Server Hacking Attempts?

Asked by Katixa
Linux Security

Hi there,

We've got a server to host the sites we develop for customers at our company. I have a script integrated in each SQL query the server receives, so in case it returns an error, I receive a mail.

Today I received 490 mails in around 5 minutes, and there was something strange about them. Usually, in other cases, the errors are the normal "id missing" ones, when a bot or something opens a page without passing a parameter (.php?id=x), or maybe an error in the code. But today it was like this (this is the result report I created to be mailed, and that I receive):

---------------
Error in script: /reservas2.php
Referer:
IP: 85.86.18.191
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Date: 12/12/2006 13:07:17
SQL string: SELECT * FROM pr_habitaciones_establecimientos WHERE idestablecimiento = 1 AND idtipo = ..\..\..\..\..\..\..\..\etc/passwd
----------------

There were similar strange strings, like this one:

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = <img src="JaVaS&#99;RiPt:alert(1259674107);"> AND borrado = 0

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = /./././././././etc/passwd AND borrado = 0

SELECT * FROM pr_habitaciones_establecimientos WHERE idestablecimiento = 1 AND idtipo = \"

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = [img]JaVaScRiPt:alert(1578226035);[/img] AND borrado = 0

SELECT * FROM pr_pyd_precios WHERE idestablecimiento = 1 AND (idtipo = ../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd OR idtipo = -1) AND  fechainicio =

SELECT * FROM pr_habitaciones_establecimientos WHERE idestablecimiento = 1 AND idtipo = ../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = <scrip<script>t>alert(1047690885);</scrip</script>t> AND borrado = 0



The first strange thing is that there is no "referer", when that page (reservas2.php) MUST come from reservas.php, as it sends a Form. There is no link or direct link from anywhere (not even in Google I think). And if it was from within the site, I would get the referer.

The second strange thing is all those etc/passwd references. Of course I do not use any of them on my site. And same with that "JaVaScRiPt" thing.

I'm not worried at all because I guess it did nothing. But at the same time, I'm a bit worried because exploits can work in any unexpected way, and I'm thinking if someone could have read the passed file and popped it up in a javascript alert() window.

Thanks in advance.
Regards.
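
The reports above show the raw `idtipo` value landing unquoted inside the SQL text, which means the script builds the query by string concatenation. As an added example (not code from the post or from the hidden answer), one way to handle this in PHP is to validate the id as an integer and bind it with PDO; `parse_id`, `fetch_tipo`, the in-memory SQLite database and its `nombre` column are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a positive decimal integer, otherwise null.
function parse_id($raw): ?int
{
    if (!is_string($raw)) {          // arrays (?idtipo[]=x) and missing values are rejected
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: the query from the report, with idtipo bound as a parameter.
function fetch_tipo(PDO $db, int $idtipo): array
{
    $stmt = $db->prepare(
        'SELECT * FROM pr_habitaciones_tipos WHERE idtipo = :idtipo AND borrado = 0'
    );
    $stmt->bindValue(':idtipo', $idtipo, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for the real database (in-memory SQLite, assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pr_habitaciones_tipos (idtipo INTEGER, nombre TEXT, borrado INTEGER)');
$db->exec("INSERT INTO pr_habitaciones_tipos VALUES (1, 'doble', 0)");

// Values copied from the error reports in the post, plus one legitimate id.
$samples = [
    '1',
    '..\..\..\..\..\..\..\..\etc/passwd',
    '/./././././././etc/passwd',
    '\"',
    '[img]JaVaScRiPt:alert(1578226035);[/img]',
    '<scrip<script>t>alert(1047690885);</scrip</script>t>',
];

foreach ($samples as $raw) {
    $id = parse_id($raw);
    if ($id === null) {
        // Rejected before any SQL is built, so no query error is raised.
        printf("rejected  %s\n", json_encode($raw));
        continue;
    }
    printf("accepted  %s -> %d row(s)\n", json_encode($raw), count(fetch_tipo($db, $id)));
}
```
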
ASKER CERTIFIED SOLUTION
mr_egyptian
