#1 apot (Just Joined!, joined Sep 2010, 6 posts)

    [SOLVED] My Server making SQL injection requests


    I have been told by my server provider that my IP has been reported as making SQL injection attacks in multiple different websites. I am trying to find this in the logs but I don't know where to find outgoing http requests.

    I have looked through database fields in case there was some html inserted into a string field.
    I have looked through code of websites to see if there was any added javascript or html.

    Does anyone know where I could find this activity in the logs? I can't find it in any of the access.log files.
    Can this be done by some modified SQL injection attack on my site?

    I'm searching desperately here, any help would be appreciated

#2 hunter_thom (Just Joined!, joined Apr 2010, 89 posts)
    They're saying that your IP is initiating SQL injection attacks to other sites, correct?

    Might want to check over all your files on the apache root, and just check over the file system in general. Perhaps there are new scripts/webapps that you are not familiar with? Or perhaps there are new cronjobs that reference scripts that you are unaware of? Just a couple thoughts of places to look.

    I doubt you'd see log messages saying that an SQL injection attack was initiated. If so, whoever wrote that code was wanting it to be found.

    If your server is initiating those kind of attacks, my guess is that the box is compromised and someone planted code somewhere that would spin off injection attacks. So, if you search around the file system you might find 'new' apps, scripts, executables, etc, that might point you towards the source of those attacks.

    Hope that helps.

#3 apot (Just Joined!, joined Sep 2010, 6 posts)
    Yeah, I am looking around.

    here is my syslog with the CRON jobs showing a lot of munin activity. Does this look like too much activity for munin?


    Code:
    Apr 11 12:15:01 localhost /USR/SBIN/CRON[6925]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:15:01 localhost /USR/SBIN/CRON[6926]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:17:01 localhost /USR/SBIN/CRON[7106]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
    Apr 11 12:18:01 localhost /USR/SBIN/CRON[7113]: (amavis) CMD (test -e /usr/sbin/amavisd-new-cronjob && /usr/sbin/amavisd-new-cronjob sa-sync)
    Apr 11 12:20:01 localhost /USR/SBIN/CRON[7118]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:20:01 localhost /USR/SBIN/CRON[7119]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:25:01 localhost /USR/SBIN/CRON[7301]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:25:01 localhost /USR/SBIN/CRON[7302]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:30:01 localhost /USR/SBIN/CRON[7486]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:30:01 localhost /USR/SBIN/CRON[7487]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:35:01 localhost /USR/SBIN/CRON[7687]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:35:01 localhost /USR/SBIN/CRON[7686]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:39:01 localhost /USR/SBIN/CRON[32495]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
    Apr 11 12:40:01 localhost /USR/SBIN/CRON[22442]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:40:01 localhost /USR/SBIN/CRON[22441]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:45:01 localhost /USR/SBIN/CRON[26891]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:45:01 localhost /USR/SBIN/CRON[26892]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:50:01 localhost /USR/SBIN/CRON[27080]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
    Apr 11 12:50:01 localhost /USR/SBIN/CRON[27079]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:55:01 localhost /USR/SBIN/CRON[27288]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
    Apr 11 12:55:01 localhost /USR/SBIN/CRON[27287]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)

#4 hunter_thom (Just Joined!, joined Apr 2010, 89 posts)
    Possibly, hard to say just from the output.

    The munin stuff looks like it's running every 5 minutes. There are other things in there, too, including run-parts on /etc/cron.hourly/ which is normal. Might want to peek into the /etc/cron.*/ directories and cat the scripts there. It's always possible that if someone compromised root on that box, they injected some arbitrary code into a normal script, like logrotate or anacron, depending on your box.

    Also, did you check your apache Document Root for new items? Again, if root is compromised, anything could be changed. If you host php apps, someone might have dropped a php script into a directory and edited your php files to utilize the php script to initiate an attack, but who knows.

    At this point, the best solution in my mind is to start searching around for new or modified scripts or executables. New cronjobs, new apps (webapps, java apps, etc, depending on what the box hosts), modified scripts, etc.


    EDIT: Also, do you have aide enabled on that box, perchance? That might give you a clue as to what has changed...
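
Added example (not code either poster ran): the two hunts hunter_thom suggests in #2 and #4, new or changed files under the web root and every cron entry on the box, as shell functions you can run on the live system or against a mounted image. WEBROOT, DAYS and the cron paths are assumptions for a Debian-style layout (the OP's syslog shows /etc/cron.hourly and munin); adjust them to your box. The temp tree used to exercise the functions in testing is constructed, not from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: hunt for what changed on a
# possibly compromised box. WEBROOT/DAYS and the cron paths below are
# assumptions for a Debian-style system; adjust them to yours.

# Regular files under $1 whose mtime is within the last $2 days.
# Caveat: mtime is trivially backdated with touch -t, so also run recent_ctime.
recent_mtime() {
    find "$1" -xdev -type f -mtime "-$2" -exec ls -ld {} + 2>/dev/null | sort -k9
}

# Same window by inode change time. ctime cannot be set from userland
# (touch only rewrites atime/mtime and bumps ctime), so a backdated file
# still surfaces here.
recent_ctime() {
    find "$1" -xdev -type f -ctime "-$2" -exec ls -ld {} + 2>/dev/null | sort -k9
}

# Files that rarely belong in a DocumentRoot: interpreter scripts, archives
# and dotfiles. Prints paths, one per line.
odd_webroot_files() {
    find "$1" -xdev -type f \( -name '*.py' -o -name '*.pl' -o -name '*.sh' \
        -o -name '*.tar.gz' -o -name '*.tgz' -o -name '.*' \) 2>/dev/null | sort
}

# Every cron entry on the box with comments and blank lines stripped.
# $1 is an optional root prefix (default: the live system) so the same
# function works against a mounted image of the suspect disk.
list_cron_jobs() {
    root=${1:-}
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        if [ -f "$f" ]; then
            echo "== $f"
            grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
        fi
    done
    for d in hourly daily weekly monthly; do
        if [ -d "$root/etc/cron.$d" ]; then
            echo "== $root/etc/cron.$d"
            ls -l "$root/etc/cron.$d"
        fi
    done
    return 0
}

# Stand-alone use: WEBROOT=/var/www DAYS=3 sh hunt.sh
if [ -n "${WEBROOT:-}" ]; then
    days=${DAYS:-7}
    echo "### modified (mtime) in the last $days days under $WEBROOT"; recent_mtime "$WEBROOT" "$days"
    echo "### changed (ctime) in the last $days days under $WEBROOT";  recent_ctime "$WEBROOT" "$days"
    echo "### scripts, archives and dotfiles under $WEBROOT";          odd_webroot_files "$WEBROOT"
    echo "### cron entries";                                           list_cron_jobs
fi
```

The mtime/ctime pair is the point: an intruder who backdates a dropped file with touch hides it from the first search but not the second. For hunter_thom's worry that a stock script such as logrotate was edited in place, compare packaged files against the package database (debsums -c on Debian/Ubuntu, rpm -Va on RPM systems) rather than eyeballing them; aide, if it was installed before the incident, answers the same question from its own baseline.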

#5 apot (Just Joined!, joined Sep 2010, 6 posts)
    Thanks for the suggestions hunter.

    I was able to find it. In one of the web folders I found a file start.py that was running at 4am last night and using a lot of the CPU. I found it using the ps -aux command.

    In my excitement of finding it I deleted it, but I really wanted to look at it to see exactly what it was doing. I tried recovering it using lsof but I guess it's gone for good. Oh well.

    At 5 am I found someone came back, I assume to clean up leftover files:

    Code:
    xxx.xxx.xxx.xxx - - [12/Apr/2011:05:40:52 -0400] "GET /blahblah/Spry-UI-1.7/includes/plugins/threads.tar.gz HTTP/1.0" 404 413 "-" "Wget/1.12 (linux-gnu)"
    xxx.xxx.xxx.xxx - - [12/Apr/2011:05:41:17 -0400] "GET /blahblah/Spry-UI-1.7/includes/plugins/old/threads.tar.gz HTTP/1.0" 200 3876465 "-" "Wget/1.12 (linux-gnu)"
    One of the other websites I allow on this server, the guy uses Dreamweaver and therefore Spry. I can't find where they actually put the file on. Maybe with Wput but I don't think the security levels allow that. And they deleted the file threads.tar.gz with Wget. I tried doing this after making a file in that folder and trying wget --delete-after but it didn't have permission.

    The file threads.tar.gz is gone. Any idea how he erased that file? Can't get it on lsof.

    I checked vsftpd.log to find if someone had broken into the FTP access, but there was only one access of that folder in a few months:

    Code:
    Fri Apr  1 11:09:13 2011 [pid 24720] [blahblah] OK LOGIN: Client "xxx.xxx.xxx.xxx"
    Fri Apr  1 11:09:14 2011 [pid 24722] [blahblah] OK MKDIR: Client "xxx.xxx.xxx.xxx", "/MM_CASETEST4291"
    Fri Apr  1 11:09:14 2011 [pid 24722] [blahblah] OK RMDIR: Client "xxx.xxx.xxx.xxx", "/MM_CASETEST4291"
    Fri Apr  1 11:09:26 2011 [pid 24722] [blahblah] OK UPLOAD: Client "xxx.xxx.xxx.xxx", "/index.php", 8314 bytes, 13.53Kbyte/sec
    Looks like the standard Dreamweaver upload process. Contacted the guy who runs the site and it is his IP so that is safe.

    Any idea how he got that file on the server?
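
Added example (not code from the thread): the two Wget lines above stood out because a command-line fetcher pulled a tarball out of a web directory. These shell functions pull that kind of request out of an Apache combined-format access log and bound the attacker's time window so you know which stretch of syslog, auth.log and cron to read next. The five log lines in sample_log are constructed for the demo (192.0.2.x are documentation addresses, the paths echo the post); point the functions at your real log instead.

```sh
#!/bin/sh
# Added example, not code from the thread: triage an Apache combined-format
# access log for command-line fetchers and archive/script downloads.
# ACCESS_LOG is an assumption; sample_log is constructed test data.

# Constructed sample access log, printed to stdout.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Apr/2011:05:40:12 -0400] "GET /index.php HTTP/1.1" 200 8314 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
192.0.2.77 - - [12/Apr/2011:05:40:52 -0400] "GET /blahblah/Spry-UI-1.7/includes/plugins/threads.tar.gz HTTP/1.0" 404 413 "-" "Wget/1.12 (linux-gnu)"
192.0.2.77 - - [12/Apr/2011:05:41:17 -0400] "GET /blahblah/Spry-UI-1.7/includes/plugins/old/threads.tar.gz HTTP/1.0" 200 3876465 "-" "Wget/1.12 (linux-gnu)"
192.0.2.77 - - [12/Apr/2011:05:42:03 -0400] "GET /blahblah/Spry-UI-1.7/includes/plugins/old/start.py HTTP/1.0" 200 1337 "-" "curl/7.21.0 (x86_64-pc-linux-gnu)"
192.0.2.10 - - [12/Apr/2011:05:43:30 -0400] "GET /images/logo.png HTTP/1.1" 200 4521 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
EOF
}

# Requests from command-line fetchers, or for archive/script paths, as
# tab-separated ip, method, status, path, user-agent. Reads the files
# given as arguments, or stdin. Splitting on the double quote keeps the
# request line ($2) and user-agent ($6) intact even when they contain spaces.
flag_fetches() {
    awk -F'"' '
    NF < 7 { next }                                   # not a combined-format line
    {
        split($1, pre, " ");  ip = pre[1]
        split($2, req, " ");  method = req[1]; path = req[2]
        split($3, st, " ");   status = st[1]
        ua = $6
        tool = (ua ~ /^(Wget|curl|python|libwww|Java|Go-http)/)
        drop = (path ~ /\.(tar\.gz|tgz|tar|zip|py|pl|sh)([?]|$)/)
        if (tool || drop)
            printf "%s\t%s\t%s\t%s\t%s\n", ip, method, status, path, ua
    }' "$@"
}

# Flagged requests per client, busiest first (count, ip).
top_talkers() {
    flag_fetches "$@" | cut -f1 | sort | uniq -c | sort -rn
}

# First and last timestamp seen for client $1 in the files that follow
# (or stdin): the window to pull from syslog, auth.log and the FTP log.
first_last_seen() {
    ip=$1; shift
    awk -v ip="$ip" '$1 == ip { if (f == "") f = substr($4, 2); l = substr($4, 2) }
                     END { if (f != "") print f, l }' "$@"
}

# Stand-alone use: ACCESS_LOG=/var/log/apache2/access.log sh triage.sh
if [ -n "${ACCESS_LOG:-}" ]; then
    echo "### flagged requests";  flag_fetches "$ACCESS_LOG"
    echo "### by client";         top_talkers "$ACCESS_LOG"
fi
```

Two caveats. The user-agent is attacker-controlled, so the tool test only catches the lazy ones; the path test is the one that caught both Wget lines in the post (404 then 200 for the same file name in two directories is itself a tell: someone guessing where their own drop landed). And the access log only shows what came in to Apache; the outgoing injection attempts the provider complained about were made by the process the OP later found with ps, and would only appear in a packet capture or in netstat/lsof -i output taken while it ran.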

#6 hunter_thom (Just Joined!, joined Apr 2010, 89 posts)
    It is difficult to say how he got on the box.

    Might want to check out /var/log/audit/audit.log (and all subsequent logs) to see if you can find anything interesting. You may not, but it may point you to who got in.

    Are those directories owned by root? Are the permissions set to allow other users to post files? If not, your root login may be compromised, or someone who has sudo rights.

    There are many other ways. Might want to check what services are running on the box, and if they are patched. And it would also be good to look into what users can use sudo, and it may be good to cycle your root password.
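
Added example (not code from the thread): the ownership, permission and sudo questions hunter_thom raises in #6, as shell functions. WEBROOT and WEBUSER (www-data is the Apache account on Debian/Ubuntu) are assumptions; the temp tree used to exercise the functions in testing is constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: who could have written into the
# web tree, and who can become root. WEBROOT/WEBUSER are assumptions.

# Directories and files under $1 that any local account can write to. One
# world-writable upload or cache directory lets a low-privileged site (or a
# compromised one) drop a script like start.py into another site's tree.
world_writable() {
    find "$1" -xdev \( -type d -o -type f \) -perm -002 2>/dev/null | sort
}

# Files under $1 owned by $2, the account the web server runs as. Site code
# should be owned by the site owner and merely readable by the server; a
# file the server account owns was written by something the server ran.
owned_by_user() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null | sort
}

# Who can get root: active sudoers lines plus members of the admin groups.
# Reading /etc/sudoers needs root; without it only the group lines print.
sudo_access() {
    for f in /etc/sudoers /etc/sudoers.d/*; do
        if [ -f "$f" ]; then
            echo "== $f"
            grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" 2>/dev/null || true
        fi
    done
    for g in sudo wheel admin; do
        getent group "$g" 2>/dev/null || true
    done
    return 0
}

# Stand-alone use: WEBROOT=/var/www WEBUSER=www-data sh perms.sh
if [ -n "${WEBROOT:-}" ]; then
    echo "### world-writable under $WEBROOT";                 world_writable "$WEBROOT"
    echo "### owned by ${WEBUSER:-www-data} under $WEBROOT";  owned_by_user "$WEBROOT" "${WEBUSER:-www-data}"
    echo "### sudo access";                                   sudo_access
fi
```

If world_writable and owned_by_user both come back empty for the directory the file appeared in, the writer had the site owner's credentials or root, which is the case hunter_thom describes; the FTP log check in #5 covers the first, and last -f /var/log/wtmp and /var/log/auth.log cover interactive logins for the second.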
