Page 1 of 1
Suspicious query locking users tables
Posted:
Mon Aug 21, 2023 9:09 am
by alo
We have been having a suspicious looking query locking our user tables lately. My assumption is this is someone trying to lock the tables and confuse the system into giving user passwords, but I am not sure.
- Code: Select all
SELECT 1/**/AND/**/(SELECT/**/4570/**/FROM/**/(SELECT(SLEEP(13-(IF(ORD(MID((SELECT/**/IFNULL(CAST(`user`/**/AS/**/NCHAR),0x20)/**/FROM/**/asterisk.vicidial_users/**/ORDER/**/BY/**/pass/**/LIMIT/**/87,1),1,1))>32,0,13)))))hqjf) FROM vicidial_list where lead_id='1'
Has anyone seen this and now if its some vicidial action or if it is indeed someone trying to do something nefarious?
SVN: 3750
Thanks!
Re: Suspicious query locking users tables
Posted:
Mon Aug 21, 2023 6:49 pm
by carpenox
What os are you using? What type of security do you have in place?
Re: Suspicious query locking users tables
Posted:
Tue Aug 22, 2023 1:59 am
by alo
Port 80 and 443 are exposed, everything else blocked and whitelisted. If I shut down 80 and 443 these queries stop. Thats what makes me think its some sort of attack. I just don't know whats executing it and how. and if it can execute that why not just select all of the users table.
Re: Suspicious query locking users tables
Posted:
Tue Aug 22, 2023 5:43 am
by kashyapking
I think you have issues with port 80 or 443, and you need to check your /tmp directory, it must be having some files which are doing this suspicious stuff, you also need to check cronjob if it is set too.
you can remove that suspicious files from /tmp and remove cronjob too if it is set. you need to also check process if it is running in background via top command on server.
I hope this helps.
Re: Suspicious query locking users tables
Posted:
Tue Aug 22, 2023 11:57 am
by alo
This is incoming traffic...
Re: Suspicious query locking users tables
Posted:
Wed Aug 23, 2023 5:23 am
by kashyapking
Yes, you need to block those ip which are executing this kind of suspicious queries via some port connection or script. and also make sure you dont have any script loaded by third party which is executing this.
Re: Suspicious query locking users tables
Posted:
Wed Aug 23, 2023 1:59 pm
by carpenox
User the dynamic portal and block 80 and 443 to public and only allow trusted. Follow my article it will help:
https://dialer.one/how-to-use-the-built ... r-vicibox/
Re: Suspicious query locking users tables
Posted:
Wed Aug 23, 2023 3:52 pm
by martinch
That does not look good. I've never seen an ORDER BY pass in the ViCi codebase. Here is a grep from ViCiBox11 over the entire ViCi codebase;
- Code: Select all
vicibox11:~ # grep -n -iR "order by pass" /usr/src/astguiclient/
vicibox11:~ #
Seems like a bad actor to me and you should try to secure the system. The guys here are suggesting network troubleshooting as a good place to start.