Clarification on IIS reported sql-injection exploits

My post will not get as much press as Slashdot, but here is some postings from sources at MS, including Bill Staples on the SQL Injection attacks that help clarify things.



Here is a post on forums.iis.net about this topic
http://forums.iis.net/t/1148917.aspx?PageIndex=1


For those who want to use Log parser to detect in your IISLogs if you’ve been hit, here are a few log parser examples.


‘This will find all webpages that had sql injection.  You can change the wording between the %% to look for a different string
logparser -i:iisw3c “select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like ‘%CAST%'” -o:csv

‘This will give you the first time your site was hit, if applicable. 
logparser -i:iisw3c “select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like ‘%1.js%'” -o:csv

‘Download Log Parser 2.2
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287

Hope this helps,


Steve Schofield
Microsoft MVP – IIS

Script to pull Windows Server 2008 servers AD and log to a text file

Here is a script to pull all Windows Server 2008 servers out of your Active Directory and log to a text file.  Just change the LDAP string.


Const ADS_SCOPE_SUBTREE = 2
Set fso = Wscript.CreateObject(“Scripting.FileSystemObject”)
Set objConnection = CreateObject(“ADODB.Connection”)
Set objCommand = CreateObject(“ADODB.Command”)
objConnection.Provider = “ADsDSOObject”
objConnection.Open “Active Directory Provider”


Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    “SELECT Name FROM ‘LDAP://DC=example,DC=com’ WHERE objectClass=’computer’ ” & _
        “and operatingSystemVersion = ‘6.0 (6001)'” 
objCommand.Properties(“Page Size”) = 1000
objCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst


Do Until objRecordSet.EOF
    Wscript.Echo “Computer Name: ” & objRecordSet.Fields(“Name”).Value
    LogInfo objRecordSet.Fields(“Name”).Value
    objRecordSet.MoveNext
Loop


set objCommand = Nothing
set objRecordset = Nothing
set objConnection = Nothing



‘ —————————————————————————————
‘ |                                 Loginfo     |
‘ —————————————————————————————


Sub LogInfo(strResult)
 dim objFile, fso2
 objFile = “output.txt”
 If fso.FileExists(objFile) Then
  Set objFile = fso.OpenTextFile(objFile, 8)
  objFile.WriteLine strResult
 Else
  Set objFile = fso.CreateTextFile(objFile, True)
  objFile.WriteLine strResult
 End If
 objFile.close
 Err.clear
End Sub


 

IIS7 – post #65 – IIS Manager extensibility experiences

I’m attempting to write a plugin for the product I developed to handle IIS and related log files.  http://www.iislogs.com   Right now, the way you manage IISLogs is using a Winforms application or updating the config file directly.   Microsoft has made it so you can extend IIS Manager.  The winforms tool that you use to manage IIS 7.0.  While I’m still in the research phase, I wanted to pass along a couple links and one bit of advice.  I must say, once I get all the moving pieces down, this should be pretty neat.  I have no timeline for when the tool will be done, but I’m betting it’ll be an adventure.  Stay tuned.


Here are a couple articles on IIS 7 extensibility



One tip to pass along from Thomas Deml


http://blogs.iis.net/thomad


When adding your declaration in %windir%\system32\inetsrv\config\administration.config.  Make sure to format it like 
“type=”<namespace>.<classname>,<assemblyname> …”

Here is an example
<add name=”imageCopyrightUI” type=”IIS7Demos.imageCopyrightUIProvider, IIS7Demos, Version=1.0.0.0, Culture=neutral, PublicKeyToken=3fd9bd5e992ee757″/>


The namespace and file name would be IIS7Demos.  The class name would be imageCopyrightUIProvider


For those looking for further assistance about IIS 7.0 extensibility, check out the forum at
http://forums.iis.net/1042.aspx


Cheers,


Steve Schofield
Microsoft MVP – IIS