Hello everyone!
Thanks for all of the useful content that is already out there!
I have just received an email forwarded from my ISP, regarding a box I am hosting which is running ISP Config 2. The focus of the email was as follows:
__
Dear Administrator(s),
We have detected an attack attempt from an IP address of your responsibility (xxx.xxx.xxx.xxx) !
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sample:
Timestamp: 2011-04-13 04:55:36 (GMT)
Alert: COSED [CSG-GOP-007] WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection
Source: 194.28.139.111 (46684)
Destination: 200.189.113.212 (80)
Content:
GET /modules/noticias/article.php?storyid=408'/**/And/**/(SELECT/**/1)='2 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.cultura.pr.gov.br
User-Agent: libwww-perl/5.834
__
It appears that one of the sites on my box has been compromised. I am interested in trying to find ways to identify which site it is that has been compromised. Can anyone please suggest any methods which I can use to do this?
Many thanks,
Chris
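
A check of the kind named in the quoted alert, as an added example that is not part of the original post and is not the reporting system's actual rule: it parses a raw request like the quoted sample and flags MySQL inline comments that separate SQL keywords in the query string. The function names, the keyword list and the embedded sample (constructed from the quoted request) are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed from the request quoted in the abuse report above.
SAMPLE_REQUEST = (
    "GET /modules/noticias/article.php?storyid=408'/**/And/**/(SELECT/**/1)='2 HTTP/1.1\r\n"
    "TE: deflate,gzip;q=0.3\r\n"
    "Connection: TE, close\r\n"
    "Host: www.cultura.pr.gov.br\r\n"
    "User-Agent: libwww-perl/5.834\r\n\r\n"
)

# MySQL inline comment such as /**/ or /*!50000 ... */, often used in place of spaces.
MYSQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Assumed keyword list for this example; a real rule set would be broader.
SQL_KEYWORD = re.compile(r"\b(select|union|and|or|from|where)\b", re.I)

def parse_request(raw):
    """Split a raw HTTP/1.x request head into method, target and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, rest = lines[0].split(" ", 1)
    target = rest.rsplit(" ", 1)[0]          # drop the trailing HTTP version
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def inspect_request(raw):
    """Report MySQL comments and SQL keywords found in the request's query string."""
    _method, target, headers = parse_request(raw)
    decoded = urlsplit(target).query
    for _ in range(3):                       # undo up to three layers of percent-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    comments = MYSQL_COMMENT.findall(decoded)
    # Replace comments with spaces so keywords glued together by /**/ become visible.
    keywords = sorted({k.lower() for k in SQL_KEYWORD.findall(MYSQL_COMMENT.sub(" ", decoded))})
    return {
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
        "comment_count": len(comments),
        "keywords": keywords,
        "flagged": bool(comments) and bool(keywords),
    }

if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
```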