You might consider restoring a copy of a recent backup, then comparing against known records that shouldn't have changed (for example comment records)
On Wed, Oct 21, 2009 at 4:04 PM, Mosh Teitelbaum <mosh.teitelb...@evoch.com>wrote: > > Andy: > > Unfortunately, I don't have the SQL Injection code. From what I can > gather, > the attack resulted in a whole bunch of copies of some PHP code that > essentially gives the user access to both the file system and the database. > I'm still working on getting the log files from the web host (FTP is down > for some reason) but with the PHP files, they could have changed the > database without having to do so via the URL. > > -- > Mosh Teitelbaum > evoch, LLC > Tel: (301) 942-5378 > Fax: (301) 933-3651 > Email: mosh.teitelb...@evoch.com > WWW: http://www.evoch.com/ > > > > -----Original Message----- > > From: Andy Matthews [mailto:li...@commadelimited.com] > > Sent: Wednesday, October 21, 2009 3:49 PM > > To: cf-talk > > Subject: RE: After the fact: SQL Injection Scanner > > > > > > Mark's right. If you have the SQL injection code, you can essentially > > reverse engineer it and use it as a blueprint to fix the problems. > > > > > > andy > > > > -----Original Message----- > > From: Mosh Teitelbaum [mailto:mosh.teitelb...@evoch.com] > > Sent: Wednesday, October 21, 2009 2:10 PM > > To: cf-talk > > Subject: After the fact: SQL Injection Scanner > > > > > > All: > > > > > > > > A client called today letting me know that their server had been > > breached > > and that some malicious code had been uploaded to the site. After > > doing > > some research into the particular files that were uploaded, it turns > > out > > that the attack is also usually accompanied by a SQL Injection attack. > > Their database is huge and, instead of manually going through the > > database > > looking for altered records, I thought to write some code that would > > scan > > the records and report any potential problems. Before doing that, does > > anyone know of any existing code that does that? > > > > > > > > Thanks in advance. > > > > > > > > -- > > > > Mosh Teitelbaum > > > > evoch, LLC > > > > Tel: (301) 942-5378 > > > > Fax: (301) 933-3651 > > > > WWW: http://www.evoch.com/ > > > > > > > > > > > > > > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327470 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
