#1
13th April 2011, 17:13
acecjh, Junior Member (Join Date: Mar 2010, Posts: 5)

Compromised Host

Hello everyone!

Thanks for all of the useful content that is already out there!

I have just received an email forwarded from my ISP regarding a box I am hosting which is running ISPConfig 2. The focus of the email was as follows:

__
Dear Administrator(s),

We have detected an attack attempt from an IP address of your responsibility (xxx.xxx.xxx.xxx) !

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Sample:
Timestamp: 2011-04-13 04:55:36 (GMT)
Alert: COSED [CSG-GOP-007] WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection
Source: 194.28.139.111 (46684)
Destination: 200.189.113.212 (80)
Content:
GET /modules/noticias/article.php?storyid=408'/**/And/**/(SELECT/**/1)='2 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.cultura.pr.gov.br
User-Agent: libwww-perl/5.834
__

It appears that one of the sites on my box has been compromised. I am interested in trying to find ways to identify which site it is that has been compromised. Can anyone please suggest any methods which I can use to do this?

Many thanks,

Chris
#2
13th April 2011, 17:18
till, Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 35,340)

Is the site in the Host line the one where the problem occurred?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
13th April 2011, 17:33
acecjh, Junior Member

Hi Till,

The site in the host line is the one that we apparently attacked? It is not a website that we host. I don't really understand what kind of attack our webserver has made - I was hoping that someone might be able to tell me from the email!

Chris
#4
13th April 2011, 18:44
till, Super Moderator

The attacker tried to inject data into the SQL database of the target server by using SQL injection.

You should scan your server with rkhunter and chkrootkit.
#5
13th April 2011, 19:01
acecjh, Junior Member

Hiya! Neither of those tools threw up any obvious leads....

Quote:
[17:55:22] System checks summary
[17:55:22] =====================
[17:55:22]
[17:55:22] File properties checks...
[17:55:22] Required commands check failed
[17:55:22] Files checked: 134
[17:55:23] Suspect files: 0
[17:55:23]
[17:55:23] Rootkit checks...
[17:55:23] Rootkits checked : 250
[17:55:23] Possible rootkits: 0
[17:55:23]
[17:55:23] Applications checks...
[17:55:23] All checks skipped
[17:55:23]
[17:55:23] The system checks took: 2 minutes and 48 seconds
[17:55:23]
[17:55:23] Info: End date is Wed Apr 13 17:55:23 BST 2011

Quote:
chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth2: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... => possibly 1 deletion(s) detected in /var/run/utmp !
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
#6
14th April 2011, 09:40
till, Super Moderator

OK. So your server has not been hacked, at least not at the system/root level, and it is really just an infected site. Do you see any unusual Perl processes with ps or top?
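
Added example (the editor's, not code from any poster in this thread): Till's replies narrow the problem to one site rather than the whole system, and the ISP's sample gives an exact GMT timestamp for the outbound attack. The usual way to find which vhost sourced it is to line that timestamp up against each site's web server access log and look for the requests that were driving the attack from outside: a scripted client user-agent, a POST to a PHP file sitting in a directory meant for uploaded content, or the same MySQL inline-comment pattern the ISP's IDS flagged. The script below does this over a few constructed lines in Apache combined format. The per-site log path /var/www/web<N>/log/access.log (an ISPConfig 2 style layout), the site contents and the client addresses are assumptions made for the demonstration, not data from the poster's server.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp from the ISP's sample; the report states it is GMT.
REPORT_TS = datetime(2011, 4, 13, 4, 55, 36, tzinfo=timezone.utc)

# Apache "combined" log format:
#   client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample logs for two ISPConfig-2-style sites (assumed path layout).
# Neither the addresses nor the paths come from the poster's server.
SAMPLE_LOGS = {
    "/var/www/web1/log/access.log": (
        '203.0.113.7 - - [13/Apr/2011:05:50:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
        '203.0.113.7 - - [13/Apr/2011:05:54:13 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    ),
    "/var/www/web2/log/access.log": (
        # the night before: the site's own upload form is used to drop a PHP file into images/
        '198.51.100.9 - - [12/Apr/2011:23:14:40 +0100] "POST /gallery/upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"\n'
        # around the report time: the dropped file is driven from a scripted client
        '198.51.100.9 - - [13/Apr/2011:05:55:20 +0100] "POST /gallery/images/x.php HTTP/1.1" 200 97 "-" "libwww-perl/5.834"\n'
        '198.51.100.9 - - [13/Apr/2011:05:55:41 +0100] "POST /gallery/images/x.php HTTP/1.1" 200 97 "-" "libwww-perl/5.834"\n'
    ),
}

SCRIPTED_UA = re.compile(r"libwww-perl|curl/|Wget/|python-", re.I)
# A PHP script executing out of a directory meant for uploaded content.
UPLOAD_DIR_SCRIPT = re.compile(r"/(images|uploads?|files|tmp|cache)/[^/?]+\.php(\?|$)", re.I)
# MySQL inline comments used as whitespace, the pattern the ISP's IDS flagged.
SQL_COMMENT = re.compile(r"/\*.*?\*/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache logs local time with its UTC offset; %z parses the "+0100".
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_reasons(rec):
    """Why a request looks like a webshell being driven (empty list if it does not)."""
    reasons = []
    if rec["method"] == "POST" and UPLOAD_DIR_SCRIPT.search(rec["path"]):
        reasons.append("POST to PHP script in an upload directory")
    if SCRIPTED_UA.search(rec["ua"]):
        reasons.append("scripted client user-agent")
    if SQL_COMMENT.search(rec["path"]):
        reasons.append("SQL inline comment in URI")
    return reasons


def triage(logs, report_ts, window=timedelta(minutes=5)):
    """Map each log file to its suspicious requests within +/- window of the report.

    Each hit is (utc_time, path, reasons). Times are normalised to UTC first so
    the comparison with the ISP's GMT timestamp does not depend on the server's zone.
    """
    hits = {}
    for logfile, text in logs.items():
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            t = rec["time"].astimezone(timezone.utc)
            if abs(t - report_ts) > window:
                continue
            reasons = suspicious_reasons(rec)
            if reasons:
                hits.setdefault(logfile, []).append((t, rec["path"], reasons))
    return hits


def likely_compromised_site(logs, report_ts):
    """The log file (hence the site) with the most suspicious hits, or None."""
    hits = triage(logs, report_ts)
    return max(hits, key=lambda f: len(hits[f])) if hits else None


if __name__ == "__main__":
    for logfile, rows in triage(SAMPLE_LOGS, REPORT_TS).items():
        print(logfile)
        for t, path, reasons in rows:
            print(f"  {t:%Y-%m-%d %H:%M:%S} UTC  {path}  <- {'; '.join(reasons)}")
    print("most likely source:", likely_compromised_site(SAMPLE_LOGS, REPORT_TS))
```

Against real logs, replace SAMPLE_LOGS with the contents of each site's access log; widening the window then also surfaces the earlier request that dropped the file. The hit names the docroot to preserve and compare file by file, and any Perl process owned by the web user, as Till asks about next, can be tied to the same docroot on Linux with ls -l /proc/<pid>/cwd.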
#7
22nd April 2011, 08:35
createch, Senior Member (Join Date: Aug 2007, Posts: 118)

From your server admin's message, you should fix your SQL command in the following PHP file:

/modules/noticias/article.php

The usual solution is to add "addslashes" to your command.

For example, the following command is vulnerable to SQL injection:

$command ="select * from users where username='" . $_REQUEST["username"] . "' and password='" . $_REQUEST["password"] . "'";

but the following one will be OK:

$command ="select * from users where username='" . addslashes($_REQUEST["username"]) . "' and password='" . addslashes($_REQUEST["password"]) . "'";
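
Added example (the editor's, not createch's code): a Python/sqlite3 model of the article.php lookup from the abuse report, written four ways so that the ISP's own boolean probe (one value that keeps the query true, one that makes it false) can be run against each. SQLite stands in for MySQL, so two adaptations are labelled in the code: the probes compare text to text, because the report's integer-to-quoted-digit comparison is coerced by MySQL but not by SQLite, and the stand-in for addslashes() uses the doubled quote, the only string escape SQLite understands. The table and column names are assumptions for the demo. The point the model makes is that escaping the quote character only helps while the value sits inside a quoted literal; an unquoted numeric interpolation stays injectable however the value is escaped, while a bound parameter is safe in both cases.

```python
import sqlite3

# Boolean probes in the shape of the report's payload
# (storyid=408'/**/And/**/(SELECT/**/1)='2). MySQL coerces the integer 1 to
# match the quoted '1'; SQLite compares integer and text strictly, so the
# probes here compare text to text. /**/ is an inline comment in both engines.
PROBE_TRUE = "408'/**/And/**/(SELECT/**/'x')='x"
PROBE_FALSE = "408'/**/And/**/(SELECT/**/'x')='y"
# The same probe for a query that interpolates the number without quotes.
NUMERIC_TRUE = "408/**/And/**/(SELECT/**/1)=1"
NUMERIC_FALSE = "408/**/And/**/(SELECT/**/1)=2"


def make_db():
    """In-memory stand-in for the site's MySQL table (names are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stories (storyid INTEGER, title TEXT)")
    con.executemany("INSERT INTO stories VALUES (?, ?)",
                    [(407, "Story 407"), (408, "Story 408")])
    return con


def escape_quotes(s):
    """Stand-in for PHP addslashes(): neutralise quote characters inside a quoted
    SQL literal. SQLite's only string escape is the doubled quote; addslashes()
    uses a backslash, which MySQL honours unless NO_BACKSLASH_ESCAPES is set."""
    return s.replace("'", "''")


def lookup_concat(con, storyid):
    """Vulnerable: the raw parameter is pasted into a quoted literal."""
    sql = "SELECT title FROM stories WHERE storyid='" + storyid + "'"
    return con.execute(sql).fetchall()


def lookup_escaped(con, storyid):
    """Escaped and quoted: the probe's quote can no longer close the literal."""
    sql = "SELECT title FROM stories WHERE storyid='" + escape_quotes(storyid) + "'"
    return con.execute(sql).fetchall()


def lookup_escaped_numeric(con, storyid):
    """Escaped but unquoted (common for numeric columns): there is no quote to
    break out of, so escaping changes nothing and the value is parsed as SQL."""
    sql = "SELECT title FROM stories WHERE storyid=" + escape_quotes(storyid)
    return con.execute(sql).fetchall()


def lookup_param(con, storyid):
    """Bound parameter: the value is never part of the SQL text the parser sees."""
    return con.execute("SELECT title FROM stories WHERE storyid=?", (storyid,)).fetchall()


def is_injectable(lookup, con, probe_true, probe_false):
    """The ISP's probe, automated: if the true and false variants of one
    parameter produce different results, user input is reaching the parser
    as SQL. A syntax error raised by user input proves the same thing."""
    try:
        return lookup(con, probe_true) != lookup(con, probe_false)
    except sqlite3.Error:
        return True


def audit():
    """Injectability verdict for each way of writing the article.php lookup."""
    con = make_db()
    return {
        "concatenated, quoted": is_injectable(lookup_concat, con, PROBE_TRUE, PROBE_FALSE),
        "escaped, quoted": is_injectable(lookup_escaped, con, PROBE_TRUE, PROBE_FALSE),
        "escaped, unquoted": is_injectable(lookup_escaped_numeric, con, NUMERIC_TRUE, NUMERIC_FALSE),
        "parameterised, quoted probe": is_injectable(lookup_param, con, PROBE_TRUE, PROBE_FALSE),
        "parameterised, numeric probe": is_injectable(lookup_param, con, NUMERIC_TRUE, NUMERIC_FALSE),
    }


if __name__ == "__main__":
    for variant, vulnerable in audit().items():
        print(f"{variant:30s} injectable={vulnerable}")
    con = make_db()
    print("legitimate lookup via bound parameter:", lookup_param(con, "408"))
```

In PHP the bound-parameter form is mysqli_prepare() with bind_param(), or PDO::prepare() with execute(), and it is the fix that covers the unquoted case above as well. Where quote escaping is kept instead, two further caveats apply to addslashes(): it does nothing useful when MySQL runs with NO_BACKSLASH_ESCAPES, and character-set-unaware escaping has known bypasses with certain multibyte connection character sets, which is why mysql_real_escape_string() exists; binding parameters sidesteps both.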
All times are GMT +2.