Help Decoding SQL - Hack Attempt?

Rick5150 · #1 (**permalink**) 01-31-13, 05:28

In my mysql_slow_queries logs I am getting data like this, and I fear I am getting hacked... Can anyone explain what the code means?

Code:

# Thu Jan 31 01:49:42 2013
# Query_time: 4.551053  Lock_time: 0.003295 Rows_sent: 1  Rows_examined: 1
use mysite_wrd1;
SET timestamp=1359622182;
SHOW columns from customers LIKE 'guest_account'



# Thu Jan 31 01:41:46 2013
# Query_time: 1.161772  Lock_time: 0.032310 Rows_sent: 1  Rows_examined: 307589
use mysite_php1;
SET timestamp=1359621706;
SELECT user_id
  FROM WWH_TABLE
  WHERE user_ip = '220.200.49.12'
 LIMIT 1



# Thu Jan 31 01:41:35 2013
# Query_time: 18.222432  Lock_time: 4.215960 Rows_sent: 1  Rows_examined: 1
use mysite_php1;
SET timestamp=1359621695;
SELECT u.*, s.*
  FROM phpbb_sessions s, phpbb_users u
  WHERE s.session_id = 'def72a54e16508d34a1d02161318a0e9'
  AND u.user_id = s.session_user_id



# Thu Jan 31 01:41:35 2013
# Query_time: 13.815010  Lock_time: 2.111738 Rows_sent: 0  Rows_examined: 1
use mysite_php1;
SET timestamp=1359621695;
UPDATE phpbb_config
		SET config_value = '1359621681'
		WHERE config_name = 'rand_seed_last_update'

it-iss.com · #2 (**permalink**) 01-31-13, 13:02

The slow query log captures SQL statements that take longer than a certain threshold to return results. Looking at your queries they all seem to be related to a bulletin board that you most probably have on your website. Though the set timestamp can be used to hide SQL statements from the slow query log, this could have been done intentionally by the application developers. If you are worried enable the general query log which logs all queries, keep an eye on this file as it can quickly grow very large.

Rick5150 · #3 (**permalink**) 01-31-13, 13:43

I was not worried, but my web host keeps suspending the site. This has happened 4-5 times in the last 2 days. I am getting tired of it because I cannot fix it if I cannot access it. I was also in the middle of re-indexing the bulletin board when this happened. It takes hours and the site is taken down before it finishes. VERY frustrating.

healdem · #4 (**permalink**) 01-31-13, 13:52

have you EXPLAINed the queries

do you know what columns are indexed

I#'d expect your ISP to want to work with you on fixing this

Rick5150 · #5 (**permalink**) 01-31-13, 14:23

I would think the same thing, but they want the bulletin board moved from the public directory - meaning it will not be accessible.

I do not know how to do an EXPLAIN or what the results would mean if I did. I think that the Bluehost did one that returned this:

mysite_php1 454.5043 1,532.1377 0.2966
344,662,606 78,926,053 0.0944 14,949 5,967 4,008 NULL
NULL NULL NULL NULL NULL NULL

+---------------+------------------------------------+-----------+--------------+------------------------+

| TABLE_SCHEMA | TABLE_NAME | ROWS_READ | ROWS_CHANGED
| ROWS_CHANGED_X_INDEXES |
+---------------+------------------------------------+-----------+--------------+------------------------+

| mysite_php1 | WWH_TABLE | 60693880 | 19
| 19 |
| mysite_php1 | phpbb_wwh | 144783 | 24
| 48 |
| mysite_php1 | phpbb_sessions | 26425 | 61
| 244 |
| mysite_php1 | phpbb_posts | 18224 | 0
| 0 |
| mysite_znc2 | znc_banners_history | 17148 | 0
| 0 |

Obviously, I replaced the actual server name with "mysite" - so the php1 is the discussion board and the znc2 is our store.

Internet Services

Web Development

Digital Marketing

Consumer Tech