SQL injection + IIS logfiles parsing

During the past 2 weeks, we’ve been hacked at work. SQL injection was the method used and it gave us a little headache at the beginning, but I’ve written a script removing the extra string added in every fields of affected tables. Luckily, it affected only one database on the server. We are now in the process of modifying the code in out pages and there’s heaps to do! Most of the websites are coded in Co ld Fusion few years ago (I am new in the company…), so it’s a pain in the bum, let me tell you…

In the process, I looked through the IIS logfiles using logparser (see at the end for the link) to track down any unusual activities on the website. Log parser is amazingly useful to analyze IIS logfiles.

Once you’ve downloaded and installed logparser 2.2, you can analyze any logfiles generated by IIS.

  1. In IIS, right-click on the website you wish to analyze the logfiles
  2. A new window opens; in the ‘Enable Logging’ section, click Properties
  3. Go in the directory shown at the bottom of this window and copy the logfiles you want into logparser root directory (Usually C:\Program Files\Log Parser 2.2)
  4. Execute logparser; a command prompt window will open
  5. It’s time to run queries to analyze the log files!

Log parser commands are just like SQL commands. This

logparser “SELECT DISTINCT date, cs-uri-stem, c-ip, Count(*), AS Hits, FROM ex*.log GROUP BY date, c-ip, cs-uri-stem HAVING Hits>50 ORDER BY date, c-ip, Hots DESC”

will give a list of the how many times an IP address has hit a file on one day. Only hits over 50 will be displayed.

IIS log files are structured by columns with headers. For example, columns c-ip represents the IP address. To know more on what field to display, just open a logfile into notepad and look the headers.

You can then lookup the IP doing a whois or tracert in the command prompt or just visit a website such as http://cqcounter.com/whois or http://whois.domaintools.com

Log Parser 2.2

http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Advertisements

One thought on “SQL injection + IIS logfiles parsing

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s