Troy Sorzano on 27 Mar 2010 04:14:25 -0700
Michael wrote: Friday, March 26, 2010 5:40 PM
> We have a customer who had an entire table dropped from their MS SQL server
> database, they are running a customer-built ASP site with database backend.

If you have the transaction logs, here is how to read them. PowerPoints make everything look easy.

https://www.blackhat.com/presentations/bh-usa-07/Fowler/Presentation/bh-usa-07-fowler.pdf
http://www.sans.org/reading_room/whitepapers/application/forensic_analysis_of_a_sql_server_2005_database_server_1906?show=1906.php&cat=application

I used to work for a local company that created a database monitoring tool. It is now owned by http://www.nitrosecurity.com/information/products/nitroview-database-monitor/

It was running on MBX hardware with CentOS and, using a mirror port, would sniff all the SQL traffic. It supported MySQL, MS SQL, Oracle and Sybase. It was SQL-aware and would parse all the requests into useful log files and alert on suspicious activity. Of course it would only help if it was in place before the table was dropped. There was a default rule for any schema changes to generate alerts.

That reminds me, if it was a SQL injection your IIS's SQL account should not have so many rights. <g>

I have seen SQL injection in the wild. A few years ago I got called in to look at an IIS/SQL box. It had been hit with this: http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

Searching the IIS logs for EXEC and the file system for .JS turned up the evidence.

More times than not, when a client calls and says "I've been hacked" it turns out to be something else.
Troy

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
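The log search Troy describes, as an added example that is not part of the thread: instead of grepping IIS logs for the bare word EXEC (which also matches ordinary requests), match the full DECLARE/CAST(0x...)/EXEC shape of the ASCII-encoded injection and decode the hex payload so the analyst can see what was actually sent. The log lines, IP addresses and payload are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed payload: the attack encodes its SQL as a hex string cast to NVARCHAR
# (UTF-16LE). This harmless statement stands in for whatever the attacker sent.
CONSTRUCTED_PAYLOAD = "UPDATE notes SET body=body+'constructed-marker'"
PAYLOAD_HEX = CONSTRUCTED_PAYLOAD.encode("utf-16-le").hex().upper()

# Constructed IIS W3C log excerpt (not from the original post). Line 3 carries the
# encoded injection; line 4 contains "exec" in an ordinary search query.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-03-20 10:01:02 192.0.2.10 GET /default.asp id=42 200
2010-03-20 10:01:05 192.0.2.77 GET /products.asp id=42;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(0x{hex}+AS+NVARCHAR(4000));EXEC(@S);-- 500
2010-03-20 10:02:11 192.0.2.10 GET /search.asp q=exec+summary 200
""".format(hex=PAYLOAD_HEX)

# DECLARE @var ... CAST(0x<hex> AS [N]VARCHAR ... EXEC(  -- group 1 = hex, group 2 = "N" or ""
INJECTION_RE = re.compile(
    r"DECLARE\s+@\w+.*?CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR.*?EXEC\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def find_injections(log_text):
    """Return (log_line_no, client_ip, decoded_sql) for each request matching the pattern."""
    hits = []
    fields = None
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # W3C header names the columns
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                            # malformed line; skip rather than guess
        rec = dict(zip(fields, parts))
        query = unquote_plus(rec.get("cs-uri-query", ""))  # '+' and %xx decoded first
        m = INJECTION_RE.search(query)
        if not m:
            continue
        hexstr, is_nvarchar = m.group(1), bool(m.group(2))
        if len(hexstr) % 2:                     # odd-length hex cannot be decoded
            hits.append((n, rec["c-ip"], "<undecodable hex: " + hexstr + ">"))
            continue
        raw = bytes.fromhex(hexstr)
        decoded = raw.decode("utf-16-le" if is_nvarchar else "latin-1", errors="replace")
        hits.append((n, rec["c-ip"], decoded))
    return hits
```

Running find_injections over a real log directory is the same loop fed file by file; the decoded statement is what tells you whether the request was a probe or a successful schema or data change.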