Katixa (Spain) asked:
Server Hacking Attempts?

Hi there,

We've got a server to host the sites we develop for customers at our company. I have a script integrated in each SQL query the server receives, so in case it returns an error, I receive a mail.

Today I received 490 mails in around 5 minutes, and there was something strange about them. Usually, in other cases, the errors are the normal "id missing" ones, when a bot or something opens a page without passing a parameter (.php?id=x), or maybe an error on the code. But today it was like this (this is the result report I created to be mailed, and that I receive):

---------------
Error in script: /reservas2.php
Referer:
IP: 85.86.18.191
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Date: 12/12/2006 13:07:17
SQL string: SELECT * FROM pr_habitaciones_establecimientos WHERE idestablecimiento = 1 AND idtipo = ..\..\..\..\..\..\..\..\etc/passwd
----------------

There were similar strange strings, like this one:

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = <img src="JaVaS&#99;RiPt:alert(1259674107);"> AND borrado = 0

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = /./././././././etc/passwd AND borrado = 0

SELECT * FROM pr_habitaciones_establecimientos WHERE idestablecimiento = 1 AND idtipo = \"

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = [img]JaVaScRiPt:alert(1578226035);[/img] AND borrado = 0

SELECT * FROM pr_pyd_precios WHERE idestablecimiento = 1 AND (idtipo = ../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd OR idtipo = -1) AND  fechainicio =

SELECT * FROM pr_habitaciones_establecimientos WHERE idestablecimiento = 1 AND idtipo = ../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd

SELECT * FROM pr_habitaciones_tipos WHERE idtipo = <scrip<script>t>alert(1047690885);</scrip</script>t> AND borrado = 0
The first strange thing is that there is no "referer", when that page (reservas2.php) MUST come from reservas.php, as it sends a Form. There is no link or direct link from anywhere (not even in Google I think). And if it was from within the site, I would get the referer.

The second strange thing is all those etc/passwd references. Of course I do not use any of them on my site. And the same with that "JaVaScRiPt" thing.

I'm not worried at all because I guess it did nothing. But at the same time, I'm a bit worried because exploits can work in unexpected ways, and I'm thinking whether someone could have read the passed file and popped it up in a javascript alert() window.

Thanks in advance.
Regards.
Katixa (ASKER):
By the way, I forgot to mention that I post this here because it is "security" and "linux" related. In any case, I want someone to get confused and think I'm asking about a security issue on PHP or SQL.

I understand this as an attempt to exploit a web server using forms. I think that /etc/passwd is directly related to linux security, and I ask here in case some of the experts know something about an exploit like this one.

Thanks again.
ASKER CERTIFIED SOLUTION
mr_egyptian (United States of America):
This solution is only available to members of Experts Exchange.
Katixa (ASKER):
Hi,

Thanks for replying, and sorry for not clarifying this better.

My question was not exactly whether this was a hacking attempt (well, it's the subject, but not exactly the main question). First I wanted to confirm it, and second I wanted to know if I should be worried. I wanted to know if someone knew something about this specific issue and had an answer like "oh yes, that's a very common web-form hack attempt, blabla, don't worry if you don't have this and this, they have nothing to do", or just "you should be sure to enable this and disable that in order to keep /etc/passwd safe", etc...

I don't know a lot about linux security, so I don't know either about ways that people or bots try to enter systems :-)

Now let me clarify a bit more. We have a dedicated server running Fedora Core 3 with Apache 2, and we host around 70 sites. These are sites that we develop for our customers. We do not sell hosting, we just develop web pages, and then host them there.

The script mentioned above (reservas2.php) is a page on a domain that is for hotel bookings. This script confirms the availability, etc., performing some queries on the database, based on some parameters (hotel, room type, etc.).

At the same time, each SQL query runs a function that I developed to email me after any error, passing all the information you saw above.

As I see that all the strange values come after "idtipo", I guess that the bot (or person) doing that uses that parameter to send those strings. Something like:

reservas2.php?idtipo=../../../../../../etc/passwd

So then the SQL query crashes and I receive this error.

So basically I am not asking about avoiding this or how to fix it. I am asking about something that never happened before, and I'm curious to know if I should worry or not. Maybe, also, I should replace any /etc or passwd strings with blanks, for safety... but that's another topic :-)

Thanks again.
Well, you should always worry...

Yes, this is a fairly common type of exploit script.  It is designed to attempt an upward traversal of the directory structure in order to access files that you don't want people to have access to (outside your document root).  In this case the target is your passwd file, which they would then attempt to decrypt in order to gain shell level access to your box.  This is not likely to happen through your database system.

These types of attacks, including many others, most likely hit your box many times per day without your being aware of it.  You just noticed this one because your script emails you query errors.  If you want to see 'most' of the attacks against your machine, look into an IDS of some sort, as mentioned above, i.e. Snort.  You can also perform penetration testing against your network/servers using a myriad of tools.  Nessus would be a good place to start, as they have many plugins available for testing various types of exploits.

I hope that was a better answer.  I guess it boils down to how worried you want to be.  For the sql errors you posted, I wouldn't be too worried, though that's not to say there aren't other forms/scripts on your server that are vulnerable.
Katixa (ASKER):
Hi again,

Thanks for your reply. Well, I think I'll give this as the accepted answer, but before that I would like to discuss this issue a bit more, if there is no problem. Today a customer called telling us that they had received around 500 emails, and wanting to know if we were performing some test or anything. We downloaded the emails here.

This time they were emails sent from the contact form, and not SQL errors. The customer receives a PHP generated mail once a visitor fills in the contact form. These emails also contained those ../../../../../../../etc/passwd tests (some of them).

One of those emails popped up a javascript alert when opened, displaying the following:

acunetix-xss-test

I searched and found out that it's an application for testing server security. The source code of the message is the following (the part of interest):

Name: 111-222-1933emails@address.com
Phone: 111-222-1933emails@address.com
E-Mail: 111-222-1933emails@address.com
Comments: <ScRiPt bad=">" src="http://testphp.acunetix.com/xss.js?509138174"></ScRiPt>

It is the same pattern as the "JaVaScRiPt" one I posted yesterday. Unfortunately I don't have a contact log for checking IPs (in this case... usually I store all contact forms in a table in the database). I'm thinking of contacting Acunetix, as I'm pretty sure that their license says, somewhere, that the test should be performed only against a machine that authorized it.

Maybe I'm wrong, but I guess that someone is running these tests against our IP, or maybe against single domains hosted by us; I'm not sure now.

I will install Nessus on our old dedicated server and test it, because I don't feel really safe now. What I don't want is customers receiving mails. I hope the tests only focus on the system and not on specific domains with SQL injections and such.

Thanks again for your time.
Katixa (ASKER):
OK, I installed Nessus 3.0.4 on my own computer, under Windows XP. The result was the following:

22 open ports, 88 Notes, 4 Warnings, 2 Holes.

About the notes... they seem a lot. The warnings... well, they are just warnings, but I did not like the word "hole", nor so many open ports.

I still did not check it (I just printed the report, but I'm very busy on a project that should have been finished yesterday).

I also tried to search for the IP in the system logs, but I don't really know where to look for it. I did a more|grep on some access and bandwidth files, and found 4 entries for that IP, trying to connect to "long-name-with-some-inexistent-host", and after some searching on Google I also found a Wiki entry about that which simply says "111-222-1933emails@address.com".

I did a traceroute to the IP and saw that it belongs to someone near us, as it uses an ISP that is only available in our area. At the same time, the two sites "scanned" (or at least the two I know about) are about room booking.

I guess that maybe someone tried to check the server security by launching a test against those two (or more) domains. Nice...
noci:

This was an attack, as said before.

The software (php scripts) should check credentials, and should sanitize fields BEFORE any use; an ASCII-only field should only contain ASCII data, etc.

Then, if a referrer is required, make it a requirement of your script... btw, it's not a very good security measure.
Making random queries is easy; don't assume only browsers can use the server.

Some pointers:
Look into tools like curl (http://curl.haxx.se/) and wget (http://wget.sunsite.dk/)
For securing your webserver: mod_security (http://www.modsecurity.org/)
For education: http://quiz.ngsec.com/
You received a typical web application attack: someone trying XSS and directory traversal, file predictions, etc.
As already said, you should improve your script to validate each and every input coming from the browser (including those from the HTTP header), and reject anything which violates your white list for each parameter.

The refer(r)er is an unreliable variable and can be set to anything you want, including omitting it.
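As an added illustration, not code from this thread nor from the asker's reservas2.php, this is the whitelist validation and parameter binding that the replies above recommend, applied to the idestablecimiento and idtipo parameters seen in the error reports. The table name comes from the page; the function names, the PDO connection and the regular expression are my own assumptions.

```php
<?php
// Added example (not the original reservas2.php): whitelist-validate the
// booking parameters and bind them, instead of concatenating them into SQL.

/**
 * Validate one integer id parameter from the request.
 * Returns the int, or null if the value is missing or not a plain positive
 * integer. Values like "../../etc/passwd", "<img src=...>" or "\"" (the ones
 * that showed up in the error mails) are all rejected here, before any SQL
 * is built, so the database never sees them and never raises an error.
 */
function validate_id($value): ?int
{
    if (!is_string($value)) {
        return null;                       // arrays (idtipo[]=...) are not ids
    }
    if (!preg_match('/^[1-9][0-9]{0,8}$/', $value)) {
        return null;                       // digits only: no sign, no spaces
    }
    return (int) $value;
}

/**
 * Look up room types with bound parameters. $pdo is assumed to be a PDO
 * connection opened with PDO::ERRMODE_EXCEPTION; $params is $_GET or $_POST.
 */
function find_room_types(PDO $pdo, array $params): array
{
    $idest  = validate_id($params['idestablecimiento'] ?? null);
    $idtipo = validate_id($params['idtipo'] ?? null);
    if ($idest === null || $idtipo === null) {
        http_response_code(400);           // bad request: stop here, no query
        return [];
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM pr_habitaciones_establecimientos
          WHERE idestablecimiento = :idest AND idtipo = :idtipo'
    );
    $stmt->execute([':idest' => $idest, ':idtipo' => $idtipo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Contact-form fields that end up in an HTML mail: escape them, so a
 * "<ScRiPt ...>" comment is displayed as text by the customer's mail
 * client instead of being executed when the mail is opened.
 */
function escape_for_mail(string $field): string
{
    return htmlspecialchars($field, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

With this in place the error-mail hook still works for genuine code errors, while probe strings are answered with a 400 and produce neither an SQL error nor a mail to the customer.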