3

I am using SQL Server 2012 on Windows Datacenter 2012.

I have encountered a situation where I think some virus/SQL injection has hurt my database.

Some data in my table had changed to weird links, and it was 100% not coming from my system.

I wish to know what is the best way to track the origin of this change. Is there a way to look in the transaction logs and check which IP/machine changed a table, and what the changes were?

Thanks.

EDIT :

Maybe there is some software like Fiddler/Wireshark that can trace the SQL queries that are being sent to a server?

Matan L

3 Answers

1

SQL injection is hard to track from the SQL Server side. If you want to find out who changed what, then some sort of tracing should be running on your server.

If no tracing (custom one implemented by your company DBA or sysadmin) is running, then you can check

The above are a few areas to look into, but it will be difficult for you to correlate and find a pattern.

Best is to scan your web-server IIS error logs using tools like LogParser.

Additional References :

Kin Shah
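Added example, not part of the answer above and not any tool's own code: a Python sketch of the kind of IIS log scan the answer suggests (the answer names LogParser; this uses plain Python instead). It flags requests whose decoded query string looks like injected SQL and reports the client IP. The log lines, table name and patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Heuristic markers of injected SQL in a decoded query string (illustrative, not exhaustive).
SQLI = re.compile(
    r"\bunion\b.+\bselect\b|\bupdate\b.+\bset\b|\bdeclare\s+@|\bexec(ute)?\s*\(|"
    r";\s*(drop|insert|update|delete|exec)\b|'\s*or\s+'?\w+'?\s*=",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-02 10:15:01 192.0.2.10 GET /products.aspx id=42 80 - 198.51.100.7 Mozilla/5.0 200 0 0 31
2014-03-02 10:15:09 192.0.2.10 GET /products.aspx id=42%27%3BUPDATE+dbo.items+SET+title%3D%27x%27-- 80 - 203.0.113.55 Mozilla/5.0 200 0 0 452
2014-03-02 10:16:40 192.0.2.10 GET /search.aspx q=union+jack+flags 80 - 198.51.100.7 Mozilla/5.0 200 0 0 18
"""

def scan_iis_log(lines):
    """Yield (date, time, client_ip, uri, decoded_query) for suspicious requests."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue  # request had no query string
        # Decode twice so double-encoded payloads are also normalised.
        decoded = unquote_plus(unquote_plus(query))
        if SQLI.search(decoded):
            yield (row.get("date"), row.get("time"), row.get("c-ip"),
                   row.get("cs-uri-stem"), decoded)

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(*hit, sep=" | ")
```

IIS does not log POST bodies by default, so a scan like this only sees injection carried in the URL query string; the timestamps of any hits can then be compared with when the table data changed.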
0

Do you have the txn log backup file? There are several products on the market that facilitate the analysis of t-log - I don't believe the host name is included in this information.

Yes - you can run a trace or xevent (or use the Audit functionality) to capture hostname information.

JoeOBrien
0

You can use the SQL Server Auditing feature to track queries. Using the feature as the method for tracking execution of queries produces less impact on the server performance compared to trace technology. However, depending on the database traffic, performance issues can occur. Therefore, be careful what Audit Action Type options you select when defining audit server/database specification(s).

Ivan Stankovic