Topic on Project:Support desk

Help with hacking issue

Mitzzzz (talkcontribs)

Hi,

MediaWiki 1.25.1 PHP 5.3.24 MySQL Software version: 5.5.35-33.0 - Percona Server (GPL), Release rel33.0, Revision 611

Please redirect me to the appropriate place to find out about this if this is not that place!

I have several entries in the server error log like this:

[Mon Jul 06 22:15:08 2015] [error] [client 32.210.12.43] File does not exist: /home/xxx.org/html/wiki/skins/common, referer: http://xxx.org/wiki/load.php?debug=false&lang=en&modules=mediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.content.externallinks%7Cmediawiki.skinning.interface%7Cmediawiki.ui.button%7Cskins.monobook.styles&only=styles&skin=monobook&*

and also:

[Sun Jul 12 21:46:48 2015] [error] [client 32.210.12.43] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 15 at TX:sql_injection_score. [file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "51"] [id "4049002"] [msg "SQL Injection Detected (score 28): IE XSS Filters - Attack Detected."] [hostname "xxx.org"] [uri "/wiki/index.php"] [unique_id "VaMYiMDwsHkAAF6jhHEAAAA0"]

Obviously, someone/something at this server IP address is up to no good. I password protected our wiki for now using .htaccess (it's only for internal use, anyway).

Where can I find out more about this exploit(s) and what to do about it?

Thanks, mitzzzz

88.130.100.7 (talkcontribs)

The message

File does not exist: /home/xxx.org/html/wiki/skins/common

is irrelevant. This folder has been removed in MediaWiki 1.24 - if it does not exist in your 1.25 installation, this is ok.

The second entry,

ModSecurity: Access denied with code 403 (phase 2).
Operator GT matched 15 at TX:sql_injection_score.
[file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "51"] [id "4049002"]
[msg "SQL Injection Detected (score 28): IE XSS Filters - Attack Detected

sounds like it might be security relevant. However, I do not know how exactly ModSecurity is scoring things. Maybe that is only a false positive? Anyway, the message makes me think that ModSecurity blocked that request - whether it was harmful or not.

If you want to investigate that further, it would be relevant to know what the attacker posted in order to trigger the SQL injection rule.

Mitzzzz (talkcontribs)

Thank you.

I was thinking that that particular client [32.210.12.43] was probing for a vulnerability since both requests came from the same IP, over and over.

Would I find what they posted in the transfer log? Or is that not possible after the fact?

mitzzzz

88.130.114.132 (talkcontribs)

Yes, it might well be that the attacker is probing for a vulnerability.

The information from the Apache error_log, which you posted above, is already nice. Maybe ModSecurity has the possibility to write a more detailed log.

Another option would be to enable the debug log in MediaWiki; see Manual:How to debug. This will slow down the system and should only be done ... well, for debugging, but I guess it might also log the stuff which people are trying to post to your server.

Mitzzzz (talkcontribs)

Sounds good. I'll try it, thanks.

Ciencia Al Poder (talkcontribs)

Apache access_log should provide the full URL that triggered the mod_security block, so you can check if the URL is really a malicious one or just a false positive.
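As an added example (not code from this thread, from MediaWiki or from ModSecurity), the following Python script parses the ModSecurity error_log entry quoted above and pulls the request lines for the same client out of access_log, which is the correlation the last two replies suggest. It assumes both logs are written in the server's local time (the access_log timezone offset is dropped) and that access_log uses Apache's common log format; the access_log lines are constructed, not real traffic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the error_log line is the one quoted in the thread,
# the access_log lines are invented to demonstrate the correlation.
ERROR_LOG = [
    '[Sun Jul 12 21:46:48 2015] [error] [client 32.210.12.43] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GT matched 15 at TX:sql_injection_score. '
    '[file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "51"] [id "4049002"] '
    '[msg "SQL Injection Detected (score 28): IE XSS Filters - Attack Detected."] '
    '[hostname "xxx.org"] [uri "/wiki/index.php"] [unique_id "VaMYiMDwsHkAAF6jhHEAAAA0"]',
]
ACCESS_LOG = [
    '10.0.0.5 - - [12/Jul/2015:21:46:47 -0400] "GET /wiki/Main_Page HTTP/1.1" 200 5120',
    '32.210.12.43 - - [12/Jul/2015:21:46:48 -0400] "GET /wiki/index.php?title=Main_Page&action=raw HTTP/1.1" 403 199',
    '32.210.12.43 - - [12/Jul/2015:21:50:02 -0400] "GET /wiki/index.php?title=Special:Version HTTP/1.1" 403 199',
]

ERR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] ModSecurity: (?P<body>.*)$')
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # the [key "value"] pairs ModSecurity appends

def parse_modsec(line):
    """Return the bracketed fields of a ModSecurity error_log entry, or None for other entries."""
    m = ERR_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('body')))
    fields['ip'] = m.group('ip')
    fields['ts'] = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
    score = re.search(r'score (\d+)', fields.get('msg', ''))
    fields['score'] = int(score.group(1)) if score else None
    return fields

def matching_requests(event, access_lines, window=timedelta(seconds=2)):
    """Return (request line, status) pairs from the blocked client within `window` of the block.

    Assumes error_log and access_log share the server's local clock; the access_log
    UTC offset is ignored, so the match is on wall-clock time only.
    """
    hits = []
    for line in access_lines:
        m = ACC_RE.match(line)
        if not m or m.group('ip') != event['ip']:
            continue
        ts = datetime.strptime(m.group('ts').split()[0], '%d/%b/%Y:%H:%M:%S')
        if abs(ts - event['ts']) <= window:
            hits.append((m.group('req'), int(m.group('status'))))
    return hits
```

A 403 in access_log at the same second as the ModSecurity entry is the request to inspect; the query string it shows is what the rule actually scored, so it is the basis for deciding whether the hit was a false positive.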
