SLES 10 SP2 Sql date entry modify by hacker



hoiyi88
01-Dec-2011, 14:46
Hi,

How can I start to trace the problem? The SQL date entry file was modified by
hacker@hacker.org???

/var/log/messages only shows many FTP "Authentication failed" test attempts.

Allowed ports:
FTP: 21
HTTP: 80
HTTPS: 443
Domain: 53
VNC: 5901

Thanks.


--
hoiyi88
------------------------------------------------------------------------
hoiyi88's Profile: http://forums.novell.com/member.php?userid=107113
View this thread: http://forums.novell.com/showthread.php?t=448977

ab
01-Dec-2011, 14:51

If you had setup your machine to send log messages to another host then
you could check that host for messages which, unless it too was
compromised, would be intact and safer to read. How much damage was
done depends on how somebody gets in, but if they were able to get
'root' access then unless you were watching ahead of time in a very
verbose way with logs sent to another machine you're going to have a
hard time tracking this down because they would have had access to undo
anything that you did.

Good luck.

hoiyi88
04-Dec-2011, 14:56
Changed all user passwords and stopped the FTP service. Don't know whether it will work or not.



Bob-O-Rama
04-Dec-2011, 21:56
Hi,

You don't need passwords if you have vulnerable scripts or malware PHP
scripts. If you don't have an AV solution, you need one. Try AVG,
it's free, it works. Once installed do a basic scan:

avgscan -x /var/lib/ntp/proc -P -p -r ~/avgscan.log /

Evil will show up in the logs as follows:


Code:
--------------------
/build/event/a.2/linux9 Virus identified Linux/Brk.B
/build/event/ijoo/bot/xh Virus identified Linux/ProcHider.C
/build/event/infected.surveys.businessOfficer.r57.php Trojan horse PHP/BackDoor.R57Shell
/build/event/infected.lib.ldd.so/tks Virus identified Linux/Sysniff.B
/build/event/infected.sbin.syslogd Virus identified Linux/Agent2.AA
/build/event/infected.usr.bin.slocate Virus identified Linux/Agent.V
--------------------


Any of that stuff means you have been infested with a backdoor that
lets them do whatever they like, whenever they like. If your full scan
comes up clean (that's good!) then it's a poorly written script allowing
SQL injection, or whatever....

Please look at your HTTP logs (e.g. /var/log/apache2/access_log and
error_log) and look for SQL or Perl injection. Perl injections
typically have a lot of semicolons. For example:


Code:
--------------------
"GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; ;echo%20YYY;echo|
"GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
"GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
"GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|

--------------------


SQL injection is similar. You'll see SQL statements being injected.

You can tell if these are being executed by comparing to the error_log
entries.

Google any of these topics, they are not, in any way SLES specific.

-- Bob


--
Bob Mahar -- Novell Knowledge Partner
Do you do what you do at a .EDU? http://novell.com/ttp
"Programming is like teaching a jellyfish to build a house."
More Bob: 'Twitter' (http://twitter.com/BobMahar) 'Blog'
(http://blog.trafficshaper.com) 'Vimeo' (http://vimeo.com/boborama) <--
Click And Be Amazed!
------------------------------------------------------------------------
Bob-O-Rama's Profile: http://forums.novell.com/member.php?userid=5269
View this thread: http://forums.novell.com/showthread.php?t=448977
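Bob's advice above is to grep the Apache access_log for injection attempts and then compare them against error_log entries to see which ones actually executed. The following script is an added example of that triage, not code from the thread or from Novell: it decodes each request target, flags the indicator classes quoted in the thread (awstats-style shell chaining, PHP execution functions in a parameter, and SQL keywords), and attaches any error_log lines from the same client within a few seconds. The log lines embedded in it are constructed samples modelled on the probes quoted above; the client addresses, paths, timestamps and the five-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample logs (not from the poster's server). The request lines are
# modelled on the awstats/passthru probes quoted in the thread, plus one SQL probe.
ACCESS_LOG = """\
203.0.113.5 - - [04/Dec/2011:21:40:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2011:21:40:07 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1" 200 88 "-" "curl"
198.51.100.9 - - [04/Dec/2011:21:41:13 +0000] "GET /phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1" 500 0 "-" "-"
198.51.100.9 - - [04/Dec/2011:21:42:30 +0000] "GET /news.php?id=1%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 200 2100 "-" "-"
"""
ERROR_LOG = """\
[Sun Dec 04 21:40:07 2011] [error] [client 203.0.113.5] Premature end of script headers: awstats.pl
[Sun Dec 04 21:41:14 2011] [error] [client 198.51.100.9] PHP Warning:  passthru() has been disabled for security reasons in /srv/www/htdocs/phpalbum/main.php on line 42
"""

# Apache combined access_log and 2.2-style error_log line shapes.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([\d.]+)\] (.*)$')

# Indicator patterns, applied to the percent-decoded request target.
INDICATORS = {
    "cmd-injection": [
        r"=\|",                                 # parameter value opens with a pipe (awstats configdir=|...)
        r";\s*(uname|id|wget|curl|cat|ls)\b",   # shell commands chained with ';'
    ],
    "php-code-injection": [
        r"\b(passthru|system|exec|shell_exec|eval)\s*\(",  # PHP execution functions inside a value
    ],
    "sql-injection": [
        r"\bunion\b.{0,20}\bselect\b",
        r"'\s*or\s*'?\d+'?\s*=\s*'?\d+",
    ],
}


def classify(target):
    """Return the sorted indicator names that match a (still encoded) request target."""
    decoded = unquote_plus(target)
    return sorted(name for name, pats in INDICATORS.items()
                  if any(re.search(p, decoded, re.I) for p in pats))


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    # Drop the zone: error_log carries none, and both logs are assumed to be local time.
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"client": client, "time": when, "method": method,
            "target": target, "status": int(status)}


def parse_error(line):
    m = ERROR_RE.match(line)
    if not m:
        return None
    ts, client, msg = m.groups()
    return {"client": client, "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"), "msg": msg}


def scan(access_text, error_text, window=timedelta(seconds=5)):
    """List suspicious requests, each with the error_log messages logged for the same
    client within `window` of the request: the execution evidence Bob says to compare."""
    errors = [e for e in map(parse_error, error_text.splitlines()) if e]
    findings = []
    for entry in map(parse_access, access_text.splitlines()):
        if not entry:
            continue
        tags = classify(entry["target"])
        if not tags:
            continue
        related = [e["msg"] for e in errors
                   if e["client"] == entry["client"] and abs(e["time"] - entry["time"]) <= window]
        findings.append({**entry, "tags": tags, "errors": related})
    return findings


if __name__ == "__main__":
    for f in scan(ACCESS_LOG, ERROR_LOG):
        print(f"{f['time']} {f['client']} {f['status']} {','.join(f['tags'])} {f['target']}")
        for msg in f["errors"]:
            print("    error_log:", msg)
```

On a real server, read access_log and error_log from disk instead of the embedded strings and widen the window if the clocks in the two logs are not in step. A hit with a 200 status and no matching error is the worrying case: the script ran cleanly. A hit paired with a "Premature end of script headers" or "has been disabled for security reasons" message tells you the attempt was made but most likely failed, which is exactly the comparison Bob describes.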