I know someone whose server with cPanel/WHM and phpBB 3.0.x was victimized by a MySQL injection attack against phpBB (or a plugin thereof). Certain information was leaked, but we do not know the extent of the leak. Is it possible to determine what information was leaked by examining logs? Thank you!
-
possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Feb 02 '15 at 18:42
-
@yoonix Yes, you need to nuke it from orbit, but that doesn't say anything about determining the extent of information leakage. – Michael Hampton Feb 02 '15 at 18:53
-
Cleaning up the issue is an entirely separate issue from assessing the damage. – Matt Eskridge Feb 02 '15 at 19:02
-
Fair enough, I've retracted the close vote. I think we would be far better served adding the answer to that question since they pretty much go hand in hand. While they're different steps of dealing with a compromised server, they're hardly 'entirely separate'. That's what the whole 'Understand the problem fully' piece is really about. If you don't understand the problem fully, you can't possibly determine what was leaked. You should assume all of it was leaked until / unless you can prove otherwise. – Feb 02 '15 at 19:19
-
In short, not really. But usually those attacks are automated and just try to inject various things that do not require root privileges, like spambots, flood clients. Are you sure this one was a targeted attack and resulted in information leak? – Dan Feb 02 '15 at 19:56
-
How do you know that it was an SQL injection that led to the compromise? – 200_success Feb 02 '15 at 20:01
-
@Dan: We know that information was leaked. – Matt Eskridge Feb 02 '15 at 22:36
-
@200_success: The attacker claimed that it was an SQL vulnerability. We do not know for certain. – Matt Eskridge Feb 02 '15 at 22:38
-
[Administration panels are off topic](http://serverfault.com/help/on-topic). [Even the presence of an administration panel on a system,](http://meta.serverfault.com/q/6538/118258) because they [take over the systems in strange and non-standard ways, making it difficult or even impossible for actual system administrators to manage the servers normally](http://meta.serverfault.com/a/3924/118258), and tend to indicate low-quality questions from *users* with insufficient knowledge for this site. – HopelessN00b Mar 09 '15 at 08:53
1 Answer
Can you determine if any relevant data was stolen?
Potentially, yes.
If an attacker only used SQL injection and wasn't able to escalate privileges further, odds are that the system logs are still reliable. That may allow you to trace some of the attacker's steps.
The thing is that, for instance, by default most web servers do log requested URLs and, although those typically include GET request parameters, they do not contain the values of parameters for POST requests.
The same holds for a MySQL database server: on production systems it is very uncommon to log all queries, as you'd potentially collect huge numbers of MySQL events, and the more commonly used transaction log only records queries that update the database, not the SELECT statements that may have been used to steal your data.
You may be "lucky" and find scripts/binaries etc. that were up- or downloaded by the attacker.
In practice, probably not.
-
Thanks. I suspected this wasn't likely to be possible, but I will investigate the possibilities you mentioned. – Matt Eskridge Feb 02 '15 at 22:34
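Following the answer's point that web server access logs keep GET parameters but not POST bodies, here is an added example (not from the original post or from phpBB) of a Python script that parses combined-format access-log lines, flags GET parameter values carrying SQL injection markers, lists the tables those payloads reference, and counts the POST requests whose submitted values cannot be recovered from the log. The log lines, the client addresses and the marker list are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: client, ident, user, [timestamp], "request", status, size, "referer", "agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Substrings that are rare in legitimate forum parameters but typical of injected SQL (assumed list).
SQLI_RE = re.compile(r"union\s+(all\s+)?select|information_schema|sleep\(|benchmark\(|'\s*or\s+\S+\s*=|--\s*$", re.I)
TABLE_RE = re.compile(r"\bfrom\s+([a-z_][a-z0-9_.]*)", re.I)

# Constructed sample log; the attack line references a phpBB table name but is not a real captured request.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Feb/2015:10:01:22 +0000] "GET /forum/viewtopic.php?f=2&t=15 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2015:10:02:05 +0000] "GET /forum/viewtopic.php?f=2&t=15%27%20UNION%20SELECT%20user_id%2Cusername%2Cuser_password%20FROM%20phpbb_users-- HTTP/1.1" 200 9100 "-" "python-requests/2.5.0"
203.0.113.7 - - [02/Feb/2015:10:02:40 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 302 0 "-" "python-requests/2.5.0"
198.51.100.4 - - [02/Feb/2015:10:03:00 +0000] "GET /forum/search.php?keywords=o%27reilly HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one access-log line into its fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def assess(log_text):
    """Return (list of suspect GET requests, number of POST requests whose bodies the log does not hold)."""
    suspects, unassessable_posts = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            unassessable_posts += 1  # only the URL is logged; the submitted values are gone
            continue
        params = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)  # parse_qs also URL-decodes
        hits = {k: v for k, vals in params.items() for v in vals if SQLI_RE.search(v)}
        if hits:
            tables = sorted({t.lower() for v in hits.values() for t in TABLE_RE.findall(v)})
            suspects.append({"ip": rec["ip"], "ts": rec["ts"], "path": urlsplit(rec["target"]).path,
                             "params": hits, "tables": tables, "agent": rec["agent"]})
    return suspects, unassessable_posts

if __name__ == "__main__":
    found, blind = assess(SAMPLE_ACCESS_LOG)
    for s in found:
        print(f'{s["ts"]} {s["ip"]} {s["path"]} params={s["params"]} tables={s["tables"]}')
    print(f"{blind} POST request(s) could not be assessed from the access log")
```

The table list is only what the logged GET payloads name; as the answer says, anything done via POST bodies or read with unlogged SELECTs stays unknown, so treat the output as a lower bound on what was touched.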