Solved

Security question - php/mysql  - hack

Posted on 2011-09-22
Last Modified: 2012-05-12
A Chinese company has been trying to hack our site.  I have recorded all activity and would appreciate advice to ensure our security integrity is maintained.

They are trying to run the following scripts (this is just a sample, there are lots more they are trying to run).  

They started off with

/muieblackcat

then tried lots of others including
//_myadmin/scripts/setup.php
//phpmya/scripts/setup.php
//admin/my/scripts/setup.php
//mysql2/scripts/setup.php
//phpmyadm/scripts/setup.php
//php1/scripts/setup.php
//webmail2/scripts/setup.php
//pma_mydb/scripts/setup.php

Any ideas exactly what they are after, and the best way to protect ourselves?

We just want to get on with business and it's really frustrating having to deal with idiots like this.

We don't have anything in there of value, it's just a nuisance and costs time.

I would appreciate advice from people who are really strong in security (ideally reformed hackers).  It seems they are after database and trying to setup

I am just wanting to make sure we are as best protected as possible.  We have non standard naming conventions for files and path, use form validation, etc.

I am particularly interested in what motivates these people and what I can do to prevent them getting access.
Question by:debbieau1
 
LVL 3

Accepted Solution

by:
dkellner earned 300 total points
ID: 36584540
It's a standard scan for well-known administration programs and their usual names/URLs, like phpMyAdmin.  Once they have a valid response for one of these requests (like something other than 404) they'll try to go for the specific thing and its weak spots.  Check all the file/directory rights and owners, make VERY sure that no one is able to write to any important directory as www-data, watch out for scripts dealing with passwords (disable error messages that could possibly reveal passwords - redirect all error messages to a logfile outside the web document tree), etc.

95% of these attacks go for security holes in known open-source scripts; maybe get some fresh updates for whatever you use.  AND!  If you have a chance, log all MySQL queries containing comment signs, coded character strings or the UNION keyword.  Many attacks rely on these.  You can find lots of sites about "mysql injection", read them to know what's out there.

Nothing has happened so far - at least I hope so - don't panic.
0
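The query logging suggested in the answer above, sketched as an added example (not part of the original answer or of any library). The function names and sample queries are assumptions constructed for illustration; string literals are blanked before matching so ordinary data does not trigger a flag.

```python
import re

# Quoted literals ('...' or "..."), allowing backslash escapes and doubled quotes.
# They are blanked first so data such as '#ff0000' does not count as a comment sign.
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'" r'|"(?:[^"\\]|\\.|"")*"', re.S)

# The three things the answer suggests logging (MySQL syntax).
MARKERS = {
    "comment": re.compile(r"--(?:\s|$)|#|/\*"),
    "encoded": re.compile(r"\b0x[0-9a-f]{2,}\b|\b(?:CHAR|UNHEX)\s*\(", re.I),
    "union": re.compile(r"\bUNION\b", re.I),
}

def suspicious_markers(query):
    """Return the sorted marker names found outside string literals."""
    bare = STRING_LITERAL.sub("''", query)
    return sorted(name for name, rx in MARKERS.items() if rx.search(bare))

def audit(queries):
    """Return (query, markers) pairs for the queries worth writing to a review log."""
    flagged = []
    for q in queries:
        hits = suspicious_markers(q)
        if hits:
            flagged.append((q, hits))
    return flagged

# Constructed sample queries, as the application would have assembled them.
SAMPLE_QUERIES = [
    "SELECT id, title FROM articles WHERE id = 42",
    "SELECT name FROM colours WHERE hex = '#ff0000'",
    "SELECT id, title FROM articles WHERE id = 42 UNION SELECT a, b FROM t2",
    "SELECT id FROM users WHERE name = 'x' OR 1=1 -- ' AND pass = ''",
    "SELECT id FROM items WHERE name = 0x61646d696e",
]

if __name__ == "__main__":
    for query, hits in audit(SAMPLE_QUERIES):
        print(",".join(hits), "|", query)
```

This is a logging aid for spotting attempts, not an input filter; flagged queries still need a person to review them.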
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 200 total points
ID: 36590751
Probably script kiddies.  Do these attacks all come from the same IP address?  You might ask your hosting company to block that address.
0
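An added example (not from the thread) covering the two answers above: it finds the probe requests quoted in the question in a web server access log, counts them per source IP, and lists any probe that got something other than a 404. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: client IP, identity, user, [time], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Probe shapes quoted in the question: the /muieblackcat marker request and
# guessed admin locations ending in /scripts/setup.php.
PROBE_RE = re.compile(r"^/+muieblackcat$|/scripts/setup\.php$", re.I)

def triage(log_text):
    """Return {ip: {"probes": count, "answered": [(path, status), ...]}}."""
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if not PROBE_RE.search(path):
            continue
        entry = report[m.group("ip")]
        entry["probes"] += 1
        status = int(m.group("status"))
        if status != 404:  # anything but 404 tells the scanner something is there
            entry["answered"].append((path, status))
    return dict(report)

def block_candidates(report, min_probes=3):
    """IPs with at least min_probes probe requests, busiest first."""
    ips = [ip for ip, e in report.items() if e["probes"] >= min_probes]
    return sorted(ips, key=lambda ip: -report[ip]["probes"])

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2011:03:14:01 +0000] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [22/Sep/2011:03:14:02 +0000] "GET //phpmya/scripts/setup.php HTTP/1.1" 404 221 "-" "-"
203.0.113.7 - - [22/Sep/2011:03:14:02 +0000] "GET //pma_mydb/scripts/setup.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [22/Sep/2011:03:15:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Sep/2011:03:14:03 +0000] "GET //mysql2/scripts/setup.php HTTP/1.1" 404 221 "-" "-"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in block_candidates(result):
        print(ip, result[ip]["probes"], "probes; answered:", result[ip]["answered"])
```

Any path in the `answered` list is the one to look at first, since it is a location the scanner now knows exists.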
 
LVL 1

Author Comment

by:debbieau1
ID: 36590757
Yes, they do.

Thanks to both of you for the feedback.  What is a script kiddie?  Are these just automated scripts?
 
LVL 1

Author Closing Comment

by:debbieau1
ID: 36590764
Both feedback very useful thanks
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 36590782
 
LVL 1

Author Comment

by:debbieau1
ID: 36590827
Thanks very much.  Interesting reading