April 2008 - Posts

Clarification on IIS reported sql-injection exploits
26 April 08 05:31 AM | steve schofield | 4 comment(s)

My post will not get as much press as Slashdot, but here is some postings from sources at MS, including Bill Staples on the SQL Injection attacks that help clarify things.

• http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx
• http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx
• http://it.slashdot.org/article.pl?no_d2=1&sid=08/04/25/1358234
• http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx (Sample ASP debugging code)

• http://hackademix.net/2008/04/26/mass-attack-faq

Here is a post on forums.iis.net about this topic
http://forums.iis.net/t/1148917.aspx?PageIndex=1

For those who want to use Log parser to detect in your IISLogs if you've been hit, here are a few log parser examples.

'This will find all webpages that had sql injection.  You can change the wording between the %% to look for a different string
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%CAST%'" -o:csv

'This will give you the first time your site was hit, if applicable. 
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%1.js%'" -o:csv

'Download Log Parser 2.2
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287

Hope this helps,

Steve Schofield
Microsoft MVP - IIS

Going to the MVP summit - April 13th to April 18th
12 April 08 05:09 AM | steve schofield | with no comments

If you are an MVP, I'll be in Seattle / Redmond staying at the Sheraton for the 2008 MVP summit.  See you there!

Steve Schofield
Microsoft MVP - IIS

Script to pull Windows Server 2008 servers AD and log to a text file
08 April 08 09:59 PM | steve schofield | with no comments

Here is a script to pull all Windows Server 2008 servers out of your Active Directory and log to a text file.  Just change the LDAP string.

Const ADS_SCOPE_SUBTREE = 2
Set fso = Wscript.CreateObject("Scripting.FileSystemObject")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://DC=example,DC=com' WHERE objectClass='computer' " & _
        "and operatingSystemVersion = '6.0 (6001)'" 
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    LogInfo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

set objCommand = Nothing
set objRecordset = Nothing
set objConnection = Nothing

' ---------------------------------------------------------------------------------------
' |                                 Loginfo     |
' ---------------------------------------------------------------------------------------

Sub LogInfo(strResult)
 dim objFile, fso2
 objFile = "output.txt"
 If fso.FileExists(objFile) Then
  Set objFile = fso.OpenTextFile(objFile, 8)
  objFile.WriteLine strResult
 Else
  Set objFile = fso.CreateTextFile(objFile, True)
  objFile.WriteLine strResult
 End If
 objFile.close
 Err.clear
End Sub

 

IIS7 - post #66 - Installing PERL on IIS 7.0
06 April 08 12:36 AM | steve schofield | with no comments

Here are three links that discuss installing how-to install PERL on IIS 7.0.

http://www.freenetbuilders.com/index.php?option=com_content&task=view&id=52&Itemid=54

http://forums.iis.net/t/1146580.aspx?PageIndex=1

http://forums.iis.net/t/1146580.aspx?PageIndex=2

 

Filed under: IIS, perl