All installation and configuration problems and questions
Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N
by alo » Mon Aug 21, 2023 9:09 am
We have been having a suspicious looking query locking our user tables lately. My assumption is this is someone trying to lock the tables and confuse the system into giving user passwords, but I am not sure.
- Code: Select all
SELECT 1/**/AND/**/(SELECT/**/4570/**/FROM/**/(SELECT(SLEEP(13-(IF(ORD(MID((SELECT/**/IFNULL(CAST(`user`/**/AS/**/NCHAR),0x20)/**/FROM/**/asterisk.vicidial_users/**/ORDER/**/BY/**/pass/**/LIMIT/**/87,1),1,1))>32,0,13)))))hqjf) FROM vicidial_list where lead_id='1'
Has anyone seen this and now if its some vicidial action or if it is indeed someone trying to do something nefarious?
SVN: 3750
Thanks!
-
alo
-
- Posts: 197
- Joined: Wed Jun 20, 2012 10:21 am
by carpenox » Mon Aug 21, 2023 6:49 pm
What os are you using? What type of security do you have in place?
Alma Linux 9.4 | SVN Version: 3890 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
-
carpenox
-
- Posts: 2426
- Joined: Wed Apr 08, 2020 2:02 am
- Location: St Petersburg, FL
-
by alo » Tue Aug 22, 2023 1:59 am
Port 80 and 443 are exposed, everything else blocked and whitelisted. If I shut down 80 and 443 these queries stop. Thats what makes me think its some sort of attack. I just don't know whats executing it and how. and if it can execute that why not just select all of the users table.
-
alo
-
- Posts: 197
- Joined: Wed Jun 20, 2012 10:21 am
by kashyapking » Tue Aug 22, 2023 5:43 am
I think you have issues with port 80 or 443, and you need to check your /tmp directory, it must be having some files which are doing this suspicious stuff, you also need to check cronjob if it is set too.
you can remove that suspicious files from /tmp and remove cronjob too if it is set. you need to also check process if it is running in background via top command on server.
I hope this helps.
Vicibox10 | Version: 2.14b0.5 | SVN Version: 3743 | DB Schema Version: 1690 | Asterisk Version: 13.38.2-vici
visit us @ https://www.kingasterisk.com | skype: kingasterisk | wa @ +17864142610
-
kashyapking
-
- Posts: 22
- Joined: Fri Aug 18, 2023 11:32 am
-
by alo » Tue Aug 22, 2023 11:57 am
This is incoming traffic...
-
alo
-
- Posts: 197
- Joined: Wed Jun 20, 2012 10:21 am
by kashyapking » Wed Aug 23, 2023 5:23 am
Yes, you need to block those ip which are executing this kind of suspicious queries via some port connection or script. and also make sure you dont have any script loaded by third party which is executing this.
Vicibox10 | Version: 2.14b0.5 | SVN Version: 3743 | DB Schema Version: 1690 | Asterisk Version: 13.38.2-vici
visit us @ https://www.kingasterisk.com | skype: kingasterisk | wa @ +17864142610
-
kashyapking
-
- Posts: 22
- Joined: Fri Aug 18, 2023 11:32 am
-
by carpenox » Wed Aug 23, 2023 1:59 pm
User the dynamic portal and block 80 and 443 to public and only allow trusted. Follow my article it will help:
https://dialer.one/how-to-use-the-built ... r-vicibox/
Alma Linux 9.4 | SVN Version: 3890 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
-
carpenox
-
- Posts: 2426
- Joined: Wed Apr 08, 2020 2:02 am
- Location: St Petersburg, FL
-
by martinch » Wed Aug 23, 2023 3:52 pm
That does not look good. I've never seen an ORDER BY pass in the ViCi codebase. Here is a grep from ViCiBox11 over the entire ViCi codebase;
- Code: Select all
vicibox11:~ # grep -n -iR "order by pass" /usr/src/astguiclient/
vicibox11:~ #
Seems like a bad actor to me and you should try to secure the system. The guys here are suggesting network troubleshooting as a good place to start.
Project Lead @ mDial -> https://github.com/TheBlode/mDial
-
martinch
-
- Posts: 273
- Joined: Thu Nov 15, 2018 9:14 am
- Location: England, UK
-
Return to Support
Who is online
Users browsing this forum: Bing [Bot], Google [Bot] and 45 guests