Notice of Possible SQL Attack

Scott Greczkowski, Staff member
Just a heads up, about an hour ago I got a security notice from our server saying that it detected SQL Injection attacks. In the notice it says that these attacks were blocked.

The file that is said to have been doing the attacking is one of the XenForo (forum software) main files. I downloaded the full XenForo package from XenForo and extracted that file to my local computer. I also renamed that file on the server and uploaded the pure file I just downloaded direct from XenForo to the server.

With the possibly compromised file on my local machine and having the pure file direct from XenForo, I ran a file compare on both of them and there were no differences in the files. In addition, XenForo has a built-in security check of all files that XenForo uses, and all files passed there as well. Finally, I did a complete scan of all files on the server with ImunifyAV and no viruses or malware were found.

This appears to be a FALSE POSITIVE from ModSecurity.

To be on the safe side I also submitted the file to Xenforo for their analysis as well. I am now waiting to hear back from them.

I take the security of our server seriously so when I got this email I immediately jumped into action to investigate the issue. To be transparent with our members I decided it was best to alert our members of the possible issue.

For those wondering, here is what the error looked like... I just had about 20 of these errors in a row, but I am only posting one. As I write this, everything appears OK now. Again, I believe this was a FALSE POSITIVE from ModSecurity.

Code:
Jul 22 08:18:35 2021 systemd: Stopping Apache web server managed by cPanel EasyApache...
[Thu Jul 22 08:18:20.176258 2021] [:error] [pid 18666:tid 47171847317248] [client 197.156.107.248:0] [client 197.156.107.248] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"] [hostname "www.satelliteguys.us"] [uri "/xen/xxxxxxxxxxxxxx.js"] [unique_id "YPliDORkxj8IyDhL7Rd5NQAAAMM"]
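The log entry above is easier to read once its `[key "value"]` pairs are pulled apart, because the entry names three different things: the client address (where the request came from), the URI (the resource that was requested, here a XenForo JavaScript file), and a rule file under /etc/apache2 (the OWASP CRS rule that fired). The following is an added Python example, not code from the thread, from XenForo or from the ModSecurity project. It parses the sample line quoted in the post, summarises source, target and score, and pairs that with the kind of SHA-256 comparison the post describes for checking a served file against the pristine copy from the vendor package. The function names (`parse_modsec_line`, `triage`, `matches_pristine`) are my own, and the sample line is copied from the post with its masked URI left as-is.

```python
import hashlib
import re
from pathlib import Path

# Sample input: the ModSecurity error-log line quoted in the post above
# (copied from the thread; the URI is masked there as well).
SAMPLE_LINE = (
    '[Thu Jul 22 08:18:20.176258 2021] [:error] [pid 18666:tid 47171847317248] '
    '[client 197.156.107.248:0] [client 197.156.107.248] ModSecurity: Warning. '
    'Operator GE matched 5 at TX:inbound_anomaly_score. '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] '
    '[line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - '
    'SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via '
    'libinjection"] [tag "event-correlation"] [hostname "www.satelliteguys.us"] '
    '[uri "/xen/xxxxxxxxxxxxxx.js"] [unique_id "YPliDORkxj8IyDhL7Rd5NQAAAMM"]'
)

# [key "value"] pairs as ModSecurity 2.x writes them into the Apache error log.
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# [client 1.2.3.4:port] (IPv4; the port suffix may be absent).
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied[^.]*)\.')
# The per-category breakdown inside the CRS anomaly-score message.
SCORE_RE = re.compile(r'Total Inbound Score: (\d+) - ((?:[A-Z]+=\d+,?)+)')


def parse_modsec_line(line: str) -> dict:
    """Extract the fields a responder needs from one ModSecurity error-log entry."""
    fields = dict(KV_RE.findall(line))
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else None
    a = ACTION_RE.search(line)
    fields["action"] = a.group(1) if a else None
    s = SCORE_RE.search(fields.get("msg", ""))
    if s:
        fields["total_score"] = int(s.group(1))
        fields["scores"] = {
            k: int(v)
            for k, v in (p.split("=") for p in s.group(2).strip(",").split(","))
        }
    return fields


def triage(fields: dict) -> dict:
    """Summarise who sent what to what.

    The URI is the resource that was requested, i.e. the target; the client
    address is where the request came from. The [file "..."] value is the CRS
    rule file that fired, not a file belonging to the site.
    """
    scores = fields.get("scores", {})
    dominant = max(scores, key=scores.get) if scores else None
    return {
        "source_ip": fields.get("client"),
        "target_uri": fields.get("uri"),
        "vhost": fields.get("hostname"),
        "rule_id": fields.get("id"),
        "total_score": fields.get("total_score"),
        "dominant_category": dominant,
        # 980130 is the CRS 3 correlation/summary rule: it only reports the
        # score. Whether the request was denied shows in the blocking-evaluation
        # entry (rule 949110) or in an "Access denied" action, not in this line.
        "denied_in_this_entry": (fields.get("action") or "").startswith("Access denied"),
    }


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_pristine(served_path: Path, pristine_path: Path) -> bool:
    """The check the post describes: the copy on the server against the copy
    extracted from the vendor package. A differing digest is the signal; an
    identical one says the file is unmodified, not that the request was harmless."""
    return sha256_file(served_path) == sha256_file(pristine_path)


if __name__ == "__main__":
    parsed = parse_modsec_line(SAMPLE_LINE)
    for key, value in triage(parsed).items():
        print(f"{key:>20}: {value}")
```

Run against the sample line, `triage` reports source 197.156.107.248, target /xen/xxxxxxxxxxxxxx.js, rule 980130, total score 5 with SQLI as the only non-zero category, and `denied_in_this_entry` False, because this particular entry is a "Warning" summary rather than the deny decision. That matches the support reply later in the thread: the JavaScript file was the thing being requested, not the thing doing the attacking, and a clean hash comparison against the vendor package is the right way to confirm the file itself was not touched.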
 
(quoting Scott Greczkowski's post above)
Thanks for being proactive! :)
(quoting Scott Greczkowski's post above)
Do you have a lot of members from Ethiopia?
(quoting the question above)
Nope... but I just heard from support. There was no hack of the file; everything on our server is fine. The email was to inform me that someone was trying to hack the site using that file, and the messages were to let me know that our security caught it and stopped them.

Phew!