July 31, 2009 at 2:27 pm
Out website was hacked last week, apparently in the form of a SQL injection. While we are addressing the website issue itself, I want to see what I can do to determine the source of the attack. In fact, I don't know for sure it came through the website.
I'd like to know what my options are with the tools I have. I don't have redgate or anything. Just SQL Server 2005. Do the trans logs tell me who did an insert on a given date? is there a way to search the logs for a certain string? Is there another way other than the logs to see the username of who did a particular insert, update, or even a select?
July 31, 2009 at 3:18 pm
You might want to look at this freebe from Microsoft:
Log Parser 2.2 available from:
Microsofts description
Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.
July 31, 2009 at 3:48 pm
If it was a SQL injection attack your log perusing should show the login that peformed the offending action was the login you have your website using to connect to SQL server. You will need some form of connection logging from the web side (or if connections are logged on the SQL side) in order to track who did what beyond that generic login.
So basically if the command was a sql injection attack unless you log the commands sent from the web app somewhere and can tie those commands back to session ids and inbound IPs you might not be able to track this.
Just some thoughts as you go forward. I assume your company is doing everything it can to harden it's text inputs exposed to the web now? If so, have them include some web session and ip logging when suspect values are passed through. That way if you can't track it down this time you will at least be ready when they attack again.
July 31, 2009 at 3:58 pm
As a preventative measure, you may want to take a look at the freely available SQL Server Injection detection tool, Scrawlr, available from the clever chaps at HP.
August 1, 2009 at 9:12 am
These are all great suggestions, folks! Thanks very much!
August 4, 2009 at 12:45 pm
BenBooth (7/31/2009)So basically if the command was a sql injection attack unless you log the commands sent from the web app somewhere and can tie those commands back to session ids and inbound IPs you might not be able to track this.
Yes, but we are looking for hard evidence that this was, in fact, a SQL injection attack thru the website. There's always the possibility it was an ex-employee remoting in or somesuch thing. If I could see that the website login was involved, I wouldn't be able to see which web user it was, but at least I'd know how it was done.
August 4, 2009 at 12:46 pm
bitbucket (7/31/2009)
You might want to look at this freebe from Microsoft:Log Parser 2.2 available from:
Microsofts description
Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.
I couldn't make heads or tails of it.
August 4, 2009 at 12:46 pm
John Sansom (7/31/2009)
As a preventative measure, you may want to take a look at the freely available SQL Server Injection detection tool, Scrawlr, available from the clever chaps at HP.
That page has a download link which doesn't work.
August 4, 2009 at 1:55 pm
middletree (8/4/2009)
John Sansom (7/31/2009)
As a preventative measure, you may want to take a look at the freely available SQL Server Injection detection tool, Scrawlr, available from the clever chaps at HP.That page has a download link which doesn't work.
Lesson number one, never give up at the first hurdle.......
Here is what a little google time came up with
August 5, 2009 at 2:30 am
It might also be worth checking your web logs as query string parameters can also be vulnerable to SQL injection.
Try a search for apostrophes or any SQL keywords.
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply