Suspicious query locking users tables

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Suspicious query locking users tables

Postby alo » Mon Aug 21, 2023 9:09 am

We have been having a suspicious looking query locking our user tables lately. My assumption is this is someone trying to lock the tables and confuse the system into giving user passwords, but I am not sure.

Code: Select all
SELECT 1/**/AND/**/(SELECT/**/4570/**/FROM/**/(SELECT(SLEEP(13-(IF(ORD(MID((SELECT/**/IFNULL(CAST(`user`/**/AS/**/NCHAR),0x20)/**/FROM/**/asterisk.vicidial_users/**/ORDER/**/BY/**/pass/**/LIMIT/**/87,1),1,1))>32,0,13)))))hqjf) FROM vicidial_list where lead_id='1'


Has anyone seen this and now if its some vicidial action or if it is indeed someone trying to do something nefarious?

SVN: 3750

Thanks!
alo
 
Posts: 197
Joined: Wed Jun 20, 2012 10:21 am

Re: Suspicious query locking users tables

Postby carpenox » Mon Aug 21, 2023 6:49 pm

What os are you using? What type of security do you have in place?
Alma Linux 9.4 | SVN Version: 3890 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2426
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Suspicious query locking users tables

Postby alo » Tue Aug 22, 2023 1:59 am

Port 80 and 443 are exposed, everything else blocked and whitelisted. If I shut down 80 and 443 these queries stop. Thats what makes me think its some sort of attack. I just don't know whats executing it and how. and if it can execute that why not just select all of the users table.
alo
 
Posts: 197
Joined: Wed Jun 20, 2012 10:21 am

Re: Suspicious query locking users tables

Postby kashyapking » Tue Aug 22, 2023 5:43 am

I think you have issues with port 80 or 443, and you need to check your /tmp directory, it must be having some files which are doing this suspicious stuff, you also need to check cronjob if it is set too.
you can remove that suspicious files from /tmp and remove cronjob too if it is set. you need to also check process if it is running in background via top command on server.
I hope this helps.
Vicibox10 | Version: 2.14b0.5 | SVN Version: 3743 | DB Schema Version: 1690 | Asterisk Version: 13.38.2-vici
visit us @ https://www.kingasterisk.com | skype: kingasterisk | wa @ +17864142610
kashyapking
 
Posts: 22
Joined: Fri Aug 18, 2023 11:32 am

Re: Suspicious query locking users tables

Postby alo » Tue Aug 22, 2023 11:57 am

This is incoming traffic...
alo
 
Posts: 197
Joined: Wed Jun 20, 2012 10:21 am

Re: Suspicious query locking users tables

Postby kashyapking » Wed Aug 23, 2023 5:23 am

Yes, you need to block those ip which are executing this kind of suspicious queries via some port connection or script. and also make sure you dont have any script loaded by third party which is executing this.
Vicibox10 | Version: 2.14b0.5 | SVN Version: 3743 | DB Schema Version: 1690 | Asterisk Version: 13.38.2-vici
visit us @ https://www.kingasterisk.com | skype: kingasterisk | wa @ +17864142610
kashyapking
 
Posts: 22
Joined: Fri Aug 18, 2023 11:32 am

Re: Suspicious query locking users tables

Postby carpenox » Wed Aug 23, 2023 1:59 pm

User the dynamic portal and block 80 and 443 to public and only allow trusted. Follow my article it will help: https://dialer.one/how-to-use-the-built ... r-vicibox/
Alma Linux 9.4 | SVN Version: 3890 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2426
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL

Re: Suspicious query locking users tables

Postby martinch » Wed Aug 23, 2023 3:52 pm

That does not look good. I've never seen an ORDER BY pass in the ViCi codebase. Here is a grep from ViCiBox11 over the entire ViCi codebase;

Code: Select all
vicibox11:~ # grep -n -iR "order by pass" /usr/src/astguiclient/
vicibox11:~ #


Seems like a bad actor to me and you should try to secure the system. The guys here are suggesting network troubleshooting as a good place to start.
Project Lead @ mDial -> https://github.com/TheBlode/mDial
martinch
 
Posts: 273
Joined: Thu Nov 15, 2018 9:14 am
Location: England, UK


Return to Support

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 45 guests