A little over a year ago we started getting hit with sql injection attacks. We have hundreds of sites so we ended up spending weeks patching any holes we could find. Then a few weeks ago we started getting hit again. We've gone through everything we can think of and we can't find anywhere where the person is getting in. Does anyone know if there's a way to write a script for IIS that will allow me to record every url or posted data that IIS encounters? And because we've got so many sites I'm looking to set up something that doesn't have to be set up for each individual site but that I can set up at the root of the IIS tree. Thanks.
+1
A:
You don't need a script for URL data it can logged in the regular IIS logs.
See this article about setting up the logs.
Oded
2010-01-07 13:55:04
+1
A:
The first place too look is the Log files (Assuming you are using IIS 6.0, see here for a tutorial how to find them)
The IIS log does not store posted Data though. Look here for a discussion regarding logging post data.
Manu
2010-01-07 13:56:47
Yes that's a start but again we have to go through each site's log files. It'd be ideal if we could set up something to log all requests so that we only have 1 table of data to search through.
geoff
2010-01-07 13:58:37
You would use logparser to interrogate the files see http://www.securityfocus.com/infocus/1712 for some suggested queries.
blowdart
2010-01-07 14:05:34
Thanks for the link, I'll check that out!
geoff
2010-01-07 14:15:45
+1
A:
As mentioned above, IIS logs all requests to a web site, unless you have unchecked "Enable Logging". You might want to look in to UrlScan 3.0, which also handles possible SQL injection scenarios, see the section entitled "Rule to Block SQL injection Signatures"
RandomNoob
2010-01-07 13:59:58
They also have a data mining section http://learn.iis.net/page.aspx/513/data-mining-urlscan-3x-logs-using-logparser-22/
RandomNoob
2010-01-07 14:04:34