On Dec 16, 2008, at 5:53 AM, Adriel T. Desautels wrote:
If he's looking to stop attacks then he needs to remove the vector
through which he is being attacked. IPS devices do not remove the
vector, they make an attempt to prevent the vector from being
accessed. While I support the use of properly configured and
maintained IPS technologies, I'd never recommend using them as a
method for remediation because they are only a method for
mitigation. Sure mitigation is great, but it's not a fix.
A lot of good advice has been offered, but in order to spot what
happened, somebody will have to examine the web server logs to look
for evidence of SQL injection or whatever method was used to exploit
With that in mind, here are some examples of SQL injection that might
be useful (from Apache logs):
atta.cker.ip.address www.vulnerableserver.com - [13/Apr/2008:04:23:43 -0800] "GET /index.php?go=detail&id=-99999/**/union/**/??? HTTP/1.1" 200 63919 "-" "libwww-perl/5.811"
atta.cker.ip.address - - [13/Apr/2008:04:23:43 -0800] "GET /? +1)HTTP/1.0" 200 53604 "-" "Opera/9.23 (Windows NT 5.1; U; en)"
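An added example, not part of the original post or the thread, of the log review described above: a small Python scanner that parses Apache combined-format access log lines, URL-decodes the request path (repeatedly, so double-encoded payloads such as %2527 are seen as the quote they become), and flags the kind of indicators visible in the lines quoted above (comment-as-whitespace, UNION SELECT, tautologies). The sample log lines, the documentation-range IP addresses and the indicator names are constructed for illustration and are not real traffic.

```python
"""Scan Apache combined-format access logs for SQL injection evidence.

Added example, not code from the original post. Sample lines, IPs and
indicator names are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus

# One regex for Apache's "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators applied to the *decoded* request path. Labels are our own.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-as-whitespace", re.compile(r"/\*\*/")),
    ("tautology", re.compile(r"\b(?:or|and)\b\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("stacked-query", re.compile(r";\s*(?:drop|insert|update|delete|exec)\b", re.I)),
    ("quote-then-comment", re.compile(r"'\s*(?:--|#|/\*)")),
    ("information-schema", re.compile(r"information_schema", re.I)),
]


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing, so a double-encoded
    payload (%2527 -> %27 -> ') is matched in its final form. The round
    cap keeps pathological input from looping."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse
    (truncated line, different LogFormat, garbage)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sqli_indicators(path):
    """Names of every SQLI_PATTERNS entry that matches the decoded path."""
    decoded = decode_fully(path)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan_log(lines):
    """Return [(fields, indicators)] for each parseable request that trips
    at least one indicator. Lines that fail to parse are skipped, not
    treated as clean; compare len(lines) with the parse count if needed."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        found = sqli_indicators(fields["path"])
        if found:
            hits.append((fields, found))
    return hits


def attackers(hits):
    """Group hits by source host so the vector, the request volume and the
    user agents (e.g. libwww-perl) can be tied to one actor."""
    by_host = {}
    for fields, found in hits:
        entry = by_host.setdefault(
            fields["host"], {"requests": 0, "agents": set(), "indicators": set()}
        )
        entry["requests"] += 1
        entry["agents"].add(fields["agent"])
        entry["indicators"].update(found)
    return by_host


# Constructed sample modelled on the lines quoted in the post; not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Apr/2008:04:23:43 -0800] "GET /index.php?go=detail&id=-99999/**/union/**/select/**/1,2,3 HTTP/1.1" 200 63919 "-" "libwww-perl/5.811"',
    '198.51.100.7 - - [13/Apr/2008:04:23:44 -0800] "GET /index.php?go=detail&id=1%20or%201%3D1 HTTP/1.1" 200 53604 "-" "Opera/9.23 (Windows NT 5.1; U; en)"',
    '203.0.113.9 - - [13/Apr/2008:04:25:01 -0800] "GET /index.php?go=detail&id=42 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2008:04:23:50 -0800] "GET /index.php?go=detail&id=1%2527%2520and%25201%253D1--%2520 HTTP/1.1" 500 0 "-" "libwww-perl/5.811"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for fields, found in hits:
        print(fields["host"], fields["status"], ",".join(found), decode_fully(fields["path"]))
    for host, info in attackers(hits).items():
        print(host, info["requests"], sorted(info["agents"]), sorted(info["indicators"]))
```

The regexes are a triage filter, not proof: a hit tells you which requests and which source to look at first, and a 500 status or an unusually large response size on the same request is the next thing to check. Once a source host is identified, pull every request it made (including the ones that tripped no pattern) to find the first probe and the parameter it targeted; that parameter is the vector that has to be fixed in the application, which an IPS signature will not do for you.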