
I have recently switched my hosting server to AWS, and initially all was working fine, but recently I am facing issues with my server in that it goes down several times.

I have monitored it closely and got to know that CPU utilization goes to 100% several times, and every time I need to restart my instance.

So I have checked the access log and error logs, and it seems some hacking activities are going on on my server. Please have a look at the logs below from my error log file:

[Wed Sep 23 14:25:56.081268 2015] [:error] [pid 18791] [client 193.0.***.***:59940] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: -1' OR 2+20-20-1=0+0+0+1 or 'Q2fRfUkq'='

[Wed Sep 23 14:25:56.122526 2015] [:error] [pid 18780] [client 193.0.***.***:59939] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: @@EKtcl

[Wed Sep 23 14:25:56.365583 2015] [:error] [pid 18788] [client 193.0.***.***:59930] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: -1" OR 2+392-392-1=0+0+0+1 --

[Wed Sep 23 14:25:56.663520 2015] [:error] [pid 18786] [client 193.0.***.***:59908] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/
[Wed Sep 23 14:25:56.994941 2015] [:error] [pid 18791] [client 193.0.***.***:59940] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: (select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9)))v)+"*/

Now here I can see that it is trying to access a non-existing file and adding SQL injections, and the unbelievable thing is that it is working: it is pushing my CPU utilization to 100%, and the mysql service uses 90% here.

So how do I prevent this? Please help me with the same.

Is it getting mysql access here, and is that what is happening? As we can see there is no custom.php available, so how are they running mysql queries on the server?

And the most important thing is that the hacker is hacking through curl or a POST script but not using my machine at all.

Er.KT

1 Answer


Given this code, it seems to be an automated attempt to try common patterns for SQL injection. That is why there is intensive use of the CPU. It does not mean that the attack is successful at this level.

Did you notice corrupted data in your DB, or did you notice strange behavior of your PHP app?

To avoid this:

  • Check in your PHP app how the SQL is managed in your PHP code. NEVER permit PHP code to manipulate SQL commands directly. Use functions, and clean your URLs and form POSTs. If that is the case, you can relax.

  • Find a way to blacklist this kind of activity. I mean software that checks your logs and blocks the IP. Install an IDS like Snort, for example.

A simple solution would be to install artillery. It is a simple honeypot that blacklists automated attempts based on faked ports. You can find a good tutorial at https://www.digitalocean.com/community/tutorials/how-to-set-up-an-artillery-honeypot-on-an-ubuntu-vps and the artillery repo at https://github.com/trustedsec/artillery . I used this solution for some customers; it is effective and simple.
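As an added example of the "check your logs and block the IP" suggestion (this is not code from the question, the answer, or artillery), the script below parses the Apache error-log format quoted in the question, flags Referer values that look like the time-based and tautology payloads shown there, and counts them per client IP so that repeat offenders can be handed to a firewall or fail2ban-style blocker. The log lines, client addresses and the `threshold` value are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the Apache error log quoted in the
# question (client addresses are placeholders; the real ones were masked).
SAMPLE_LOG = """\
[Wed Sep 23 14:25:56.081268 2015] [:error] [pid 18791] [client 198.51.100.7:59940] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: -1' OR 2+20-20-1=0+0+0+1 or 'Q2fRfUkq'='
[Wed Sep 23 14:25:56.122526 2015] [:error] [pid 18780] [client 198.51.100.7:59939] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: @@EKtcl
[Wed Sep 23 14:25:56.663520 2015] [:error] [pid 18786] [client 198.51.100.7:59908] script '/var/www/html/includes/custom.php' not found or unable to stat, referer: if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/
[Wed Sep 23 14:26:01.000000 2015] [:error] [pid 18790] [client 203.0.113.5:40001] script '/var/www/html/favicon.ico' not found or unable to stat, referer: http://example.com/
"""

# Pulls the client IP, the missing script path and the (optional) Referer.
LINE_RE = re.compile(
    r"\[client (?P<ip>[^:\]]+):\d+\] script '(?P<script>[^']+)' not found or unable to stat"
    r"(?:, referer: (?P<referer>.*))?$"
)

# Heuristics for the probe styles seen in the question: time-based payloads
# (sleep/sysdate), subselects, and always-true arithmetic tautologies after OR.
SQLI_RE = re.compile(
    r"sleep\s*\(|\bsysdate\s*\(|\bselect\b.*\bfrom\b|\bor\b\s*['\"]?\d+[+\-\d]*\s*=\s*\d",
    re.IGNORECASE,
)

def parse_line(line):
    """Return (ip, script, referer) for a 'not found' error-log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("script"), m.group("referer") or ""

def is_sqli_probe(referer):
    """True when the Referer value looks like an injection payload."""
    return bool(SQLI_RE.search(referer))

def suspicious_ips(log_text, threshold=2):
    """Count injection-like probes per client IP; return those at/above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_sqli_probe(parsed[2]):
            hits[parsed[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} injection-like probes -> candidate for blocking")
```

The threshold keeps a single odd Referer from blocking a legitimate visitor; the resulting IP list is what you would feed to a firewall rule or a log-driven blocker rather than acting on each line individually.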