Compromised Host

Hello everyone!

Thanks for all of the useful content that is already out there!

I have just recieved an email forwarded from my ISP, regarding a box I am hosting which is running ISP Config 2. The focus of the email was as follows:

__
Dear Administrator(s),

We have detected an attack attempt from an IP address of your responsibility (xxx.xxx.xxx.xxx) !

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Sample:
Timestamp: 2011-04-13 04:55:36 (GMT)
Alert: COSED [CSG-GOP-007] WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection
Source: 194.28.139.111 (46684)
Destination: 200.189.113.212 (80)
Content:
GET /modules/noticias/article.php?storyid=408'/**/And/**/(SELECT/**/1)='2 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.cultura.pr.gov.br
User-Agent: libwww-perl/5.834
__

It appears that one of the sites on my box has been compromised. I am interested in trying to find ways to identify which site it is that has been compromised. Can anyone please suggest any methods which I can use to do this?

Many thanks,

Chris

 

Hi Till,

The site in the host line is the one that we apparently attacked? It is not a website that we host. I don't really understand what kind of attack our webserver has made - I was hoping that someone might be able to tell me from the email!

Chris

 

Hiya! Neither of those tools through up any obvious leads....

 

From your sever admin message, you should fix your SQL command in the following php file:

/modules/noticias/article.php

the usual solution is to add "addslashes" to your command.

For example, it following command is vulnerable to SQL injection:

$command ="select * from users where username='" . $_REQUEST["username"] . "' and password='" . $_REQUEST["password"] . "'";

but the following one will be ok:

$command ="select * from users where username='" . addslashes($_REQUEST["username"]) . "' and password='" . addslashes($_REQUEST["password"]) . "'";