  1. #1
    Join Date
    Jan 2013
    Posts
    3

    Help Decoding SQL - Hack Attempt?

    In my mysql_slow_queries logs I am getting data like this, and I fear I am getting hacked... Can anyone explain what the code means?

    Code:
    # Thu Jan 31 01:49:42 2013
    # Query_time: 4.551053  Lock_time: 0.003295 Rows_sent: 1  Rows_examined: 1
    use mysite_wrd1;
    SET timestamp=1359622182;
    SHOW columns from customers LIKE 'guest_account'
    
    
    
    # Thu Jan 31 01:41:46 2013
    # Query_time: 1.161772  Lock_time: 0.032310 Rows_sent: 1  Rows_examined: 307589
    use mysite_php1;
    SET timestamp=1359621706;
    SELECT user_id
      FROM WWH_TABLE
      WHERE user_ip = '220.200.49.12'
     LIMIT 1
    
    
    
    # Thu Jan 31 01:41:35 2013
    # Query_time: 18.222432  Lock_time: 4.215960 Rows_sent: 1  Rows_examined: 1
    use mysite_php1;
    SET timestamp=1359621695;
    SELECT u.*, s.*
      FROM phpbb_sessions s, phpbb_users u
      WHERE s.session_id = 'def72a54e16508d34a1d02161318a0e9'
      AND u.user_id = s.session_user_id
    
    
    
    # Thu Jan 31 01:41:35 2013
    # Query_time: 13.815010  Lock_time: 2.111738 Rows_sent: 0  Rows_examined: 1
    use mysite_php1;
    SET timestamp=1359621695;
    UPDATE phpbb_config
    		SET config_value = '1359621681'
    		WHERE config_name = 'rand_seed_last_update'

  2. #2
    Join Date
    Sep 2009
    Location
    San Sebastian, Spain
    Posts
    860
    The slow query log captures SQL statements that take longer than a certain threshold to return results. Looking at your queries, they all seem to be related to a bulletin board that you most probably have on your website. Though the set timestamp can be used to hide SQL statements from the slow query log, this could have been done intentionally by the application developers. If you are worried, enable the general query log, which logs all queries; keep an eye on this file as it can quickly grow very large.
    Ronan Cashell
    Certified Oracle DBA/Certified MySQL Expert (DBA & Cluster DBA)
    http://www.it-iss.com

  3. #3
    Join Date
    Jan 2013
    Posts
    3
    I was not worried, but my web host keeps suspending the site. This has happened 4-5 times in the last 2 days. I am getting tired of it because I cannot fix it if I cannot access it. I was also in the middle of re-indexing the bulletin board when this happened. It takes hours and the site is taken down before it finishes. VERY frustrating.

  4. #4
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    12,417
    have you EXPLAINed the queries

    do you know what columns are indexed

    I'd expect your ISP to want to work with you on fixing this
    I'd rather be riding on the Tiger 800 or the Norton

  5. #5
    Join Date
    Jan 2013
    Posts
    3
    I would think the same thing, but they want the bulletin board moved from the public directory - meaning it will not be accessible.

    I do not know how to do an EXPLAIN or what the results would mean if I did. I think that the Bluehost did one that returned this:

    mysite_php1 454.5043 1,532.1377 0.2966
    344,662,606 78,926,053 0.0944 14,949 5,967 4,008 NULL
    NULL NULL NULL NULL NULL NULL

    +---------------+------------------------------------+-----------+--------------+------------------------+
    | TABLE_SCHEMA | TABLE_NAME | ROWS_READ | ROWS_CHANGED | ROWS_CHANGED_X_INDEXES |
    +---------------+------------------------------------+-----------+--------------+------------------------+
    | mysite_php1 | WWH_TABLE | 60693880 | 19 | 19 |
    | mysite_php1 | phpbb_wwh | 144783 | 24 | 48 |
    | mysite_php1 | phpbb_sessions | 26425 | 61 | 244 |
    | mysite_php1 | phpbb_posts | 18224 | 0 | 0 |
    | mysite_znc2 | znc_banners_history | 17148 | 0 | 0 |


    Obviously, I replaced the actual server name with "mysite" - so the php1 is the discussion board and the znc2 is our store.
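
A triage sketch for slow-log entries like those in the first post, added here as an example and not part of the original thread: it parses each entry and separates statements that read many rows per row returned from ones that touched few rows and were slow for another reason. The function names and the 1000-rows threshold are assumptions; the sample is constructed from two of the posted entries.

```python
import re

# Constructed sample: two entries from the first post, statements joined onto fewer lines.
SAMPLE_LOG = """\
# Thu Jan 31 01:41:46 2013
# Query_time: 1.161772  Lock_time: 0.032310 Rows_sent: 1  Rows_examined: 307589
use mysite_php1;
SET timestamp=1359621706;
SELECT user_id FROM WWH_TABLE
  WHERE user_ip = '220.200.49.12' LIMIT 1
# Thu Jan 31 01:41:35 2013
# Query_time: 18.222432  Lock_time: 4.215960 Rows_sent: 1  Rows_examined: 1
use mysite_php1;
SET timestamp=1359621695;
SELECT u.*, s.* FROM phpbb_sessions s, phpbb_users u
  WHERE s.session_id = 'def72a54e16508d34a1d02161318a0e9' AND u.user_id = s.session_user_id
"""

STATS = re.compile(r"# Query_time: ([\d.]+)\s+Lock_time: ([\d.]+)\s+"
                   r"Rows_sent: (\d+)\s+Rows_examined: (\d+)")

def parse_slow_log(text):
    """Return one dict per slow-log entry: timings, row counts, schema, statement."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = STATS.match(line)
        if m:
            cur = {"query_time": float(m[1]), "lock_time": float(m[2]),
                   "rows_sent": int(m[3]), "rows_examined": int(m[4]),
                   "db": None, "sql": ""}
            entries.append(cur)
        elif cur is None or not line or line.startswith("#"):
            continue  # preamble, blank line, or the "# <date>" header
        elif line.lower().startswith("use "):
            cur["db"] = line[4:].rstrip(";")
        elif not line.lower().startswith("set timestamp="):
            cur["sql"] = (cur["sql"] + " " + line).strip()
    return entries

def classify(e, scan_ratio=1000):
    """Heuristic (threshold is an assumption): 'scan' = many rows read per row
    returned, typical of a missing index; 'waiting' = few rows touched."""
    per_row = e["rows_examined"] / max(e["rows_sent"], 1)
    return "scan" if per_row >= scan_ratio else "waiting"

if __name__ == "__main__":
    for e in parse_slow_log(SAMPLE_LOG):
        print(classify(e), e["query_time"], e["rows_examined"], e["db"], e["sql"][:60])
```

On the sample, the `WWH_TABLE` lookup by `user_ip` is classified as a scan, which matches that table's ROWS_READ figure in the host's report, while the session query examined a single row and is classified as waiting.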
