How to detect hack attempt?

Last Post 14 Apr 2007 04:45 PM by dog_dev. 6 Replies.
dog_dev
New Member

--
09 Apr 2007 03:55 PM
I have had some weirdness in my database. One of my IDs jumped from a six digit number to a 10 digit number overnight. I don't see anything in the server log files that looks unusual. What could have caused this?

Also a company recently copied one of our services and has claimed credit for inventing it. They were all over the site during the same time period we experienced the unexplained jump in the ID. I have downloaded my transaction logs - is there anything there that might be able to tell me what, if anything, happened?

How can you tell if someone has hacked into your database?

Any help would be greatly appreciated.
SwePeso
New Member

--
10 Apr 2007 04:37 AM
For the table with the "ID jump", get the maximum identity value

SELECT MAX(Col1) FROM Table1

to see which is still the largest value. The company might have done only some test (self-insert) and used SET IDENTITY_INSERT Table1 ON momentarily, and forgot to reset the identity value.

Is the MAX value still 6 digit, or 10 digits?
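
The check suggested in the post above, carried through as an added example (not part of the original thread). The table dbo.IdentityJumpDemo and its rows are constructed for illustration; run it in a scratch database on SQL Server 2005 or later.

```sql
-- Constructed demo table (hypothetical name); Col1 mirrors the post's identity column.
CREATE TABLE dbo.IdentityJumpDemo (
    Col1 INT IDENTITY(1, 1) PRIMARY KEY,
    Name VARCHAR(50) NOT NULL
);

-- Normal registrations: identity values 1, 2, 3.
INSERT INTO dbo.IdentityJumpDemo (Name) VALUES ('alice');
INSERT INTO dbo.IdentityJumpDemo (Name) VALUES ('bob');
INSERT INTO dbo.IdentityJumpDemo (Name) VALUES ('carol');

-- One explicit insert with a large value while IDENTITY_INSERT is ON.
SET IDENTITY_INSERT dbo.IdentityJumpDemo ON;
INSERT INTO dbo.IdentityJumpDemo (Col1, Name) VALUES (1000000000, 'explicit');
SET IDENTITY_INSERT dbo.IdentityJumpDemo OFF;

-- The counter now continues from the explicit value: this row gets 1000000001.
INSERT INTO dbo.IdentityJumpDemo (Name) VALUES ('dave');

-- 1. Compare the identity counter with the largest stored value.
SELECT IDENT_CURRENT('dbo.IdentityJumpDemo') AS current_identity,
       (SELECT MAX(Col1) FROM dbo.IdentityJumpDemo) AS max_stored;

-- 2. Same information from DBCC, reported without changing the counter.
DBCC CHECKIDENT ('dbo.IdentityJumpDemo', NORESEED);

-- 3. Rows on either side of each gap, largest gap first.
SELECT t.Col1 AS last_before_gap,
       nxt.first_after_gap,
       nxt.first_after_gap - t.Col1 AS gap_size
FROM dbo.IdentityJumpDemo AS t
CROSS APPLY (SELECT MIN(n.Col1) AS first_after_gap
             FROM dbo.IdentityJumpDemo AS n
             WHERE n.Col1 > t.Col1) AS nxt
WHERE nxt.first_after_gap > t.Col1 + 1
ORDER BY gap_size DESC;

-- Clean up the demo table.
DROP TABLE dbo.IdentityJumpDemo;
```

On a real table, the row returned as first_after_gap is the first record written after the jump; if the table has a creation timestamp column, that row dates the event.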
SQLUSA
New Member

--
10 Apr 2007 04:02 PM
You should set up SQL Profiler.

1. Monitor ServerX into a table on ServerY
2. Monitor 24/7
3. Include all events which may be helpful
4. Block out what you think is safe

Kalman Toth
SQL Server 2005 Training - http://www.sqlusa.com
SwePeso
New Member

--
10 Apr 2007 10:07 PM
3) Which events are they?
4) I have no idea what you mean... Block safe things?

And I don't think this is going to help with what HAS happened.
This helps you for future happenings only.
dog_dev
New Member

--
14 Apr 2007 04:45 PM
I do not have the SQL logs from that date. I do have the transaction log but don't know where or what to look for in a transaction log.

ID is still 10 digits; it auto-increments and I have people registering constantly.

Merge replication is disabled.

They monitored for 24 hours after it happened and nothing.

Server guys have no clue. I had them block all the IPs from the database server and web server.

I found another disturbing incident in my server logs - another company that copied me, redirected traffic to their site from one of my domains and created fake registrations on my site a year or so ago, is at it again apparently - they have been all over my site. They were on my site that same day and somehow got access to my directory structure, then the weirdness with the database happened. Still have no idea what the jump in ID means.

The idiot did all of this from work - I'll be speaking with his employer on Monday.
SQLUSA
New Member

--
17 Apr 2007 01:06 AM
Microsoft recommends to use only stored procedures for server access. No direct queries.

Are you following this?

This is how you would reseed identity:

DBCC CHECKIDENT ('dbo.TableNameX', RESEED, 10000000)


Kalman Toth, Database Architect
SQL Server Training - http://www.sqlusa.com
SwePeso
New Member

--
17 Apr 2007 02:07 AM
quote:

Originally posted by: SQLUSA
Microsoft recommends to use only stored procedures for server access. No direct queries.

Are you following this?

What about VIEWs then? Are they not allowed nor encouraged?



