
How to find out if an SQL-injection attack happens

my website runs too slow...

         

guarriman

2:40 pm on Jul 12, 2007 (gmt 0)


Hi.

Using PHP+MySQL scripts, I'm suffering severe slowness on my site.

Some months ago, I found an SQL-injection vulnerability in my code, but I patched it.

How can I find out if another SQL-injection situation is happening right now?

Thank you very much.

bcolflesh

2:45 pm on Jul 12, 2007 (gmt 0)


Review your server logs.

Gian04

3:46 pm on Jul 12, 2007 (gmt 0)


May I know what part of the server logs would show that an injection happens?

guarriman

3:53 pm on Jul 12, 2007 (gmt 0)


I modified my '/etc/my.cnf' file and included:
-----
log=/usr/local/mysql/log/log-file.log
------

It's been loading with tons of queries :)

PHP_Chimp

4:25 pm on Jul 12, 2007 (gmt 0)


You would be looking at the requested URL.

i.e.

if you get someone requesting a page like
yoursite.tld/somepage?id=hi' or 1=1--

anything that looks odd is something that you should look into. There are a lot of good articles on SQL injection on the web, just search for them and have a read.

jatar_k

4:58 pm on Jul 12, 2007 (gmt 0)


A slow site does not really mean injection; that would actually be pretty low on the list of things I would look at.

If you want to look for injection attempts, log all user-submitted data.
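
The two checks suggested in the replies above (reviewing requested URLs in the server logs and inspecting user-submitted data), as an added example that is not part of any poster's message: a small scanner that decodes each query-string parameter in an access-log line and flags values such as the `id=hi' or 1=1--` request quoted earlier. The rule set, the sample log lines and the function names are assumptions made for illustration; treat hits as leads for manual review.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "common"/"combined" line; the request target may hold raw spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')

# Assumed heuristics for manual review, not a complete or blocking rule set.
RULES = {
    "quote-boolean": re.compile(r"""['"]\s*(?:or|and)\b.*?(?:=|\blike\b)""", re.I),
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "sql-comment": re.compile(r"(?:--|#|/\*)\s*$"),
    "time-delay": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}

def scan_line(line):
    """Return one finding per query parameter that trips at least one rule."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again to expose double encoding.
        value = unquote_plus(value)
        rules = sorted(r for r, rx in RULES.items() if rx.search(value))
        if rules:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "param": name, "value": value, "rules": rules})
    return findings

def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for line in lines for f in scan_line(line)]

# Constructed sample lines (documentation IP ranges, made-up page name).
SAMPLE = """\
198.51.100.4 - - [12/Jul/2007:14:41:10 +0000] "GET /somepage?id=42&q=o'reilly+books HTTP/1.1" 200 4311
203.0.113.7 - - [12/Jul/2007:14:42:03 +0000] "GET /somepage?id=hi'%20or%201=1-- HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jul/2007:14:42:05 +0000] "GET /somepage?id=hi' or 1=1-- HTTP/1.1" 400 226
203.0.113.7 - - [12/Jul/2007:14:42:09 +0000] "GET /somepage?id=hi%2527%2520or%25201%253D1-- HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["ip"], f["status"], f["param"], repr(f["value"]), f["rules"])
```

Access logs normally record only the URL, so POST bodies and cookies need application-side logging to be covered by the same check.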

Gian04

5:03 pm on Jul 12, 2007 (gmt 0)


I have seen this on my AWStats Search Keyphrases (Top 10):

ehruszo¦8.7 gxovchalp¦89%2h000%2p207%5e95 sovdotulj¦bhuhvcxnf vyhlncfhqhbw¦qx dkwnjoti¦xoe a-kxdq-xbhr-rpbnhav¦wcps-dphnv%4b pxcinvl oqplngcpu¦ia_ftop axnuy¦rjjz bhsuszo¦gr0 3193960036128- ehruszo¦8.7 cmejyqrg¦h99e9d55c7395673d659m9955045m9b0 zl¦81 ru¦13 z-tocs-xsgb-iodmhru¦ftou-dggxe pxcinvl$$a77f59762940353feafef220152d0938

Is this an injection?