Record MS SQL Transactions

The constant threat: viruses, trojans, spyware, ... the list goes on

Record MS SQL Transactions

Post by gauravweb on Thu Apr 19, 2012 1:47 pm
([msg=65790]see Record MS SQL Transactions[/msg])

Hello All,
I need to track all the transactions made by an application in MS SQL Server. I think there is some application running in my background which modifies my data. So I want to record every SQL Query sent to server by any program.
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by LoGiCaL__ on Thu Apr 19, 2012 1:55 pm
([msg=65792]see Re: Record MS SQL Transactions[/msg])

Any way you can create a function for the application to send the query as well as send the info being passed to a log file? If your going to log important things like passwords I would hash them.
User avatar
LoGiCaL__
Addict
Addict
 
Posts: 1060
Joined: Sun May 30, 2010 12:33 pm
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by gauravweb on Thu Apr 19, 2012 2:05 pm
([msg=65794]see Re: Record MS SQL Transactions[/msg])

I cant create a function for the application as I dont know which application is causing it. It may be a malware or something like that.
LoGiCaL__ wrote:Any way you can create a function for the application to send the query as well as send the info being passed to a log file?
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by LoGiCaL__ on Thu Apr 19, 2012 2:11 pm
([msg=65795]see Re: Record MS SQL Transactions[/msg])

Ah, I got you. I read it wrong. Just out of curiosity what symptoms are you experiencing that would lead you to believe this? Also, it may not be modifying data. It may be stealing it. I wouldn't get to worried just yet. Run some scans on the server. Start with malwarebytes, then try super anti-spyware. If your not running a windows yyyy server version you can also use combofix. Also to test your theory, make some test queries and pre-record the data you enter then check to see if it was modified it any way once it's in the database.

Note: while running the scans it may be beneficial to run updated in safemode.
User avatar
LoGiCaL__
Addict
Addict
 
Posts: 1060
Joined: Sun May 30, 2010 12:33 pm
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by gauravweb on Thu Apr 19, 2012 3:59 pm
([msg=65798]see Re: Record MS SQL Transactions[/msg])

I am running Windows 2003 server with MS SQL Server 2000.
There is a software package which I use for my office. We have several systems running on LAN which access the same server. Every now and then I found some bills and vouchers being missed and also I suspect being modified. So I want to make sure that by which process or application or malware it is being done. I want to record every move. Every query ever being made to the server whether by my software or by any other means. Please suggest me some software based on windows or any other way by which I can record every query.
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by centip3de on Thu Apr 19, 2012 7:24 pm
([msg=65801]see Re: Record MS SQL Transactions[/msg])

gauravweb wrote:I am running Windows 2003 server with MS SQL Server 2000.
There is a software package which I use for my office. We have several systems running on LAN which access the same server. Every now and then I found some bills and vouchers being missed and also I suspect being modified. So I want to make sure that by which process or application or malware it is being done. I want to record every move. Every query ever being made to the server whether by my software or by any other means. Please suggest me some software based on windows or any other way by which I can record every query.


It'd be easier to switch to a Linux server, as the 'malware' most likely is Windows only. Also, there is quite a performance increase using Linux, and it's a more supported server type.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1412
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by gauravweb on Fri Apr 20, 2012 1:59 am
([msg=65808]see Re: Record MS SQL Transactions[/msg])

I cant switch to Linux for now because of several reasons and also this is not a solution for my problem. I think there is someone within in the LAN premises intentionally doing it. So even if I switch to Linux it will still happen.

centip3de wrote:
gauravweb wrote:I am running Windows 2003 server with MS SQL Server 2000.
There is a software package which I use for my office. We have several systems running on LAN which access the same server. Every now and then I found some bills and vouchers being missed and also I suspect being modified. So I want to make sure that by which process or application or malware it is being done. I want to record every move. Every query ever being made to the server whether by my software or by any other means. Please suggest me some software based on windows or any other way by which I can record every query.


It'd be easier to switch to a Linux server, as the 'malware' most likely is Windows only. Also, there is quite a performance increase using Linux, and it's a more supported server type.
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by ghost107 on Fri Apr 20, 2012 9:35 am
([msg=65813]see Re: Record MS SQL Transactions[/msg])

If the information goes outside your computer you could just configure your firewall to block all other ports, except the ones your using.

Use a network capturing tool like wireshark, windump(linux -> tcpdump) to log all your communication, or create your own tool using winpcap(this tools and library don't support local loopback, if the application is on your computer this will not work).
ghost107
Poster
Poster
 
Posts: 132
Joined: Wed Jul 02, 2008 7:57 am
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by gauravweb on Fri Apr 20, 2012 11:02 am
([msg=65816]see Re: Record MS SQL Transactions[/msg])

I am not sure whether these modifications are from a client or the server machine itself. So I need to record every query ever made to server.
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)


Re: Record MS SQL Transactions

Post by ghost107 on Fri Apr 20, 2012 1:04 pm
([msg=65823]see Re: Record MS SQL Transactions[/msg])

Then I think this might help MS SQL Profiler:
http://msdn.microsoft.com/en-us/library/ms187929.aspx

To start tracing you could just use File->New Trace
ghost107
Poster
Poster
 
Posts: 132
Joined: Wed Jul 02, 2008 7:57 am
Blog: View Blog (0)



Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests