an entire table dropped from their MS SQL
> server database; they are running a customer-built ASP site with a
> database backend.  They are blaming us, but 2nd level support believes
> it to be the result of a SQL injection attack.  I have been given the
> unfortunate duty of trying to find the hack.  I do security on the
> Linux servers, but there is no one else here who knows enough about
> logs who could do any better.  I am working under the assumption that
> the attack will show up within the logs as a POST, and it will be a
> 200 (successful connection).  There are 295 unique IPs that have
> passed POST data that are 200s.  I know this from grep and wc -l.
> Anyone know enough about MS logs to give me some hints that might help
> me find the hack with grep?
> -- 
> Michael Lazin
> ASCII ribbon campaign ( )
> against HTML e-mail    X
>                                     / \
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --
> Announcements -
> General Discussion  --

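The two ideas in this thread (John's: find when the site started failing and look just before it; Michael's: narrow to successful POSTs and their client IPs) can be combined into a short grep/awk pass over an IIS log. The script below is an added example written for this page, not code from either poster. It assumes the IIS 6 W3C extended format with the `#Fields:` line shown in the constructed sample (field 4 is cs-method, field 6 is cs-uri-query, field 9 is c-ip, field 11 is sc-status); if the server's `#Fields:` line differs, the column numbers in the awk programs must be adjusted. The function names and the log lines are made up for illustration. One caveat that matters for Michael's assumption: IIS logs record the query string but never the POST body, so an injection carried in a form field leaves only a `POST ... 200` line with no payload, and the timing correlation is then the only handle the log gives you.

```shell
#!/bin/sh
# Constructed sample IIS 6 W3C extended log (not from the original thread).
# User-Agent has its spaces replaced by '+' in real IIS logs, so fields can be
# split on whitespace.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-03-25 13:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-03-25 13:01:02 10.0.0.5 GET /default.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-03-25 13:01:10 10.0.0.5 POST /login.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-03-25 13:01:55 10.0.0.5 POST /search.asp q=widgets 80 - 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-03-25 13:02:15 10.0.0.5 POST /product.asp id=1';DROP+TABLE+orders;-- 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-03-25 13:02:40 10.0.0.5 GET /orders.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 500 0 0
2010-03-25 13:03:01 10.0.0.5 GET /orders.asp - 80 - 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+7.0) 500 0 0
2010-03-25 13:03:30 10.0.0.5 POST /login.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
EOF

# Step 1 (John's suggestion): when did the site break?  Pages that query the
# dropped table start returning 5xx, so the first 5xx is the upper bound on
# the time of the drop.  Prints "date time" of that line.
first_error_time() {
    awk '!/^#/ && $11 ~ /^5/ { print $1, $2; exit }' "$1"
}

# Step 2 (Michael's filter, narrowed by step 1): unique client IPs that made a
# successful POST before the first failure.  Everything after the cutoff can
# be ignored, which is what shrinks the 295-IP list.
#   $1 = log file, $2 = "date time" cutoff from first_error_time
post_200_ips_before() {
    awk -v cutoff="$2" \
        '!/^#/ && $4 == "POST" && $11 == "200" && ($1 " " $2) < cutoff { print $9 }' \
        "$1" | sort -u
}

# Step 3: query strings that look like SQL.  Only the query string is logged,
# so this only catches injection via URL parameters; a payload in the POST
# body is invisible here.  Matches a quote (raw or %27) or a SQL keyword
# followed by an encoded space.  Prints "c-ip cs-uri-query".
suspicious_queries() {
    awk '!/^#/ && $6 != "-" { print $9, $6 }' "$1" \
        | grep -Ei "%27|'|(drop|delete|union|exec|xp_)(\+|%20|%09)"
}

# Stand-alone run: walk the three steps on the sample log.
cutoff="$(first_error_time "$LOG")"
echo "first 5xx at:            $cutoff"
echo "POST/200 IPs before it:  $(post_200_ips_before "$LOG" "$cutoff" | tr '\n' ' ')"
echo "SQL-looking queries:"
suspicious_queries "$LOG"
```

Run it against the real log by replacing the `cat > "$LOG"` block with the path to the `ex*.log` file; on a production-size log, step 2 is the one that pays off, because the cutoff from step 1 throws away every POST made after the table was already gone.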