Compromised Host

Discussion in 'General' started by acecjh, Apr 13, 2011.

  1. acecjh

    acecjh New Member

    Hello everyone!

    Thanks for all of the useful content that is already out there!

    I have just recieved an email forwarded from my ISP, regarding a box I am hosting which is running ISP Config 2. The focus of the email was as follows:

    __
    Dear Administrator(s),

    We have detected an attack attempt from an IP address of your responsibility (xxx.xxx.xxx.xxx) !

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    Sample:
    Timestamp: 2011-04-13 04:55:36 (GMT)
    Alert: COSED [CSG-GOP-007] WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection
    Source: 194.28.139.111 (46684)
    Destination: 200.189.113.212 (80)
    Content:
    GET /modules/noticias/article.php?storyid=408'/**/And/**/(SELECT/**/1)='2 HTTP/1.1
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: www.cultura.pr.gov.br
    User-Agent: libwww-perl/5.834
    __

    It appears that one of the sites on my box has been compromised. I am interested in trying to find ways to identify which site it is that has been compromised. Can anyone please suggest any methods which I can use to do this?

    Many thanks,

    Chris
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is the site in the Host line the one where the problem occurred?
     
  3. acecjh

    acecjh New Member

    Hi Till,

    The site in the host line is the one that we apparently attacked? It is not a website that we host. I don't really understand what kind of attack our webserver has made - I was hoping that someone might be able to tell me from the email!

    Chris
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The attacker tried to inject data into the sql database of the target server by using sqlinjection.

    You should scan your server with rkhunter and chkrootkit.
     
  5. acecjh

    acecjh New Member

    Hiya! Neither of those tools through up any obvious leads....


     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. So your server has not been hacked, at least not at the system / root level and it is really just a infected site. Do you see any unusual perl processes with ps or top?
     
  7. createch

    createch New Member

    From your sever admin message, you should fix your SQL command in the following php file:

    /modules/noticias/article.php

    the usual solution is to add "addslashes" to your command.

    For example, it following command is vulnerable to SQL injection:

    $command ="select * from users where username='" . $_REQUEST["username"] . "' and password='" . $_REQUEST["password"] . "'";

    but the following one will be ok:

    $command ="select * from users where username='" . addslashes($_REQUEST["username"]) . "' and password='" . addslashes($_REQUEST["password"]) . "'";
     

Share This Page