My post will not get as much press as Slashdot, but here are some postings from sources at MS, including Bill Staples, on the SQL injection attacks that help clarify things.
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx (Sample ASP debugging code)
Here is a post on forums.iis.net about this topic
For those who want to use Log Parser to check your IIS logs for signs that you've been hit, here are a few Log Parser examples.
'This will find all web pages that were requested with the SQL injection string in the query. You can change the text between the % signs to look for a different string.
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%CAST%'" -o:csv
'This will give you the first time your site was hit, if applicable.
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%1.js%'" -o:csv
Download Log Parser 2.2
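An added example, not part of the original post: the same two checks written as a small Python scanner for IIS W3C logs. It goes slightly beyond the queries above by URL-decoding cs-uri-query before matching, so an encoded %43AST( is still found and a word like "podcast" is not flagged. The log lines, IP addresses, the bad.example host, and the function and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log, not real traffic; the injected value is a non-functional placeholder.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-04-20 10:01:02 GET /news.asp page=podcast 192.0.2.10 200
2008-04-21 03:15:40 GET /item.asp id=7;SET%20@S=%43AST(0x00%20AS%20VARCHAR(100)) 192.0.2.77 500
2008-04-22 08:00:00 GET /item.asp id=9&ref=http://bad.example/1.js 192.0.2.78 200
"""

# Assumed rules: the two strings the queries above search for, tightened so that
# "cast" must be a function call and does not fire on words such as "podcast".
RULES = {
    "cast": re.compile(r"\bcast\s*\(", re.IGNORECASE),
    "1.js": re.compile(r"\b1\.js\b", re.IGNORECASE),
}

def scan(lines, rules=RULES):
    """Return one dict per request whose decoded cs-uri-query matches a rule."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip directives and rows with no known layout
        row = dict(zip(fields, line.split(" ")))
        decoded = unquote_plus(row.get("cs-uri-query", "-"))  # %43AST( becomes CAST(
        for name, pattern in rules.items():
            if pattern.search(decoded):
                hits.append({"rule": name, "date": row.get("date", ""),
                             "time": row.get("time", ""), "ip": row.get("c-ip", ""),
                             "stem": row.get("cs-uri-stem", ""), "query": decoded})
    return hits

def first_hit(hits):
    """Earliest matching request, or None if the log is clean."""
    return min(hits, key=lambda h: (h["date"], h["time"]), default=None)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["date"], h["time"], h["ip"], h["stem"], h["rule"], h["query"])
    print("first hit:", first_hit(found))
```

To run it against a real log, pass an open file object to `scan()` instead of `SAMPLE_LOG.splitlines()`.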
Hope this helps,
Microsoft MVP – IIS
4 thoughts on “Clarification on IIS reported sql-injection exploits”
Thanks Steve! This is really useful information. I was beginning to get worried that this massive SQL Injection attack was not a wake-up call for developers because I was not finding much discussion about it in the blogs and nobody was providing any resources or tips.
My pleasure. The SQL injection is bad coding and Classic ASP was a quick and dirty way of coding. MS has posted some sample error coding people should look at.
This worked great for me to help figure out the SQL injection attack that I have been getting every day now for a week. I fixed it by making sure there was no “;” or “cast” inside of the variable that is passed in. But is there a way to universally protect against this form of attack, without me having to change hundreds of SQL statements?
I’m glad this was helpful. About changing hundreds of SQL statements: the best advice I can offer is to have your SQL statements and parameters in code checked for bad statements before being submitted to your database. If you are still unsure, I would check on http://aspadvice.com/lists about techniques to prevent this; I’m not a seasoned enough coder to have to change an application being exploited like this.