13th April 2011, 17:13
acecjh
Compromised Host

Hello everyone!

Thanks for all of the useful content that is already out there!

I have just received an email forwarded from my ISP, regarding a box I am hosting which is running ISP Config 2. The focus of the email was as follows:

__
Dear Administrator(s),

We have detected an attack attempt from an IP address of your responsibility (xxx.xxx.xxx.xxx) !

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Sample:
Timestamp: 2011-04-13 04:55:36 (GMT)
Alert: COSED [CSG-GOP-007] WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection
Source: 194.28.139.111 (46684)
Destination: 200.189.113.212 (80)
Content:
GET /modules/noticias/article.php?storyid=408'/**/And/**/(SELECT/**/1)='2 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.cultura.pr.gov.br
User-Agent: libwww-perl/5.834
__

It appears that one of the sites on my box has been compromised. I am interested in trying to find ways to identify which site it is that has been compromised. Can anyone please suggest any methods which I can use to do this?

Many thanks,

Chris