Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Need help on a web server. The web server is a static one with Apache, PHP and MySQL, and as manager there is Etomite to change page text or create new documents on the website.
Now in our feedback form an anonymous person posted that he/she knows the database name and also gave a sample table name. Now my question is, how can it be known?
All the URLs of the website are like http://www.site.com/index.php?id=xxx
Is there any way to find out the backend database name or the table name from the web?
Look at http://secunia.com/advisories/produc...ask=advisories, then check your webserver and database logs for "odd" queries? You might want to severely restrict access in the meanwhile if the data is worth anything to you.
On a quick check I found 4 vulnerabilities that may apply, but they all refer to a version of etomite which is like 3 years old.
Also Secunia doesn't show anything that seems relevant and more recent than that.
Are you maybe running an ancient version? Or are there maybe any other scripts which may have been targeted?
The one below is the one I faced earlier, around three months back.
Code:
Etomite rfiles.php File Upload Vulnerability
Then I updated Etomite to the latest version and removed that from Etomite.
I have .htaccess in place restricting the manager folder, which is Etomite, to a very restricted set of people.
All pages are given an index as created by Etomite and just the id changes. And there are only two forms where users can submit their suggestions and feedback. Are they the target?
Are there any security sites which can scan my site for these SQL injections or vulnerabilities?
Also have a look at installing ModSecurity for Apache; this is an intrusion detection application designed to look for various types of scan made against your server. It will look for SQL injection attacks and block them immediately.
Are there any security sites which can scan my site for these SQL injections or vulnerabilities?
The "good guys" have vulnerability-scanning software so there's little reason to suspect that script kiddies don't. And of course if the site's being attacked in a targeted way, the attacker wouldn't need to use automation.
As suggested above, you really ought to look at your web access logs. If you can pull together the last few months' worth of web access logs into one file, it should be fairly simple to use awk and grep to search through the file for requests that don't follow this pattern:
Code:
GET /index.php?id=<numeric id within reasonable range here>
If you're not already monitoring your web access logs on a routine schedule or by means of some sort of IDS software, you might want to start.
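An added example of the awk/grep search suggested above (written for this page, not posted by anyone in the thread): it runs over a few constructed Apache combined-format log lines (not real traffic) and prints every request that is not a plain GET /index.php?id=N with N between 1 and MAX_ID, then ranks the client IPs behind those requests. The field positions assume Apache's combined log format, MAX_ID (default 5000) is an assumed upper bound on legitimate document ids, and the sample lines, including the one carrying a UNION SELECT against information_schema as an illustration of what an injection attempt on the id parameter can look like, are constructed for the example and are not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag Apache access-log requests that
# do not match the site's normal GET /index.php?id=<number> pattern.
# Assumes Apache combined log format, where the request line occupies
# fields 6-8 ("GET /path HTTP/1.x"). MAX_ID is an assumed upper bound on
# legitimate document ids; adjust it to your site.

MAX_ID="${MAX_ID:-5000}"

# Constructed sample log lines (not real traffic), for demonstration only.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2009:12:00:01 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2009:12:00:09 +0000] "GET /index.php?id=13 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:12:01:15 +0000] "GET /index.php?id=12%27 HTTP/1.1" 500 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:12:01:20 +0000] "GET /index.php?id=12+UNION+SELECT+table_name,2+FROM+information_schema.tables HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:12:02:02 +0000] "GET /manager/index.php HTTP/1.1" 403 180 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2009:12:03:00 +0000] "POST /feedback.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2009:12:03:05 +0000] "GET /index.php?id=99999 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"'

# odd_requests: read log lines on stdin, print those that are NOT a plain
# GET /index.php?id=N with 1 <= N <= MAX_ID. Everything else (non-GET
# methods, other paths, non-numeric or out-of-range ids, encoded quotes,
# SQL keywords appended to the id) is printed for manual review.
odd_requests() {
    awk -v max="$MAX_ID" '
    {
        ok = 0
        if ($6 == "\"GET" && $8 ~ /^HTTP\/1\.[01]"$/ &&
            $7 ~ /^\/index\.php\?id=[0-9]+$/) {
            id = substr($7, 15) + 0      # drop the 14-char "/index.php?id=" prefix
            if (id >= 1 && id <= max) ok = 1
        }
        if (!ok) print
    }'
}

# odd_ips: client IPs behind the odd requests, busiest first.
odd_ips() {
    odd_requests | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Helpers over the embedded sample so the results can be checked.
count_odd_sample() {
    printf '%s\n' "$SAMPLE_LOG" | odd_requests | wc -l | tr -d ' '
}

top_odd_ip_sample() {
    printf '%s\n' "$SAMPLE_LOG" | odd_ips | head -n 1 | awk '{ print $2 }'
}

# Usage against real logs, e.g.:
#   zcat access.log.*.gz | odd_requests
#   cat access.log | odd_ips
```

On the sample, five of the seven lines are flagged (the encoded single quote, the UNION SELECT, the probe of the manager folder, the form POST and the out-of-range id), and 198.51.100.7 tops the IP ranking. Because the site's legitimate requests are so uniform, allow-listing the one expected shape catches anything unusual without having to enumerate attack signatures; the POST to the feedback form shows up too, which is what you want, since the thread's poster used that form. If the MySQL query log had been running, the same timestamps would point at the corresponding odd statements.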
I am going to find him out. I have written a Perl script to enter the last 2 months of Apache access logs into a MySQL database. Now I will search for any unusual URL, and if I find one then I have the IP too from the log.
It would be better if the MySQL log was also enabled, but unfortunately I disabled it after running it for 1 month on a test basis. Found no reason to enable that, actually.
In the web folder I have two manager folders which are protected by .htaccess to very restricted IPs. So there is no way he did anything from there.
There is no login or authentication page on my website. Only two form pages, one for giving feedback and one for contact info. He used the feedback one to declare his findings.
So there are two ways he could have done it: either by doing something through the URL or by manipulating the 2 forms with SQL injection.
Let me find out which one it is.
I am also thinking of implementing GreenSQL for further security.