I have a number of legacy sites written in Classic ASP using a SQL Server 2008 Database.
Recently they have been targeted with what I presume is an injection attack - altering the script on the home page to show spam. Luckily this is the extent of the attack.
I set up a script to record the IP address, page name and query string (URL arguments) of each request.
When it last happened I reviewed the results and there is nothing out of the ordinary - I was expecting some SQL appended to the URL but there is nothing obvious.
The last time, I replaced all files, and I have also checked and there isn't an extra file present.
What else can I monitor or investigate?