Is my website maliciously infiltrated?

Source: Internet
Author: User
My website was maliciously infiltrated. My website was written in PHP, and I applied for it on justhost. Today, I found that admin was used by others in the early morning, but I didn't access the internet at that time, and the IP address of the person who entered my admin was in the Middle East, and I automatically recorded the IP address in the background. Later, I checked the justhost log and recent visitors and found that this IP address has accessed many pages like this. Is my website maliciously infiltrated?
I wrote it in php and applied for it on the server justhost.
Today, I found that admin was used by others in the early morning, but I didn't access the internet at that time, and the IP address of the person who entered my admin was in the Middle East, and I automatically recorded the ip address in the background.
Later, I checked the justhost log and recent visitor and found that this IP address accessed many pages similar to this:

/au/shop.php?Dest_id=3&shop_id=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2CCART.username%2C0x27%2C0x7e%29+from+%60whimwin1_DB%60.CART+Order+by+ip_address+limit+40%2C1%29+--

What normal people access should be /au/shop.php?Dest_id=3 and so on. Is such a long access address a malicious test? In addition, many similar addresses were accessed within one minute. Are they automatically detected using hacking software?

But I don't feel like it. This address contains my database name and some tables. How did they come out?

I am sad...


------ Solution --------------------
Discussion

Reference:

It should be looking for your SQL injection point. Some vulnerabilities may have been found. He knows your database name and tables, which may be dangerous. Of course, he may have injected other people and then got your data, but let's assume you have a good filter.

Check your code to carefully filter the key parts. It's okay; as long as you don't save the password in plain text, it's not a problem.
There are too many idle people on the Internet.


So I only know if there is a phase for filtering special characters ......

------ Solution --------------------
3&shop_id=999999.9 union all select (select concat(0x7e,0x27,CART.username,0x27,0x7e) from `whimwin1_DB`.CART Order by ip_address limit 40,1) --

Let's analyze it. You originally inserted 3 and shop_id into the SQL statement to execute the query. Here a union statement is added after shop_id = 99999.9, so your original SQL statement:

Select * from xxx where id = 3 and shop_id = 9999.9

is changed to:

Select * from xxx where id = 3 and shop_id = 9999.9 union all select (select concat(0x7e,0x27,CART.username,0x27,0x7e) from `whimwin1_DB`.CART Order by ip_address limit 40,1) --

The trailing -- comments out any other clauses that may exist after the where clause of your original SQL statement, such as an order by clause.

As for what is queried after that, I don't know what whimwin1_DB is.
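
The log review the asker did by hand, as an added example that is not part of the original thread: it decodes each logged query string the way the second answer does and flags parameters that carry SQL, then counts such requests per IP per minute. The log lines, IP addresses and timestamps are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format, documentation IP ranges).
# The flagged request is the one quoted in the question, logged twice.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Mar/2013:03:14:07 +0000] "GET /au/shop.php?Dest_id=3&shop_id=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2CCART.username%2C0x27%2C0x7e%29+from+%60whimwin1_DB%60.CART+Order+by+ip_address+limit+40%2C1%29+-- HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2013:03:14:09 +0000] "GET /au/shop.php?Dest_id=3&shop_id=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2CCART.username%2C0x27%2C0x7e%29+from+%60whimwin1_DB%60.CART+Order+by+ip_address+limit+40%2C1%29+-- HTTP/1.1" 200 5120
198.51.100.4 - - [12/Mar/2013:09:30:00 +0000] "GET /au/shop.php?Dest_id=3&shop_id=12 HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
SQLI_RE = re.compile(
    r"\bunion\b(?:\s+all)?\s+select\b"  # UNION [ALL] SELECT appended to a value
    r"|\bselect\b.+\bfrom\b"            # a subquery inside a parameter value
    r"|--\s*$",                         # trailing comment cutting off the original query
    re.IGNORECASE | re.DOTALL)

def find_probes(log_text):
    """Return (ip, minute, parameter, decoded value) for each suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, target, _status = m.groups()
        # parse_qsl turns '+' into spaces and %xx into characters before matching
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if SQLI_RE.search(value):
                hits.append((ip, stamp[:17], name, value))  # stamp[:17] = dd/Mon/yyyy:HH:MM
    return hits

def probes_per_minute(hits):
    """Count flagged requests per (ip, minute) to expose automated bursts."""
    counts = defaultdict(int)
    for ip, minute, _name, _value in hits:
        counts[(ip, minute)] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for ip, minute, name, value in hits:
        print(f"{ip} {minute} {name}={value}")
    for (ip, minute), n in probes_per_minute(hits).items():
        print(f"{ip}: {n} injection-like requests in minute {minute}")
```

A match shows only that a request attempted injection; the status code in the log does not say whether it succeeded, which depends on how shop.php builds its query from shop_id.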
