| View previous topic :: View next topic |
| Author |
Message |
oldnavy23
Tux's lil' helper
Joined: 09 Jul 2007
Posts: 86
Location: USA
|
 Posted: Wed Jan 09, 2013 6:19 pm Post subject: Bash or Cron Script to check for sql injection |
 |
|
Is there any way i can make a cron script or bash script to run the following and alert me right away or by email me at the end of the day.
also have the date piece change so its always running yesterday's logged info.
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*vchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*bchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*char" /var/log/apache2/access_log
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*=-" /var/log/apache2/access_log
sudo grep -iw "08/jan.*1=1" /var/log/apache2/access_log
sudo grep -iw "08/jan.*exec" /var/log/apache2/access_log
sudo grep -iw "08/jan.*declare" /var/log/apache2/access_log
thanks
oldnavy23 |
|
| Back to top |
|
 |
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21607
|
| Posted: Thu Jan 10, 2013 2:14 am Post subject: |
|
|
| Why you would do this instead of fixing the vulnerability in your web application? Cron automatically e-mails output to a specified address, and can run the command as a user of your choosing. |
|
| Back to top |
|
|
dataking
Apprentice
Joined: 20 Apr 2005
Posts: 251
|
| Posted: Thu Jan 10, 2013 2:43 am Post subject: Re: Bash or Cron Script to check for sql injection |
|
|
| Code: |
#!/bin/bash
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*vchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*bchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*char" /var/log/apache2/access_log
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*=-" /var/log/apache2/access_log
sudo grep -iw "08/jan.*1=1" /var/log/apache2/access_log
sudo grep -iw "08/jan.*exec" /var/log/apache2/access_log
sudo grep -iw "08/jan.*declare" /var/log/apache2/access_log
|
Simple as that (note the "shabang" line at the top). As far as the email part, basically what Hu said, except that it goes to local system mail, not gmail or hotmail or whatever (unless the local mail system is configured to forward to external addresses -- IIRC, this can be done via the /etc/mail/aliases file).
| Hu wrote: | | Why you would do this instead of fixing the vulnerability in your web application? |
Maybe he just wants to check for SQL Injection attempts, and there is no vulnerability in the application? Or he doesn't know about the vulnerability and wants to know when/if he gets pwned?
_________________
-= the D@7@k|n& =- |
|
| Back to top |
|
|
oldnavy23
Tux's lil' helper
Joined: 09 Jul 2007
Posts: 86
Location: USA
|
| Posted: Thu Jan 10, 2013 8:08 pm Post subject: |
|
|
| Well its a 3rd Party app on my server and also how could i also make it so it just shows the day before or do i need to keep editing the file from 08/jan to 09/jan |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21607
|
| Posted: Fri Jan 11, 2013 3:22 am Post subject: Re: Bash or Cron Script to check for sql injection |
|
|
| dataking wrote: | | Code: | #!/bin/bash
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*vchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*bchar" /var/log/apache2/access_log
sudo grep -iw "08/jan.*char" /var/log/apache2/access_log
sudo grep -iw "08/jan.*select" /var/log/apache2/access_log
sudo grep -iw "08/jan.*=-" /var/log/apache2/access_log
sudo grep -iw "08/jan.*1=1" /var/log/apache2/access_log
sudo grep -iw "08/jan.*exec" /var/log/apache2/access_log
sudo grep -iw "08/jan.*declare" /var/log/apache2/access_log
|
|
Please do not advocate something so ugly. First, cron can run the command as a user of sufficient privilege. Second, sudo may require a password, in which case the job would fail with no user around. Third, unless the OP specifically needs to have each search run separately, it would be far better to perform all the searches using a single grep.
| dataking wrote: | | As far as the email part, basically what Hu said, except that it goes to local system mail, not gmail or hotmail or whatever (unless the local mail system is configured to forward to external addresses -- IIRC, this can be done via the /etc/mail/aliases file). |
It goes where you tell it to go. By default, it goes to the local mailbox of the user who owns the crontab. If your crontab specifies to mail the result offsite, and your MDA is configured to support this, then it will happen.
| dataking wrote: | | Hu wrote: | | Why you would do this instead of fixing the vulnerability in your web application? |
Maybe he just wants to check for SQL Injection attempts, and there is no vulnerability in the application? Or he doesn't know about the vulnerability and wants to know when/if he gets pwned? |
Searching for specific blacklisted strings, although marginally effective in detecting canned exploits, is a terrible way to run a security system.
| oldnavy23 wrote: | | also how could i also make it so it just shows the day before or do i need to keep editing the file from 08/jan to 09/jan |
Derive the grep expression from the preceding date. You may find date useful for this.
You may also wish to add -n to your grep call. |
|
| Back to top |
|
|
Mad Merlin
Veteran
Joined: 09 May 2005
Posts: 1155
|
| Posted: Fri Jan 11, 2013 3:44 am Post subject: Re: Bash or Cron Script to check for sql injection |
|
|
| Hu wrote: | | dataking wrote: | | Hu wrote: | | Why you would do this instead of fixing the vulnerability in your web application? |
Maybe he just wants to check for SQL Injection attempts, and there is no vulnerability in the application? Or he doesn't know about the vulnerability and wants to know when/if he gets pwned? |
Searching for specific blacklisted strings, although marginally effective in detecting canned exploits, is a terrible way to run a security system. |
I just want to reiterate this point. Using a naive approach like the above will miss POSTed injections as well as urlencoded injections and other obfuscated attempts, at the very least. Not to mention the fact that you won't be able to tell from the request alone whether or not you were actually exploited, and experience suggests that you will see a lot of noise, even on software you don't have installed. Additionally, it will probably do more harm than good by instilling a false sense of security.
_________________
Game! - Where the stick is mightier than the sword! |
|
| Back to top |
|
|
|
Portage & Programming
