Troy Sorzano on 27 Mar 2010 04:14:25 -0700



Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep

  • From: Troy Sorzano <tsorzano@expertta.com>
  • To: 'Philadelphia Linux User's Group Discussion List' <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] slightly OT: finding SQL injection in M$ logs with grep
  • Date: Sat, 27 Mar 2010 07:14:40 -0400
  • Accept-language: en-US
  • Acceptlanguage: en-US
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org
  • Thread-index: AcrNLQDNTILn0XtKStqJ14h5DFyhWgAEZOoQABb0TrA=
  • Thread-topic: [PLUG] slightly OT: finding SQL injection in M$ logs with grep

Michael wrote: Friday, March 26, 2010 5:40 PM

>We have a customer who had an entire table dropped from their MS SQL server
>database; they are running a custom-built ASP site with a database backend.

If you have the transaction logs, here is how to read them. PowerPoints make everything look easy.
https://www.blackhat.com/presentations/bh-usa-07/Fowler/Presentation/bh-usa-07-fowler.pdf

http://www.sans.org/reading_room/whitepapers/application/forensic_analysis_of_a_sql_server_2005_database_server_1906?show=1906.php&cat=application

I used to work for a local company that created a database monitoring tool. It is now owned by http://www.nitrosecurity.com/information/products/nitroview-database-monitor/ It was running on MBX hardware with CentOS and, using a mirror port, would sniff all the SQL traffic. It supported MySQL, MS SQL, Oracle and Sybase. It was SQL aware and would parse all the requests into useful log files and alert on suspicious activity. Of course it would only help if it was in place before the table was dropped. There was a default rule for any schema changes to generate alerts. That reminds me, if it was a SQL injection, your IIS's SQL account should not have so many rights.<g>

I have seen SQL injection in the wild. A few years ago I got called in to look at an IIS/SQL box. It had been hit with this http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx Searching the IIS logs for EXEC and the file system for .JS turned up the evidence.

More times than not when a client calls and says "I've been hacked" it turns out to be something else.

Troy
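A scripted version of the log search Troy describes, added here as an example and not part of the thread: it URL-decodes the cs-uri-query field of IIS W3C log lines before matching (a plain grep for EXEC misses %45%58%45%43), requires more than one indicator so that words like "executive" do not trip it, and decodes the 0x hex literal from the DECLARE/CAST/EXEC pattern so the analyst can read what was run. The log lines, IP addresses and the hex payload are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (space-separated, as IIS 6 writes it); not from the thread.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-03-25 13:02:11 10.0.0.5 GET /products.asp id=42 192.0.2.10 200
2010-03-25 13:02:19 10.0.0.5 GET /products.asp id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x44524F50205441424C4520637573746F6D657273%20AS%20VARCHAR(4000));EXEC(@S);-- 198.51.100.7 200
2010-03-25 13:05:40 10.0.0.5 GET /search.asp q=executive%20summary 192.0.2.11 200
"""

# Indicators of the DECLARE / CAST(0x...) / EXEC pattern the thread refers to, matched on the
# URL-decoded query string. Word boundaries keep "exec" from matching "executive".
INDICATORS = {
    "exec": re.compile(r"\bexec\b", re.I),
    "declare": re.compile(r"\bdeclare\b", re.I),
    "cast": re.compile(r"\bcast\s*\(", re.I),
    "hex_blob": re.compile(r"0x[0-9a-f]{16,}", re.I),
    "comment": re.compile(r";\s*--"),
}

def decode_hex_blob(query):
    """Decode the first long 0x... literal so the analyst can read what CAST/EXEC would have run."""
    m = INDICATORS["hex_blob"].search(query)
    if not m:
        return None
    hexstr = m.group(0)[2:]
    if len(hexstr) % 2:          # a trailing stray nibble would make fromhex() raise
        hexstr = hexstr[:-1]
    raw = bytes.fromhex(hexstr)
    text = raw.decode("latin-1")
    # NVARCHAR variants of the same trick are UTF-16LE, which shows up as NUL padding.
    if text.count("\x00") > len(text) // 3:
        text = raw.decode("utf-16-le", errors="replace")
    return text

def scan_iis_log(text):
    """Return [(line_no, client_ip, hit_names, decoded_payload)] for lines with >= 2 indicators."""
    findings, fields = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field names come from the log header itself
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split(" ")))
        query = unquote_plus(row.get("cs-uri-query", ""))
        hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if len(hits) >= 2:                  # one keyword alone is too noisy to flag
            findings.append((n, row.get("c-ip"), hits, decode_hex_blob(query)))
    return findings

if __name__ == "__main__":
    for n, ip, hits, payload in scan_iis_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(hits)} -> {payload!r}")
```

On a real server, feed it the contents of the W3SVC log files instead of SAMPLE_LOG; the #Fields header in each file tells the parser where cs-uri-query sits.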
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug