A web server running Apache 2 and PostgreSQL was successfully compromised using a SQL injection vulnerability. I first noticed there was a new table in one of our PostgreSQL databases named ‘t_jiaozhu’.
[Screenshot: the t_jiaozhu table in the public schema of the PostgreSQL database]
The table was not something that I or our developer had created, so I immediately went into WTF mode. First I googled the term ‘t_jiaozhu’ and found only one English result, which mentioned SQL injection attacks using the previously mentioned table name. At this point we searched the PostgreSQL log files but did not turn up much; then, with the advice of our local security engineer, we checked the Apache web server log files and found the attack.
# grep t_jiaozhu *
fred-access_log:126.96.36.199 - - [25/Mar/2007:11:59:32 -0400] "HEAD /showemploymentopportunity.php?id=38;create%20table%20t_jiaozhu(jiaozhu%20varchar(200)) HTTP/1.1" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"
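As an added example (not from the original post or its server), the grep above generalized into a small log scanner: it parses Apache combined-format lines, URL-decodes the request, and flags any request that carries a stacked SQL statement or a non-integer value in the id parameter, which is the same property the is_numeric() check at the end of the post enforces. The sample log is constructed; apart from the line quoted above, the IP addresses are documentation-range placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined log format, the layout of the access_log line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# ';' followed by a statement keyword in the decoded URL: a stacked statement.
STACKED_RE = re.compile(r';\s*(create|drop|alter|insert|update|delete|copy)\b', re.I)

def query_params(raw_target):
    """Split the raw query on '&' and decode each part after splitting."""
    params = {}
    for pair in urlsplit(raw_target).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def find_injection_attempts(lines, numeric_params=("id",)):
    """Return (ip, user_agent, decoded_target) for requests carrying a stacked
    statement or a non-integer value in a parameter that must be an integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line
        decoded = unquote_plus(m["target"])
        params = query_params(m["target"])
        suspicious = STACKED_RE.search(decoded) is not None
        for name in numeric_params:  # same property the is_numeric() fix enforces
            if any(not re.fullmatch(r"-?\d+", v.strip()) for v in params.get(name, [])):
                suspicious = True
        if suspicious:
            hits.append((m["ip"], m["ua"], decoded))
    return hits

# Constructed sample: the request from the post plus two ordinary requests.
SAMPLE_LOG = [
    '126.96.36.199 - - [25/Mar/2007:11:59:32 -0400] "HEAD /showemploymentopportunity.php'
    '?id=38;create%20table%20t_jiaozhu(jiaozhu%20varchar(200)) HTTP/1.1" 200 - "-" '
    '"Mozilla/3.0 (compatible; Indy Library)"',
    '192.0.2.10 - - [25/Mar/2007:12:01:07 -0400] "GET /showemploymentopportunity.php'
    '?id=38 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [25/Mar/2007:12:02:44 -0400] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for ip, ua, target in find_injection_attempts(SAMPLE_LOG):
        print(ip, ua, target, sep="\t")
```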
The engineer also raised the possibility that the IP address the attack came from may have belonged to a bot using an IDS.
“After the table was created, there were several hits from that IP that had the following user agent: "Mozilla/3.0 (compatible; Indy Library)". A little digging shows that it might be a Chinese spambot.”
Our developer quickly discovered that we were not checking variables that were being passed. A quick addition of code fixed the problem.
// Force $id to a number before it is used in the query; anything non-numeric becomes 0.
if (!is_numeric($id)) $id = 0;