Tracking a Sql Injection Attack
Thursday, 14 June 2007
Another day at work, A simple line of code:
Did quite a bit of damage updating an entire column with the hackers link.
Well our job was to identify the attacker. and we did it.
First we had to know the precise data and time. ref
Well the attack update a SQL database, first we searched SQL logs and server events but nothing.
The only way was to read the transaction logs, where SQL has register every single actions performed into the DB.
All we needed was a way to read that DB transaction log database.ldf file.
The program called ApexSQL log did the job quite well. We were able to get the date and time of the update.
Now is the time to search IIS logs. Not so difficult, we looked that day and time and wolla:
tipo=offerta&id=12update+offerte+set+titolo=’hackckersite.org/”>
So we identify the hacker IP, if he was not smart enoguh to use a proxy!
At this point we contact their ISP and inform about the activity.