Home / server / Questions / 498246
Accepted
Frank Martin
Asked: 2013-04-11 18:58:45 +0800 CST

How to check web server logs for SQL injection?

  • 772

If I have a PHP site hosted on Apache and someone hacks it using SQL injection, is there a way I can find out exactly which script caused this by looking at my web server logs?
Or using some other way?

apache-2.2

3 Answers

  1. I've been using this Linux command string to identify possible SQL injections:

    egrep -i '\bUNION\b|\bSELECT\b|\bCHAR\b' $access_log

    You could add in other key terms as well, but those were the ones I was finding in my logs.

    To generate a list of offending IP addresses, get a little fancier:

    egrep -i '\bUNION\b|\bSELECT\b|\bCHAR\b' $access_log | sed -n 's/\([0-9\.]\+\).*/\1/p' | sort | uniq -c

    Which tallies up the offending IPs by the number of instances: 

        335 160.153.153.31
   1197 175.138.67.67
    508 76.72.165.79
    208 92.60.66.184
    111 95.143.64.185
    • 2
  2. Best Answer

    If your web server logs are logging the query parameters, then search for known SQL (e.g. SELECT) through the logs.

    If they're not logging query parameters, then you're unlikely to find anything by searching the logs, rather you'll have to look for patterns - for example a repeated URL that wouldn't normally be repeated.

    • 1

  3. I use a similar approach to Ken, but I prefer awk.

    $ access_logs='/var/log/httpd/*access*log*'
$ grep -E -hi '\bUNION\b|\bSELECT\b|\bCHAR\b' $access_logs | awk '{print $1}' | sort | uniq -c | sort -nr | head

    To get a top 10 IP list. This will also search any old access logs which were gzipped with logrotate.

    • 0