
On our Apache server we have received around 200 HTTP GET requests from the same IP, and a common string in each request is "md5", e.g.

index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/md5(3.1415),222--%20- HTTP/1.1

What kind of attack has the hacker tried here, and should I worry about it?

Pawan Patil

1 Answer


The attacker is trying to exploit a Joomla component called com_s5clanroster, which is vulnerable to SQL injection.

An SQL injection vulnerability has been reported in Joomla Com S5clanroster. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

https://www.checkpoint.com/defense/advisories/public/2014/cpai-2014-2169.html

That same component was also vulnerable to LFI:

  [o] Exploit

       http://localhost/[path]/index.php?option=com_s5clanroster&view=[LFI]
       http://localhost/[path]/index.php?option=com_s5clanroster&controller=[LFI]

http://www.securityfocus.com/bid/39503

Maybe you don't have that component installed, or maybe you are running a different CMS, but make sure that you check your website is up to date. And not only that: also check whether the various plugins are still maintained by their authors, because I have seen vulnerable plugins with no updates available from the author, and that is considered a big problem.

Here is another example which can lead to another problem: Expired Domain Leads to WordPress Plugin Redirects

Consider using ModSecurity (an open-source web application firewall). How to?

Mirsad
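The request quoted in the question is a UNION-based injection whose keywords are wrapped in MySQL `/*!50000 ... */` version comments (MySQL executes the body on 5.0.0 and later; a naive filter sees only a comment) and whose `md5(3.1415)` call is a probe with a predictable result. Below is an added example, my own code and not part of the answer above or of ModSecurity, of the detection logic a log reviewer would apply: decode the request target, unwrap the comment obfuscation, and flag requests that combine `UNION ... SELECT` with a quote, a comment terminator or a canary function call. The log lines are constructed for the demo (documentation-range IPs, hypothetical timestamps); only the first request is the one from the question, the second is a hypothetical follow-up probe.

```python
"""Added example: flag obfuscated UNION SELECT probes in Apache access-log
lines. Sample log lines are constructed; the first request is the one from
the question, the rest are hypothetical."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache combined format (hypothetical IPs/dates).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2017:21:14:02 +0000] "GET /index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/md5(3.1415),222--%20- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2017:21:14:03 +0000] "GET /index.php?option=com_s5clanroster&view=s5clanroster&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/md5(3.1415),222,333--%20- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Sep/2017:21:15:10 +0000] "GET /index.php?option=com_content&view=article&id=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2017:21:16:00 +0000] "GET /search?q=md5+checksum+tool HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and the request line of a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)"'
)
# MySQL version comment: /*!50000 body */ is executed on MySQL >= 5.0.0,
# so the body must be treated as live SQL, not as a comment.
VERSION_COMMENT_RE = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
# Plain block comments are a common whitespace substitute in injection payloads.
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

UNION_SELECT_RE = re.compile(r"\bunion\b(?:\s+all|\s+distinct)?\s+select\b")
# Functions attackers call because their output is recognisable in the page.
CANARY_FN_RE = re.compile(r"\b(md5|sha1|sha2|version|user|database|concat)\s*\(")
COMMENT_TERMINATOR_RE = re.compile(r"(--\s|#|/\*)")


def normalise(target: str) -> str:
    """Percent-decode, unwrap comment obfuscation, collapse whitespace, lowercase."""
    decoded = unquote_plus(target)
    decoded = VERSION_COMMENT_RE.sub(r" \1 ", decoded)
    decoded = BLOCK_COMMENT_RE.sub(" ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def classify(target: str) -> dict:
    """Break a request target down into the injection indicators we care about."""
    norm = normalise(target)
    canary = CANARY_FN_RE.search(norm)
    return {
        "union_select": bool(UNION_SELECT_RE.search(norm)),
        "canary_fn": canary.group(1) if canary else None,
        "comment_terminator": bool(COMMENT_TERMINATOR_RE.search(norm)),
        "quote": "'" in norm,
    }


def is_sqli_probe(verdict: dict) -> bool:
    """UNION SELECT alone can be legitimate text; require a second indicator."""
    return verdict["union_select"] and bool(
        verdict["canary_fn"] or verdict["quote"] or verdict["comment_terminator"]
    )


def scan_log(log_text: str) -> list:
    """Return one record per request that looks like a UNION-based SQLi probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if is_sqli_probe(verdict):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), **verdict})
    return hits


def probes_by_ip(log_text: str) -> Counter:
    """Count flagged requests per source IP (the '200 requests from one IP' view)."""
    return Counter(h["ip"] for h in scan_log(log_text))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], "canary:", hit["canary_fn"], hit["target"][:60])
    print(probes_by_ip(SAMPLE_LOG))
```

Note that the innocent search for "md5 checksum tool" is not flagged: the string "md5" by itself means nothing, it is the combination of a decoded `UNION SELECT` with a quote, a comment terminator and a function call that marks the request as a probe. Pair the flagged requests with their response status: a 404 (component not installed, as in the question) means the probe had nothing to hit.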
  • Thank you for the valuable answer! I have cross-checked on the server and there is no com_s5clanroster component installed. – Pawan Patil Sep 11 '17 at 05:04
  • Please also tell me about the md5 string in the request? – Pawan Patil Sep 11 '17 at 05:10
  • You don't need to worry about that. – Mirsad Sep 11 '17 at 05:12
  • The MD5 might be a time-based attack? It would take some time to compute the MD5, which might be detectable client-side? – Silver Sep 11 '17 at 09:15
  • In order for the attacker to know that the SQL injection is successful, they want to call a function on the database that has a known result and see if that result is in the output generated. The choice of md5() specifically is largely irrelevant to the attack. – GrandOpener Sep 11 '17 at 17:28
  • And they picked the start of pi as the string to query. – sha1 Sep 11 '17 at 23:45