

SQL Injection?




Posted by vps_noob, 03-15-2014, 06:59 PM
Guys and People Smarter Than Me, I am running CentOS. In var/lib/mysql/USER_db folders I have some botnet data and reports. See the screenshot I attached. Was I infected by a botnet, or is this some form of protection definition? I ran ClamAV and AVG Linux and they're clean. But if I'm infected, what do I do? Thanks, VPS Noob

Posted by Truman, 03-17-2014, 01:42 PM
Which version of MySQL are you running?

Posted by lenaPS, 03-18-2014, 03:48 AM
FRM files are basically how MySQL stores information about the tables you or your users create. MYI are index files for those tables. Those files are stored in MySQL datadir/database_name. You can run the following SQL on MySQL to get the datadir on your setup: show variables like 'datadir' (will probably return /var/lib/mysql). Based on the attached snapshot, I would say that you have a database named hiimbob_db which contains several tables named bot_reports. I am not familiar with a product that creates such tables, but I would say that based on the information you've provided, there's no sign of infection.

Posted by tuxandrew, 03-18-2014, 01:31 PM
Did you check the related URL with any online scanning tools, like sucuri[dot]net? They may provide more information regarding these types of SQL injections.

Posted by edigest, 03-18-2014, 02:07 PM
Find out who owns the website that DB was created for (if not you) and ask about the DB and what apps they're running. If you are the only user on the VPS, check your config files and see what app that DB is attached to. If you didn't install it, you're infected in some way.

Posted by lenaPS, 03-18-2014, 02:19 PM
I believe that unless you or any of your users have created the tables intentionally, it seems that you're infected with Zeus. The following tables are used by Zeus C&C (on MySQL):

botnet_list – A list of bots and botnets.
botnet_reports – A list of botnet reports.
botnet_reports_YYMMDD – Botnet reports created on a certain date.
botnet_scripts – A list of additional tasks to be sent to bots.
botnet_scripts_stat – A status of additional tasks to be sent to bots.
cp_users – Botnet master user account information.
ipv4toc – IP address to country mappings.

If you need further information on the steps necessary to clean your server from Zeus, post here.

Source: Symantec's Report on Zeus

Last edited by Chris_M; 03-18-2014 at 03:36 PM. Reason: Added source of Zeus C&C tables
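The table list in the post above can be turned into a datadir check. This is an added example, not code from the thread: it walks a MySQL data directory and reports databases whose table files (.frm/.MYI/.MYD) carry the listed names. The three-table threshold, the function names and the sample layout are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Table names exactly as listed in the post above.
ZEUS_TABLES = {"botnet_list", "botnet_reports", "botnet_scripts",
               "botnet_scripts_stat", "cp_users", "ipv4toc"}
DATED_REPORTS = re.compile(r"botnet_reports_\d{6}")   # botnet_reports_YYMMDD
TABLE_FILES = {".frm", ".myi", ".myd"}                # per-table files in datadir/db
MIN_DISTINCT = 3  # assumed threshold: one generic name (cp_users) proves little

def scan_datadir(datadir):
    """Map database name -> sorted list of matching base table names."""
    hits = {}
    for db_dir in sorted(Path(datadir).iterdir()):
        if not db_dir.is_dir():
            continue
        for f in db_dir.iterdir():
            if f.suffix.lower() not in TABLE_FILES:
                continue
            name = f.stem.lower()
            if DATED_REPORTS.fullmatch(name):
                name = "botnet_reports"   # fold dated tables into the base name
            if name in ZEUS_TABLES:
                hits.setdefault(db_dir.name, set()).add(name)
    return {db: sorted(names) for db, names in hits.items()}

def suspicious_databases(datadir, min_distinct=MIN_DISTINCT):
    """Databases where at least min_distinct listed tables occur together."""
    return [db for db, names in scan_datadir(datadir).items()
            if len(names) >= min_distinct]

def make_sample_datadir():
    """Constructed sample layout (empty files, not real data)."""
    root = Path(tempfile.mkdtemp())
    layout = {
        "sample_db": ["botnet_list.frm", "botnet_list.MYI", "cp_users.frm",
                      "botnet_reports_140315.frm", "botnet_scripts.frm"],
        "shop_db": ["cp_users.frm", "orders.frm", "orders.MYD"],
    }
    for db, files in layout.items():
        (root / db).mkdir()
        for name in files:
            (root / db / name).touch()
    return root

if __name__ == "__main__":
    sample = make_sample_datadir()
    print(scan_datadir(sample))
    print(suspicious_databases(sample))
```

On a real server, pass the path returned by `show variables like 'datadir'` to `scan_datadir` and run it with read access to that directory.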

Posted by khunj, 03-18-2014, 11:41 PM
Indeed, it looks pretty much like Zeus or Citadel bot.

Posted by vps_noob, 04-04-2014, 06:47 PM
Guys, how do I clean my server from Zeus or Citadel bot? I have been going crazy for the past 2 weeks. I manually deleted the Botnet folders. I own the website that got infected; the other ones are WordPress sites that I manage myself for 2 businesses and my relatives. Even after I deleted the files, I kept getting phishing junk uploaded. cPanel logins are off, FTP server is off. I keep manually checking the modified times of my home directories. Added Comodo rules to ModSecurity. Maldet, AVG Linux, chkrootkit, ClamAV and other free tools can't find anything. No timthumbs, even added .htaccess protection to WordPress upload folders, and .htaccess to wp-login by IP. Changed root password multiple times. I bought CXS Scanner from ConfigServer and I added all the md5sums and file names as additional bugs. Their daemon quarantines them before they are uploaded again. But that is only if the md5sums are entered. Thanks,

Posted by WebHostingNeeds, 04-25-2014, 04:32 PM
Are the WordPress websites and their plugins updated? Make sure all PHP scripts are updated on your server. Try running rkhunter/chkrootkit.

Posted by HSN-Saman, 04-26-2014, 12:02 PM
It shouldn't be related to SQL injection; your server has been hacked and it has a botnet installed which has created tables on your MySQL server. That doesn't mean for sure your server has been injected via SQL injection bugs, as there are many other vulnerabilities. I'd suggest searching for that vulnerability and patching it before you clean the bot.

Posted by sannin, 04-27-2014, 05:43 PM
Hello, I got a notification yesterday that my shared server's IP got listed in the CBL blacklist. The info I got from the list was: So they detected a TCP connection to that address. I don't think that it is possible from that information alone to pinpoint the problem. I searched all the databases for the tables that are mentioned in the first posts but I did not find anything. I have installed mod_security with -not very recent- gotroot rules, and cxs scanning every night, but it did not pick up anything.

Posted by vps_noob, 04-27-2014, 06:06 PM
Sannin, I own all the domains on my VPS except for one of them. I backed up the cPanel and copied all the accounts to my Windows desktop. I manually scanned them with Nod32, SuperAntiSpyware, and several other antivirus and spyware scanners. Found some junk, cleaned it. I manually looked at and inspected all the account folders, looked for anything named Botnet, and found an index2.php. You might find non-malicious phishing scripts. I had my tech reinstall the VPS OS. In my case the exploit was my friend's Joomla site that I converted to WordPress. After everything was restored I added what junk I found to the CXS extra file. I personally use the Comodo WAF mod_security rules. My FTP server is off and I turned off cPanel logins. I also have cron jobs that update everything and run scans. Then I installed the WordFence plugin for all my WordPress sites. Ran it to compare my core install to the WP repo. I will post some other notes when I'm home with ideas.

Posted by vps_noob, 04-28-2014, 11:34 PM
Here are my notes on clearing some junk and phishing subdomains. If it works, awesome. If you keep getting hacked, your only solution is to wait for ClamAV, Maldet to pick up the bugs or re-install the server OS.

------------------------------

I am running CentOS 64 bit. Maybe someone smarter than me can update my notes if they see errors. FYI, I am not an admin, rather a user.

-------------------------------------------------------

HACKED WITH SUBDOMAINS USED FOR PHISHING:

*NOTE, I am not responsible if you brick your system. Back up files before modding them.

If you are missing the domain names from the Apache conf file, try to rebuild Apache using the script /scripts/rebuildhttpdconf. If the domain is not back in the Apache conf even after rebuilding httpd conf, check if the domain name is present in the folder /var/cpanel/userdata/. If not, the userdata may not be updated. To update the userdata folder, perform the following:

Check the following locations:
/etc/localdomains (file)
/usr/local/apache/conf/http.conf (Apache config; clean out, reboot)
*Check included file paths, they might link to additional confs.
var/cpanel/users (clean up)

Take a backup of /var/cpanel/userdata, delete bad entries and cache, check them out.
Run /usr/local/cpanel/bin/userdata_update (rebuilds userdata).
*It's a reset so that /var/cpanel/userdata can be regenerated. Check out work done.
Run /scripts/updateuserdatacache
Check the file /etc/userdatadomains and confirm that bad domains have not been added.
Rebuild the Apache conf with /usr/local/cpanel/bin/build_apache_conf
Restart Apache: /etc/init.d/httpd stop ; /etc/init.d/httpd start
Clear OLD files (Home and Doms): /usr/local/apache/domlogs/ and var/cpanel/bandwidth

Possible error: "Sorry, you do not control the domain domain2.com" while removing the addon domain "domain2.com" from cPanel.

If you are getting the above mentioned error, follow the below steps:
1. Check whether any main domain is created with the same name.
2. Else follow the below steps:

# /scripts/killdns domain2.com
# grep -ir domain2.com /var/cpanel/users
(remove the domain name from the listed files)
# grep -r domain2.com /var/cpanel/userdata
(remove the domain name from the listed files)
# /scripts/updateuserdomains

Also, remove the domain entry from the Apache configuration file. Restart Apache: /etc/init.d/httpd restart

Alternate rebuild of Apache conf: /usr/local/apache/conf/http.conf rebuilds with /scripts/rebuildhttpdconf.

CHECK FOR SUBDOMAINS IN named.conf:
Check etc/named.conf
Check var/named/ domain.db
To rebuild the named zones requires a script: http://www.ndchost.com/wiki/cpanel/rebuild_named_zones
Create and run it, then: service named restart

SOME SECURITY HARDENING:
http://www.whmsecurity.com/whm/how-t...ecurity-basics
*Harden named.conf for external queries
*Harden tmp folder
*Update or delete old themes & plugins, i.e. WordPress, Drupal, Joomla.
*Buy and install CXS Scanner from ConfigServer
*Install ModSecurity; I use the Comodo WAF free rules.
*Search for file names botnet, index2, php.ini, php5.ini (Go Daddy)
*Get a copy of the BotNet Zeus or whatever phishing scripts are available and use them as a reference to search for file names.
*YouTube videos on botnets
*CSF Firewall: run all the security checks.
*Add those file names and MD5sums to CXS Scanner
*Most IMPORTANTLY make sure your users & passwords are STRONG.

Also search on WHT for advice. Maybe someone else can share some info.

Last edited by vps_noob; 04-28-2014 at 11:38 PM. Reason: forgot disclaimer
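The "confirm that bad domains have not been added" step in the notes above can be automated against the Apache config. This is an added example, not part of the original post: it lists every ServerName/ServerAlias hostname and flags those outside a known-good set. The sample config, the hostnames and the www./mail. alias allowance are assumptions made for the illustration.

```python
import re

DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+)$", re.IGNORECASE)
STD_PREFIXES = ("www.", "mail.")  # assumed: aliases expected for every known domain

def vhost_hostnames(conf_text):
    """All hostnames declared by ServerName/ServerAlias, lowercased, port stripped."""
    names = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):      # whole-line Apache comment
            continue
        m = DIRECTIVE.match(line)
        if m:
            for host in m.group(2).split():    # ServerAlias may list several names
                names.add(host.split(":", 1)[0].lower().rstrip("."))
    return names

def unexpected_hosts(conf_text, expected):
    """Hostnames that are neither a known domain nor its www./mail. alias."""
    expected = {e.lower() for e in expected}
    flagged = []
    for host in sorted(vhost_hostnames(conf_text)):
        base = host
        for prefix in STD_PREFIXES:
            if host.startswith(prefix):
                base = host[len(prefix):]
                break
        if host not in expected and base not in expected:
            flagged.append(host)
    return flagged

# Constructed sample config (documentation addresses and domains, not real data).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    ServerAlias www.example.com mail.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName acct-verify.example.com:80
    ServerAlias www.acct-verify.example.com
    # ServerAlias old.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName blog.example.org
</VirtualHost>
"""

if __name__ == "__main__":
    print(unexpected_hosts(SAMPLE_CONF, {"example.com", "blog.example.org"}))
```

Subdomains are matched exactly rather than by parent domain, because a phishing subdomain sits under a domain you legitimately own.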


