linux
ozzzi, 2015-08-28 10:19:08

Hosting hacked: how to find the source of SQL queries?

What we have: a Debian-based VDS.
Banners were found on the site. Looking at the logs showed that the intrusion came through SSH: Accepted publickey. How the attacker logged in with a key is a separate issue. Access from third-party IPs has been closed; no one else has logged in via SSH or FTP. Searching (for eval, base64, etc.) turned up shell scripts (even with links to the authors on GitHub). They were deleted, but despite that, SQL queries started pouring into one of the databases, inserting JS code with redirects. Searching for other "rogue" scripts led nowhere, scanners like ai-bolit and Manul showed nothing sensible, and studying the access logs gave nothing either. The requests come from a local user: [email protected] (remote access to the database from outside IPs is closed).
Question: is it possible to find out the source of the SQL queries, with some variant of mysql-proxy or something else? Or where should I dig?
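A worked answer to the "where do the queries come from" part, added here as an example that is not part of the original post. MySQL can do the recording itself without mysql-proxy: `SET GLOBAL general_log = ON` together with `SET GLOBAL log_output = 'TABLE'` writes every statement into `mysql.general_log` with its `user_host` and `thread_id`. That only tells you user@host, which the asker already knows. To get to the process, the connection has to be caught while it is open: `SHOW FULL PROCESSLIST` shows `localhost:PORT` for TCP clients, and `ss -tnp` shows which local pid owns that source port. The script below does that join on constructed sample output (the two heredoc-style variables imitate `mysql --batch` and `ss -tnp` and are not real captures), so it runs offline; on the box you would feed it the live commands listed in the comments.

```shell
#!/bin/sh
# Added example: tie a MySQL thread back to the local process that owns the connection.
# Live commands (root shell on the server; not run here):
#   mysql --batch -e 'SHOW FULL PROCESSLIST'      -> Host is localhost:PORT for TCP clients
#   ss -tnp state established '( dport = :3306 )' -> peer port plus pid/fd of the client
#   ss -xp | grep mysqld.sock                     -> same idea for Unix-socket clients
# The two samples below are constructed to look like that output so the join runs offline.

PROCESSLIST=$(printf 'Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n41\twww\tlocalhost:48211\tshop\tQuery\t0\texecuting\tINSERT INTO posts (body) VALUES ("<script src=...")\n42\troot\tlocalhost\tNULL\tSleep\t12\tNULL\tNULL\n')

SS_OUT=$(printf 'Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n0 0 127.0.0.1:48211 127.0.0.1:3306 users:(("php-fpm7.0",pid=2231,fd=9))\n')

# mysql_client_port THREAD_ID -> the client's TCP source port, or "socket" for a Unix-socket connection
mysql_client_port() {
    printf '%s\n' "$PROCESSLIST" | awk -F'\t' -v id="$1" '
        $1 == id {
            n = split($3, h, ":")
            print (n == 2 ? h[2] : "socket")
        }'
}

# pid_for_port PORT -> pid of the local process whose connection to :3306 uses that source port
pid_for_port() {
    printf '%s\n' "$SS_OUT" | awk -v port="$1" '
        $3 ~ (":" port "$") && match($0, /pid=[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# pid_for_mysql_thread THREAD_ID -> pid, or "socket" when ss -tnp cannot help (use ss -xp then)
pid_for_mysql_thread() {
    port=$(mysql_client_port "$1")
    [ -z "$port" ] && { echo "no such thread: $1" >&2; return 1; }
    [ "$port" = "socket" ] && { echo socket; return 0; }
    pid_for_port "$port"
}

# With the pid in hand: ls -l /proc/PID/exe /proc/PID/cwd and cat /proc/PID/cmdline
# tell you whether it is php-fpm/apache (so a web shell) or something else, such as a
# cron job or a stray daemon left behind by the SSH intruder.
pid_for_mysql_thread 41   # -> 2231
pid_for_mysql_thread 42   # -> socket
```

A PHP request that does a single INSERT is gone in milliseconds, so run the two live commands in a loop (`watch -n1` or a `while :` with `sleep 0.2`) and log them to a file; the general log's `thread_id` then lets you match a logged INSERT to the processlist snapshot taken at the same second.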


3 answer(s)
DrunkMaster, 2015-08-28
@DrunkMaster

There may not be any rogue scripts; one of your own scripts may have been modified, with a function that inserts into the database added to it.
You need to look at the logs and the modification dates of your files; ideally, clean everything, temporarily disable SSH, clean up the files, and clean the database with regular expressions.
Most likely either a mistake in closing access, or too wide a range is left open, or, hypothetically, if you go through a VPN, the attacker took over VPN access and entered the server from your IP, which is unlikely.

Oleg Kleshchuk, 2015-08-28
@xenozauros

It's better to rebuild the whole system from scratch.
If the server is compromised, things can be hidden so well that you will never find the ends.

StrongServer, 2015-08-30
@StrongServer

There is a chance that a web shell remained in the system (which is why the connection to the database comes from [email protected]) that ai-bolit and Manul did not find, say an encoded web shell.
Try searching the system for new files that have appeared recently / since the suspected hack, and then look inside those files.
