vicidial.org

[alo]

We have been having a suspicious looking query locking our user tables lately. My assumption is this is someone trying to lock the tables and confuse the system into giving user passwords, but I am not sure.

Code: Select all

SELECT 1/**/AND/**/(SELECT/**/4570/**/FROM/**/(SELECT(SLEEP(13-(IF(ORD(MID((SELECT/**/IFNULL(CAST(`user`/**/AS/**/NCHAR),0x20)/**/FROM/**/asterisk.vicidial_users/**/ORDER/**/BY/**/pass/**/LIMIT/**/87,1),1,1))>32,0,13)))))hqjf) FROM vicidial_list where lead_id='1'

Has anyone seen this and now if its some vicidial action or if it is indeed someone trying to do something nefarious?

SVN: 3750

Thanks!

[carpenox]

What os are you using? What type of security do you have in place?

[alo]

Port 80 and 443 are exposed, everything else blocked and whitelisted. If I shut down 80 and 443 these queries stop. Thats what makes me think its some sort of attack. I just don't know whats executing it and how. and if it can execute that why not just select all of the users table.

[kashyapking]

I think you have issues with port 80 or 443, and you need to check your /tmp directory, it must be having some files which are doing this suspicious stuff, you also need to check cronjob if it is set too.
you can remove that suspicious files from /tmp and remove cronjob too if it is set. you need to also check process if it is running in background via top command on server.
I hope this helps.

[alo]

This is incoming traffic...

[kashyapking]

Yes, you need to block those ip which are executing this kind of suspicious queries via some port connection or script. and also make sure you dont have any script loaded by third party which is executing this.

[carpenox]

User the dynamic portal and block 80 and 443 to public and only allow trusted. Follow my article it will help: https://dialer.one/how-to-use-the-built ... r-vicibox/

[martinch]

That does not look good. I've never seen an ORDER BY pass in the ViCi codebase. Here is a grep from ViCiBox11 over the entire ViCi codebase;

Code: Select all

vicibox11:~ # grep -n -iR "order by pass" /usr/src/astguiclient/
vicibox11:~ #


Seems like a bad actor to me and you should try to secure the system. The guys here are suggesting network troubleshooting as a good place to start.