Persistent SQL injection attempts

Networking/Security Forums -> Databases

Author: markosaurus   Posted: Thu Jul 29, 2010 6:22 pm   Post subject: Persistent SQL injection attempts
    ----
Hi there,

This is my first time in here, so hi to everyone, and sorry for my first post being to ask for help.

I am a professional PHP developer and as such I can get by coding. What I'm not the best at is server admin.

I have a dedicated server which I use for clients. It got hacked a few months back by some little **** using an SQL injection attack on a site we had taken over from another company; stupidly, we had not gone through and checked the code.

This meant we had to implement our hacking contingency plan, which includes nuking the server completely and rebuilding everything on it. (We had obviously backed everything up first so we could check logs/re-install sites afterwards)

We then re-installed our sites, and pored over the logs until we found the point-of-entry, which turned out to be an escalation of privileges attack. This was sorted out immediately and everything was scanned for other vulnerabilities. We also hardened up security by putting in place a script which searches for injection attempts and emails the admin when an injection attempt is detected.

This was months ago, we still get some 50-1000 of these emails a day, which is obviously a ridiculous situation to be in. Looking at the queries which are being run (they get emailed also), they're all very similar attacks (which fail BTW). My main concern now is that it can only be a matter of time before they discover another way in and we start all over again.

Is there a logical procedure to follow to stop what is obviously an automated and systematic attack on our server, or to track down the culprit? (We think we may have already done so, but would like confirmation of this through other means.)

Any help would be massively appreciated.

TIA

Author: krugger   Posted: Fri Sep 03, 2010 6:02 pm   Post subject:
    ----
The first thing you might want to look at is mod_security, that removes most of the garbage being thrown at your server. But it needs some custom tweaking for each of your sites.

If it is possible, banning the whole network of repeating offenders helps to keep the mod_security log small.

Author: Fire Ant (Location: London)   Posted: Tue Sep 07, 2010 9:09 am   Post subject:
    ----
markosaurus,

I agree with Krugger, Mod Security is a great Web Application Firewall if you have the resources to put it together. I think, however, that emailing the sysadmin every time someone tries a SQL injection is a little overboard. I certainly wouldn't want an email every time someone port scanned me. You will never stop people performing SQL injection; the only thing you can do is put controls in to protect against it, like Mod Security, code reviews and IPS, and controls to detect it, like good log management and analysis and IDS.

Fire Ant
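The thread has two detection-side points: markosaurus's script fires one email per injection attempt (50-1000 a day), Fire Ant says that is overboard and calls for log management and analysis instead, and krugger suggests banning the whole network of repeat offenders. The following is an added example, not code from any of the posters: it runs simple SQL-injection signatures over Apache combined-format access log lines and collapses the hits into one per-source digest, flagging repeat offenders and the /24 networks they come from. The log lines, IP addresses, URL paths and the `threshold` parameter are constructed for the example; the regexes are deliberately narrow and would need tuning for a real site, exactly as krugger notes for mod_security rules.

```python
"""Aggregate suspected SQL-injection probes from an Apache access log into a
per-source digest, instead of sending one alert email per request."""
import re
from collections import defaultdict
from ipaddress import ip_network
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not taken from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2010:18:01:02 +0200] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jul/2010:18:01:03 +0200] "GET /news.php?id=12%27%20OR%201=1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jul/2010:18:01:04 +0200] "GET /news.php?id=12%20UNION%20SELECT%201,2,3,user()-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jul/2010:18:02:10 +0200] "GET /news.php?id=-1%20union%20all%20select%20null,null,null HTTP/1.1" 200 5120 "-" "sqlmap/0.9"
198.51.100.22 - - [29/Jul/2010:18:03:00 +0200] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.22 - - [29/Jul/2010:18:03:01 +0200] "GET /news.php?id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the "very similar attacks" the thread describes. Applied to the
# URL-decoded query string only, so encoding alone does not evade them.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),     # tautology: ' OR 1=1
    re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),           # UNION [ALL] SELECT
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),       # stacked query
    re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\s*\(", re.I),# time-based probe
    re.compile(r"(--|#|/\*)\s*$"),                                 # trailing comment terminator
]


def classify(path: str):
    """Return the regex source that matched the query string, or None if benign."""
    if "?" not in path:
        return None
    query = unquote_plus(path.split("?", 1)[1])
    for pat in SQLI_PATTERNS:
        if pat.search(query):
            return pat.pattern
    return None


def digest(log_text: str, threshold: int = 2):
    """Group suspected attempts by source IP.

    Returns {ip: {"count", "first", "last", "sample", "repeat"}}; "repeat" is set
    once a source reaches `threshold` attempts (threshold is an assumed tunable)."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "sample": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or classify(m["path"]) is None:
            continue
        h = hits[m["ip"]]
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        h["sample"] = h["sample"] or unquote_plus(m["path"])  # keep first decoded payload
    for h in hits.values():
        h["repeat"] = h["count"] >= threshold
    return dict(hits)


def offending_networks(report, prefix: int = 24):
    """Collapse repeat offenders into /prefix networks, the unit krugger suggests banning."""
    return sorted({str(ip_network(f"{ip}/{prefix}", strict=False))
                   for ip, h in report.items() if h["repeat"]})


def format_digest(report) -> str:
    """Render one digest suitable for a single daily email, busiest source first."""
    out = []
    for ip, h in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        flag = " REPEAT" if h["repeat"] else ""
        out.append(f"{ip}: {h['count']} attempt(s) {h['first']} .. {h['last']}{flag}\n"
                   f"    e.g. {h['sample']}")
    return "\n".join(out)


if __name__ == "__main__":
    report = digest(SAMPLE_LOG)
    print(format_digest(report))
    print("candidate network bans:", offending_networks(report))
```

Run on the sample, the digest reports 203.0.113.7 with two attempts (flagged REPEAT) and 203.0.113.9 with one, ignores the benign 198.51.100.22 requests, and proposes 203.0.113.0/24 as a ban candidate. Feeding a day's log through `digest` and sending `format_digest` once replaces hundreds of single-attempt emails with one summary that still shows which sources keep coming back.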

Author: krugger   Posted: Thu Sep 09, 2010 5:28 pm   Post subject:
    ----
Another thing you might be interested in as a PHP developer and hoster is nginx + PHP-FPM.

When you start hosting applications that are poorly written or you don't have time to model the mod_security rules or the developers are constantly changing the parameters, you need something different. With PHP-FPM you will be able to have each virtual host running as a different user with its own php.ini and chroot.

So you assume the poorly written PHP sites will be compromised, but at least they will not compromise the remaining ones. At least in theory; you have to actually deploy the solution to get a better understanding of the benefits and problems.
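krugger's post describes the isolation model but not the configuration. The PHP-FPM pool definition below is an added example, not part of the original post: one pool per virtual host, running as its own Unix user inside a chroot, with per-pool PHP settings locked down via php_admin_value/php_admin_flag. The pool name, socket path, account names and directory layout (/srv/site1 as the chroot, /htdocs inside it as the document root) are assumptions for the example.

```ini
; /etc/php-fpm.d/site1.conf  (assumed path; one such file per virtual host)
[site1]
; Dedicated account per site, so a compromised site1 cannot read site2's files.
user = site1
group = site1

; Private socket; only the web server's worker user may connect to it.
listen = /var/run/php-fpm/site1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; The pool sees /srv/site1 as its filesystem root.
chroot = /srv/site1
chdir = /

; Spawn workers on demand; cap them so one noisy site cannot starve the others.
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s

; Per-pool php.ini overrides; paths are relative to the chroot. php_admin_* cannot
; be changed by the application with ini_set() or .htaccess-style overrides.
php_admin_value[open_basedir] = /htdocs:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp/sessions
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
```

On the nginx side the matching server block hands PHP requests to `fastcgi_pass unix:/var/run/php-fpm/site1.sock;` and must set `SCRIPT_FILENAME` to the chroot-relative path (`/htdocs$fastcgi_script_name`), not the host path, or PHP-FPM will not find the script. Anything the site needs at runtime (a writable /tmp, a MySQL socket or a resolvable hostname, timezone data) has to exist inside the chroot as well, which is the "problems" half of krugger's caveat.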


