Web Hosting Talk

hacked mysql?


mynetjob
02-19-2002, 01:45 AM
Hello all,

I have just had my mysql database 'hacked': actually it was rolled back about 3 weeks or so.

I know very little about security, and to be honest hope that my webhost maintains proper security. I run a VERY small site (like 100 unique visitors a month at best).

At any rate, this has me puzzled, and since I seem to be getting limited support from my host on this, maybe someone here can help me out.

From what I can tell, no files have been modified, deleted or added to my directories.
My host uses linux (redhat I believe), apache, and mysql (with phpmyadmin).

Like I said above, I don't know much about security, but I did think I should look through the weblogs, and in the 404 file not found sections, I came across the following:


617 0 143144 | /scripts/..%5c../winnt/system32/cmd.exe
425 372 87125 | /default.ida
398 361 83580 | /scripts/root.exe
377 1 78416 | /MSADC/root.exe
363 0 79134 | /c/winnt/system32/cmd.exe
349 0 76082 | /d/winnt/system32/cmd.exe
327 0 81423 | /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
323 1 80427 | /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
316 0 83740 | /msadc/..%5c../..%5c../..%5c/..^^\../..^^\../..^^\../winnt/system32/cmd.exe
308 0 71148 | /scripts/..^^\../winnt/system32/cmd.exe
300 1 69300 | /scripts/..^/../winnt/system32/cmd.exe
300 1 69300 | /scripts/..^^ï../winnt/system32/cmd.exe
291 0 67221 | /scripts/..^^Ü../winnt/system32/cmd.exe
278 0 64496 | /scripts/..%2f../winnt/system32/cmd.exe


(hmm I hope that pasted well ;-)

At any rate that looks really strange to me as it seems like someone is attempting to access WindowsNT core files directly...which don't exist on a linux box ;-)

Anyhow, this seemed odd to me, and seems to have been going on for a few months now (according to the logs).

Any input on this would be appreciated...

thanks ;-)

Eric

El Nino
02-19-2002, 01:49 AM
All those 404's are the result of Code Red and since you're on a Linux system, you've got no need to worry. I'd ask your host why your database was rolled back by 3 weeks. My guess would be something went wrong on the server and some databases got corrupted.

Lats
02-19-2002, 02:08 AM
I have similar log entries but was advised by that there is nothing to worry about, it's just a pain in the ....

I would recommend that you do a mysql dump to your own PC on a regular basis - it's so easy to do and it's a good habit to get into.


Lats...

mynetjob
02-19-2002, 09:14 PM
Hey all

Thanks for the input. It did turn out to be a server failure of some sort...all my host said was " a lot of the database on serverxxx was lost": very helpful that. Guess it's hiding out behind some little bush someplace :D

Thanks for the info on code red too.

Can't believe how many hits it is responsible for! Even so many months after it was 'found'. Wonder if they count it against my monthly transfer allowance? :stickout

On my small site seems like it is = to about 1/4 of my total hits/month lol

Ahhh well....

Thanks for the info and help.

Lawrence
02-19-2002, 11:00 PM
Actually, I think that's Nimda, not Code Red. Code Red tends to have lots of Xs after the request (for Code Red II).
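The two worms the thread is sorting out leave distinguishable shapes in a 404 report: Code Red requests /default.ida (with the X padding Lawrence mentions), while Nimda probes for the root.exe backdoor and for cmd.exe behind directory-traversal sequences under /scripts, /msadc, /_vti_bin and /_mem_bin. The script below is an added example, not something posted in the thread; it parses lines in the "hits files bytes | path" layout of the report quoted above, labels each path, and totals how much of the 404 traffic is worm noise. The sample report and its counts are constructed for the example, and the label names are my own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the 404 report quoted in the thread:
# "hits files bytes | requested path".  Counts are made up for this example.
SAMPLE_404_REPORT = """\
617 0 143144 | /scripts/..%5c../winnt/system32/cmd.exe
425 372 87125 | /default.ida
398 361 83580 | /scripts/root.exe
377 1 78416 | /MSADC/root.exe
363 0 79134 | /c/winnt/system32/cmd.exe
327 0 81423 | /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
278 0 64496 | /scripts/..%2f../winnt/system32/cmd.exe
12 0 3400 | /favicon.ico
3 0 900 | /old-page.html
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*\|\s*(\S+)")

# Request shapes of the two IIS worms named in the thread.  Code Red hit the
# Index Server ISAPI filter through /default.ida; Nimda looked for the root.exe
# backdoor left behind by Code Red II and for cmd.exe reached through
# directory-traversal sequences under /scripts, /msadc, /_vti_bin and /_mem_bin.
SIGNATURES = (
    ("code_red", re.compile(r"^/default\.ida", re.I)),
    ("nimda", re.compile(r"^/(scripts|msadc)/root\.exe$", re.I)),
    ("nimda", re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.I)),
    ("nimda", re.compile(
        r"^/(scripts|msadc|_vti_bin|_mem_bin)/.*\.\..*winnt/system32/cmd\.exe$", re.I)),
)


def classify(path):
    """Return 'code_red', 'nimda' or 'other' for one requested path."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return "other"


def parse_report(text):
    """Yield (hits, path) for each well-formed report line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(4)


def summarize(text):
    """Total the 404 hits per category and the share caused by worm noise."""
    hits = Counter()
    for count, path in parse_report(text):
        hits[classify(path)] += count
    total = sum(hits.values())
    worm = hits["code_red"] + hits["nimda"]
    return {
        "code_red": hits["code_red"],
        "nimda": hits["nimda"],
        "other": hits["other"],
        "total": total,
        "worm_share": worm / total if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_404_REPORT).items():
        print(f"{key:>10}: {value}")
```

Running it on the constructed report attributes all but 15 of the 2800 missing-file hits to the two worms, which is the kind of figure to show a host when asking whether that traffic counts against a transfer allowance; none of these requests can succeed against Apache on Linux, so the only action they warrant is being filtered out of the logs you actually read.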

freakysid
02-20-2002, 06:23 AM
In any case, the lesson here is to backup your mysql database using mysqldump. If you don't have telnet/ssh access to the server use phpmyadmin to create a mysql dump file which you can then ftp download to your local pc.

Back up everything!!!

AliensX
02-25-2002, 05:11 PM
Hello,

Is there any way to automate this kind of backup to my local computer?

thanks!
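One way to automate the mysqldump backup freakysid describes, as an added example rather than anything posted in the thread: a small script that runs mysqldump, compresses the output to a timestamped file, and rotates old copies so the directory does not grow without bound. It assumes the mysqldump client is installed where the script runs (the local PC, pointed at the server with host=, or the server itself with the files fetched afterwards by scp) and that the credentials sit in a MySQL option file such as ~/.my.cnf under a [client] section, which is passed with --defaults-extra-file so the password never appears on the command line. The database name, user and paths are placeholders.

```python
import datetime as dt
import gzip
import pathlib
import shutil
import subprocess


def mysqldump_command(db, user, host="localhost", password_file=None):
    """Build the mysqldump argv.

    Credentials come from a MySQL option file given via --defaults-extra-file
    (mysqldump requires it to be the first option) instead of the command line,
    where any local user could read them from `ps` output.
    """
    cmd = ["mysqldump"]
    if password_file:
        cmd.append(f"--defaults-extra-file={password_file}")
    cmd += ["--single-transaction", f"--host={host}", f"--user={user}", db]
    return cmd


def prune_old_dumps(dest_dir, db, keep):
    """Delete all but the newest `keep` dumps of `db`; return the removed paths.

    File names embed a YYYYMMDD-HHMMSS stamp, so lexical order is chronological.
    """
    dumps = sorted(pathlib.Path(dest_dir).glob(f"{db}-*.sql.gz"))
    stale = dumps[:-keep] if keep > 0 else dumps
    for path in stale:
        path.unlink()
    return stale


def run_backup(db, user, dest_dir, keep=14, host="localhost", password_file=None):
    """Dump `db` to a gzip'd, timestamped file under dest_dir and rotate old copies."""
    dest = pathlib.Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = dt.datetime.now().strftime("%Y%m%d-%H%M%S")
    final = dest / f"{db}-{stamp}.sql.gz"
    partial = final.with_suffix(".part")  # renamed only once the dump succeeded

    cmd = mysqldump_command(db, user, host, password_file)
    with subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc, \
            gzip.open(partial, "wb") as gz:
        shutil.copyfileobj(proc.stdout, gz)   # stream the dump through gzip
        _, err = proc.communicate()
    if proc.returncode != 0:
        partial.unlink(missing_ok=True)       # never keep a truncated dump that looks valid
        raise RuntimeError(f"mysqldump failed: {err.decode(errors='replace').strip()}")
    partial.rename(final)
    prune_old_dumps(dest, db, keep)
    return final


if __name__ == "__main__":
    import sys
    # Placeholder usage: python backup.py <database> <user> <destination dir>
    print(run_backup(sys.argv[1], sys.argv[2], sys.argv[3],
                     password_file=pathlib.Path.home() / ".my.cnf"))
```

Schedule it from cron on whichever machine runs it (for example a nightly entry such as `15 3 * * * python3 /path/to/backup.py mydb backup_user /home/me/mysql-backups`, paths being placeholders), give the backup user only the SELECT and LOCK TABLES privileges a dump needs, and restore a dump into a scratch database now and then; a backup that has never been restored is only a hope.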

microsol
02-25-2002, 05:25 PM
Originally posted by mynetjob
Can't believe how many hits it is responsible for! Even so many months after it was 'found'.

Ahhh well....

Thanks for the info and help.

You won't believe how many "MILLION" times we have this every month in the server logs. Sometimes we have hourly logfiles of Snort ascending to 500k's. Complaints to the server administrators AND our upstream provider don't seem to be very helpful. They don't care it seems :angry:
We have now more than 500 different hacked (compromised) Windows boxes to block in our ipchains rules of every server!