Clarification on IIS reported sql-injection exploits

My post will not get as much press as Slashdot, but here are some postings from sources at MS, including Bill Staples, on the SQL Injection attacks that help clarify things.

Here is a post on forums.iis.net about this topic
http://forums.iis.net/t/1148917.aspx?PageIndex=1

For those who want to use Log Parser to detect from your IIS logs whether you've been hit, here are a few Log Parser examples.

'This lists every request whose query string contains CAST, the marker used by this injection. You can change the wording between the %% to look for a different string.
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%CAST%'" -o:csv

'This will give you the first time your site was hit, if it was hit at all.
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%1.js%'" -o:csv

'Download Log Parser 2.2
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287
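The same check as the Log Parser queries above, written here as an added Python example (not from this post and not part of Log Parser): it reads the W3C field names from the #Fields header, URL-decodes cs-uri-query before matching so an encoded or mixed-case CAST is still caught, and reports the first hit. The log excerpt and the signature list are constructed for the example.

```python
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not real traffic). The second record carries a
# CAST(...) SQL fragment in its query string, URL-encoded as IIS logs it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-04-25 03:12:07 10.0.0.5 GET /products.asp id=17 192.0.2.10 200
2008-04-25 03:12:09 10.0.0.5 GET /products.asp id=17%3BDECLARE+%40s+NVARCHAR%284000%29%3BSET+%40s%3DCAST%280x41+AS+NVARCHAR%284000%29%29 198.51.100.7 500
2008-04-25 03:14:41 10.0.0.5 GET /default.asp - 192.0.2.11 200
"""

# Lower-case substrings to look for after decoding; the post's own markers were
# CAST and 1.js. Treat matches as triage leads, not proof: review each hit.
SIGNATURES = ("cast(", "declare @", "1.js")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # field order can change per header
            continue
        if raw.startswith("#") or not raw.strip():
            continue                          # other directives, blank lines
        if fields is None:
            raise ValueError("log data before #Fields directive")
        values = raw.split(" ")               # W3C values never contain spaces
        if len(values) != len(fields):
            continue                          # skip a truncated or malformed line
        yield dict(zip(fields, values))


def is_suspicious(record, signatures=SIGNATURES):
    """True if the decoded query string contains any signature (case-insensitive)."""
    query = record.get("cs-uri-query", "-")
    if query == "-":                          # IIS writes '-' for an empty field
        return False
    # Decode twice so a double-encoded payload (%2543... -> %43... -> C) is seen too.
    decoded = unquote_plus(unquote_plus(query)).lower()
    return any(sig in decoded for sig in signatures)


def find_hits(text):
    """All suspicious records, in log order."""
    return [rec for rec in parse_w3c(text) if is_suspicious(rec)]


def first_hit(text):
    """'date time' of the earliest suspicious record, or None if there is none."""
    hits = find_hits(text)
    return f"{hits[0]['date']} {hits[0]['time']}" if hits else None
```

Point the functions at the contents of a real ex*.log file to get the same result as the Log Parser queries, plus the decoding the LIKE '%CAST%' match does not do.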

Hope this helps,

Steve Schofield
Microsoft MVP - IIS

Published Saturday, April 26, 2008 5:31 AM by steve schofield

Comments

# re: Clarification on IIS reported sql-injection exploits

Tuesday, April 29, 2008 1:05 PM by rrobbins

Thanks Steve! This is really useful information. I was beginning to get worried that this massive SQL Injection attack was not a wake up call for developers because I was not finding much discussion about it in the blogs and nobody was providing any resources or tips.

# re: Clarification on IIS reported sql-injection exploits

Thursday, May 01, 2008 12:30 AM by steve schofield

My pleasure.  The sql injection is bad coding and Classic ASP was a quick and dirty way of coding.  MS has posted some sample error coding people should look at.  

# re: Clarification on IIS reported sql-injection exploits

Saturday, May 24, 2008 8:50 AM by cnaught

This worked great for me to help figure out the sql injection attack that I have been getting every day now for a week.  I fixed it by making sure there was no ";" or "cast" inside of the variable that is passed in.  But is there a way to universally protect against this form of attack, without me having to change hundreds of SQL statements?

# re: Clarification on IIS reported sql-injection exploits

Saturday, May 24, 2008 12:36 PM by steve schofield

Hi Cnaught,

I'm glad this was helpful.  About changing hundreds of sql statements: the best advice I can offer is to have your sql statements and parameters in code check for bad statements before being submitted to your database.  If you are still unsure, I would check on http://aspadvice.com/lists about techniques to prevent this; I'm not a seasoned enough coder to have had to change an application being exploited like this.

Good luck,

Steve