Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
alfonsomg
Starting Member
2 Posts |
 Posted - 2010-06-14 : 09:03:45
|
| Hi guys, this is my first post, sorry for being so direct, but I'm in a real hurry. Please let's leave presentations for later (please). I'm not a very experienced dba btw. I tried the search and google but I can't find exactly what I need.This weekend some information disappeared from the database (Sql Server 2005). I have a backup from before of the incident an I have a backup from after the incident. I restored and unfortunately I lost a couple of days of info but it could have been worst (I have to learn how to backup automatically btw). Two tables were emptied completely (two many-to-many tables) so the rest of the info was not available.Now in my local I have both backups so maybe I can know what happened. It can't be a failure of the server, it must be a hack but it's strange that only two tables were deleted (not droped) as far as I know.I have to find what happened to try to prevent another attack(?). For the momment I deactivated some parts of the web in case there is a potential sql-injection there (I didn't create this web, I'm replacing the developer that left the job).Is it possible to consult when and how some records were deleted having the pre and post backup?Thanks in advance,Alfonso |
|
|
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts |
|
|
Kristen
Test
22859 Posts |
Posted - 2010-06-14 : 11:33:50
|
| If you are running FULL Recovery Model you can restore to various points-in-time between the two backups and thereby a) discover when the data went and b) re-instate it if you need toUse a new, temporary, database to restore to - don't restore over the live one!(Re-instate by restoring to the temporary database and then copying over any required data to the Live database) |
 |
|
|
alfonsomg
Starting Member
2 Posts |
Posted - 2010-06-14 : 12:19:14
|
quote:
Originally posted by GilaMonster
Also asked here: http://www.sqlservercentral.com/Forums/Topic936815-146-1.aspx
Yes, I wrote in that other forum. I do apologize if I broke some rule but I was almost panicking. Suddenly the information was gone and here in the company people was asking for answers. If you think this thread must be deleted please feel free.quote:
Originally posted by Kristen
If you are running FULL Recovery Model you can restore to various points-in-time between the two backups and thereby a) discover when the data went and b) re-instate it if you need toUse a new, temporary, database to restore to - don't restore over the live one!(Re-instate by restoring to the temporary database and then copying over any required data to the Live database)
Mate I'm afraid I broke that rule, I tried to restore the live db, but I wasn't able so I deleted the db and create again to restore the backup... I know, I suck, but I'm not a real dba, I'm a developer that's forced to be a dba. The positive point is that I'm learning a lot  |
|
|
|
Kristen
Test
22859 Posts |
Posted - 2010-06-14 : 13:09:36
|
| The fact that you restored over LIVE is not relevant to this exercise, you can still restore the backups to a TEMP database to point-in-time to investigate what happened, and retrieve data that hackers deleted etc.But it does require that your database is using FULL Recovery model |
|
|
|
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts |
Posted - 2010-06-14 : 14:20:08
|
quote:
Originally posted by alfonsomg
quote:
Originally posted by GilaMonster
Also asked here: http://www.sqlservercentral.com/Forums/Topic936815-146-1.aspx
Yes, I wrote in that other forum. I do apologize if I broke some rule but I was almost panicking. Suddenly the information was gone and here in the company people was asking for answers. If you think this thread must be deleted please feel free.
No worries. I posted that so that people could see what's been said already and not repeat things already said.--Gail ShawSQL Server MVP |
|
|
|
X002548
Not Just a Number
15586 Posts |
|
|
|
|
|
|
|
Data is gone, how can I know what happened?