Security Forums
Persistent SQL injection attempts

markosaurus
Just Arrived
Joined: 29 Jul 2010

Posted: Thu Jul 29, 2010 6:22 pm    Post subject: Persistent SQL injection attempts

Hi there,

This is my first time in here, so hi to everyone, and sorry for my first post being to ask for help.

I am a professional PHP developer and as such I can get by coding. What I'm not the best at is server admin.

I have a dedicated server which I use for clients. It got hacked a few months back via some little **** using an SQL injection attack on a site we had taken over from another company; stupidly, we had not gone through and checked the code.

This meant we had to implement our hacking contingency plan, which includes nuking the server completely and rebuilding everything on it. (We had obviously backed everything up first so we could check logs/re-install sites afterwards)

We then re-installed our sites, and pored over the logs until we found the point-of-entry, which turned out to be an escalation of privileges attack. This was sorted out immediately and everything was scanned for other vulnerabilities. We also hardened up security by putting in place a script which searches for injection attempts and emails the admin when an injection attempt is detected.

This was months ago, we still get some 50-1000 of these emails a day, which is obviously a ridiculous situation to be in. Looking at the queries which are being run (they get emailed also), they're all very similar attacks (which fail BTW). My main concern now is that it can only be a matter of time before they discover another way in and we start all over again.

Is there a logical procedure to follow to stop what is obviously an automated and systematic attack on our server, or to track down the culprit? (We think we may have already done so, but would like confirmation of this through other means.)

Any help would be massively appreciated.

TIA

krugger
SF Mod
Joined: 08 Jun 2006

Posted: Fri Sep 03, 2010 6:02 pm

The first thing you might want to look at is mod_security, which removes most of the garbage being thrown at your server. But it needs some custom tweaking for each of your sites.

If it is possible, banning the whole network of repeat offenders helps to keep the mod_security log small.

Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Location: London

Posted: Tue Sep 07, 2010 9:09 am

markosaurus,

I agree with Krugger, Mod Security is a great Web Application Firewall if you have the resources to put it together. I think, however, that emailing the sysadmin every time someone tries a SQL injection is a little overboard. I certainly wouldn't want an email every time someone port scanned me. You will never stop people performing SQL injection; the only thing you can do is put controls in to protect against it, like Mod Security, code reviews, IPS, and controls to detect it, like good log management and analysis, IDS.

Fire Ant

krugger
SF Mod
Joined: 08 Jun 2006

Posted: Thu Sep 09, 2010 5:28 pm
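Added example, not code from any poster in this thread: the "good log management and analysis" Fire Ant mentions, and the "repeat offenders" krugger would ban, can both come out of one pass over the web server access log. The script below summarises injection-looking requests per client address and reports only clients over a threshold, which is the point at which one alert per offender replaces the 50-1000 mails a day the original post describes. The log lines are constructed (documentation addresses), and the signature list, decoder and threshold are assumptions to tune per site.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Summarise SQL-injection probes per client from a combined-format
# (Apache/nginx) access log, so one report per repeat offender replaces
# one e-mail per request. Log lines, patterns and threshold are
# constructed for the example.

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG="${TMPDIR:-/tmp}/sqli_sample_$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [03/Sep/2010:10:01:01 +0200] "GET /index.php?id=1 HTTP/1.1" 200 512
203.0.113.10 - - [03/Sep/2010:10:01:02 +0200] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512
203.0.113.10 - - [03/Sep/2010:10:01:03 +0200] "GET /index.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512
203.0.113.10 - - [03/Sep/2010:10:01:04 +0200] "GET /index.php?id=1%20and%201=1-- HTTP/1.1" 200 512
198.51.100.7 - - [03/Sep/2010:10:02:00 +0200] "GET /news.php?cat=2 HTTP/1.1" 200 1024
198.51.100.7 - - [03/Sep/2010:10:02:05 +0200] "GET /news.php?cat=2%20union%20all%20select%20null,null HTTP/1.1" 500 300
192.0.2.44 - - [03/Sep/2010:10:03:00 +0200] "GET /about.php HTTP/1.1" 200 2048
EOF

# Undo the URL escapes that matter for matching. Minimal decoder, enough
# for the sample; a real deployment decodes fully so encoding cannot hide
# a request from the patterns.
url_decode() {
  sed -e 's/%20/ /g' -e 's/+/ /g' -e "s/%27/'/g" -e 's/%28/(/g' -e 's/%29/)/g'
}

# Signatures of the failing, automated probes the thread describes.
# Case-insensitive; an assumed starting list, tune per site.
SQLI_RE="union[[:space:]]+(all[[:space:]]+)?select|'[[:space:]]*or[[:space:]]*'|[[:space:]](or|and)[[:space:]]+1=1|information_schema"

# sqli_counts LOG -> "count ip" for each client with at least one match,
# busiest first. Field 1 of the combined log format is the client address.
sqli_counts() {
  url_decode < "$1" | grep -iE "$SQLI_RE" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# repeat_offenders LOG THRESHOLD -> one address per line for clients at or
# above THRESHOLD matches. This list is what to alert on (or feed to a
# firewall block list), instead of mailing every single request.
repeat_offenders() {
  sqli_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "injection probes per client:"
sqli_counts "$SAMPLE_LOG"
echo "clients with 3 or more probes:"
repeat_offenders "$SAMPLE_LOG" 3
```

Run it against yesterday's rotated log from cron and mail the output of `repeat_offenders` once a day; the per-request detail stays in the log for the investigation the original poster wants to do, and the mailbox gets a short list of addresses worth blocking.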

Another thing you might be interested in as a PHP developer and hoster is nginx + PHP-FPM.

When you start hosting applications that are poorly written, or you don't have time to model the mod_security rules, or the developers are constantly changing the parameters, you need something different. With PHP-FPM you will be able to have each virtual host running as a different user with its own php.ini and chroot.

So you assume the poorly written PHP sites will be compromised, but at least it will not compromise the remaining ones. At least in theory; you have to actually deploy the solution to get a better understanding of the benefits and problems.
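Added example, not code from any poster in this thread: what the per-vhost isolation krugger describes looks like as a PHP-FPM pool. The script renders one pool per site with its own unprivileged user, its own chroot and its own php.ini overrides (PHP-FPM applies those through php_admin_value/php_admin_flag in the pool rather than a separate php.ini file), and refuses pool or user names that would break the config. The pool directory, the /srv/www layout with htdocs, tmp and logs inside each chroot, and the socket path are assumptions.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Render a PHP-FPM pool that isolates one virtual host: dedicated system
# user, chroot, per-pool php.ini overrides. Paths and names are assumed.

# valid_name NAME -> 0 if NAME is safe to interpolate into the pool file
# (lowercase letters, digits, underscore, dash), 1 otherwise.
valid_name() {
  case "$1" in
    ''|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# render_pool SITE USER DOCROOT -> pool config on stdout.
# SITE is the pool name (one pool per vhost), USER the dedicated account,
# DOCROOT the chroot directory; it is assumed to contain htdocs/, tmp/ and
# logs/, since every path PHP sees below is relative to the chroot.
render_pool() {
  site="$1"; user="$2"; docroot="$3"
  cat <<EOF
[$site]
user = $user
group = $user

; one socket per pool; nginx reaches it with fastcgi_pass unix:...
listen = /var/run/php-fpm/$site.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; scripts of this pool run with / mapped to the site directory
chroot = $docroot
chdir = /

; per-pool php.ini overrides; php_admin_* cannot be undone by ini_set()
php_admin_value[open_basedir] = /htdocs:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp
php_admin_value[error_log] = /logs/php-error.log
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen

pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# write_pool DIR SITE USER DOCROOT -> writes DIR/SITE.conf, prints its path.
write_pool() {
  dir="$1"; site="$2"; user="$3"; docroot="$4"
  valid_name "$site" || { echo "bad pool name: $site" >&2; return 1; }
  valid_name "$user" || { echo "bad user name: $user" >&2; return 1; }
  render_pool "$site" "$user" "$docroot" > "$dir/$site.conf"
  echo "$dir/$site.conf"
}

# Demo into a temporary directory; on a real host the target is the
# pool directory of your PHP-FPM build (e.g. pool.d), followed by
# `php-fpm -t` and a reload.
DEMO_DIR=$(mktemp -d)
write_pool "$DEMO_DIR" shop shop_php /srv/www/shop
cat "$DEMO_DIR/shop.conf"
```

The chroot is where the "problems" krugger expects show up: anything the site needs at runtime (the MySQL socket or a TCP connection instead, the resolver configuration, /tmp, any binaries PHP shells out to) has to exist inside the chroot, and the site's own paths in the database configuration have to be the chroot-relative ones. The user in each pool is created separately (one unprivileged account per site, no shell), which is what keeps a compromise of one pool from reading another pool's files.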