  #1 (permalink)  
Registered User
 
Join Date: Jan 2013
Posts: 3
Help Decoding SQL - Hack Attempt?

In my mysql_slow_queries logs I am getting data like this, and I fear I am getting hacked... Can anyone explain what the code means?

Code:
# Thu Jan 31 01:49:42 2013
# Query_time: 4.551053  Lock_time: 0.003295 Rows_sent: 1  Rows_examined: 1
use mysite_wrd1;
SET timestamp=1359622182;
SHOW columns from customers LIKE 'guest_account'



# Thu Jan 31 01:41:46 2013
# Query_time: 1.161772  Lock_time: 0.032310 Rows_sent: 1  Rows_examined: 307589
use mysite_php1;
SET timestamp=1359621706;
SELECT user_id
  FROM WWH_TABLE
  WHERE user_ip = '220.200.49.12'
 LIMIT 1



# Thu Jan 31 01:41:35 2013
# Query_time: 18.222432  Lock_time: 4.215960 Rows_sent: 1  Rows_examined: 1
use mysite_php1;
SET timestamp=1359621695;
SELECT u.*, s.*
  FROM phpbb_sessions s, phpbb_users u
  WHERE s.session_id = 'def72a54e16508d34a1d02161318a0e9'
  AND u.user_id = s.session_user_id



# Thu Jan 31 01:41:35 2013
# Query_time: 13.815010  Lock_time: 2.111738 Rows_sent: 0  Rows_examined: 1
use mysite_php1;
SET timestamp=1359621695;
UPDATE phpbb_config
		SET config_value = '1359621681'
		WHERE config_name = 'rand_seed_last_update'
  #2 (permalink)  
Registered User
 
Join Date: Sep 2009
Location: San Sebastian, Spain
Posts: 860
The slow query log captures SQL statements that take longer than a certain threshold to return results. Looking at your queries, they all seem to be related to a bulletin board that you most probably have on your website. Though the set timestamp can be used to hide SQL statements from the slow query log, this could have been done intentionally by the application developers. If you are worried, enable the general query log, which logs all queries; keep an eye on this file, as it can quickly grow very large.
__________________
Ronan Cashell
Certified Oracle DBA/Certified MySQL Expert (DBA & Cluster DBA)
http://www.it-iss.com
  #3 (permalink)  
Registered User
 
Join Date: Jan 2013
Posts: 3
I was not worried, but my web host keeps suspending the site. This has happened 4-5 times in the last 2 days. I am getting tired of it because I cannot fix it if I cannot access it. I was also in the middle of re-indexing the bulletin board when this happened. It takes hours and the site is taken down before it finishes. VERY frustrating.
  #4 (permalink)  
Jaded Developer
 
Join Date: Nov 2004
Location: out on a limb
Posts: 12,079
have you EXPLAINed the queries

do you know what columns are indexed

I'd expect your ISP to want to work with you on fixing this
__________________
I'd rather be riding my Versys or my Tiger 800 let alone the Norton
  #5 (permalink)  
Registered User
 
Join Date: Jan 2013
Posts: 3
I would think the same thing, but they want the bulletin board moved from the public directory - meaning it will not be accessible.

I do not know how to do an EXPLAIN or what the results would mean if I did. I think that the Bluehost did one that returned this:

mysite_php1 454.5043 1,532.1377 0.2966
344,662,606 78,926,053 0.0944 14,949 5,967 4,008 NULL
NULL NULL NULL NULL NULL NULL

+--------------+---------------------+-----------+--------------+------------------------+
| TABLE_SCHEMA | TABLE_NAME          | ROWS_READ | ROWS_CHANGED | ROWS_CHANGED_X_INDEXES |
+--------------+---------------------+-----------+--------------+------------------------+
| mysite_php1  | WWH_TABLE           |  60693880 |           19 |                     19 |
| mysite_php1  | phpbb_wwh           |    144783 |           24 |                     48 |
| mysite_php1  | phpbb_sessions      |     26425 |           61 |                    244 |
| mysite_php1  | phpbb_posts         |     18224 |            0 |                      0 |
| mysite_znc2  | znc_banners_history |     17148 |            0 |                      0 |


Obviously, I replaced the actual server name with "mysite" - so the php1 is the discussion board and the znc2 is our store.
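
An added example, not part of the original thread: a small Python triage of slow query log entries like those in post #1. It separates entries that read many rows per row returned (the index question raised in post #4) from entries that did almost no work but still waited. The sample log is constructed from two entries in the thread; the function names, labels and thresholds are assumptions.

```python
import re

# Constructed sample: two entries taken from the log posted in #1.
SAMPLE_LOG = """\
# Thu Jan 31 01:41:46 2013
# Query_time: 1.161772  Lock_time: 0.032310 Rows_sent: 1  Rows_examined: 307589
use mysite_php1;
SET timestamp=1359621706;
SELECT user_id
  FROM WWH_TABLE
  WHERE user_ip = '220.200.49.12'
 LIMIT 1
# Thu Jan 31 01:41:35 2013
# Query_time: 18.222432  Lock_time: 4.215960 Rows_sent: 1  Rows_examined: 1
use mysite_php1;
SET timestamp=1359621695;
SELECT u.*, s.*
  FROM phpbb_sessions s, phpbb_users u
  WHERE s.session_id = 'def72a54e16508d34a1d02161318a0e9'
  AND u.user_id = s.session_user_id
"""

STATS = re.compile(r"# Query_time:\s*([\d.]+)\s+Lock_time:\s*([\d.]+)\s+"
                   r"Rows_sent:\s*(\d+)\s+Rows_examined:\s*(\d+)")

def parse_slow_log(text):
    """Return one dict per entry: the numbers from the stats line plus the SQL."""
    entries, current = [], None
    for line in text.splitlines():
        m = STATS.match(line)
        if m:
            current = {"query_time": float(m[1]), "lock_time": float(m[2]),
                       "rows_sent": int(m[3]), "rows_examined": int(m[4]), "sql": []}
            entries.append(current)
        # Skip comment headers and the bookkeeping statements the server logs itself.
        elif current and line.strip() and not re.match(r"(?i)#|use |set timestamp=", line):
            current["sql"].append(line.strip())
    for e in entries:
        e["sql"] = " ".join(e["sql"])
    return entries

def classify(entry, scan_ratio=1000, lock_share=0.1):
    """Heuristic label for why an entry was slow (thresholds are assumed values)."""
    if entry["rows_examined"] >= scan_ratio * max(entry["rows_sent"], 1):
        return "scan"       # many rows read per row returned: check indexes with EXPLAIN
    if entry["lock_time"] >= lock_share * entry["query_time"]:
        return "lock-wait"  # a notable share of the time went to acquiring locks
    return "load"           # little work, little locking: the server itself was busy
```

On the thread's data, the `WWH_TABLE` lookup by `user_ip` comes out as a scan, which matches that table leading the `ROWS_READ` figures in post #5.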