I know someone whose server with cPanel/WHM and phpBB 3.0.x was victimized by a MySQL injection attack against phpBB (or a plugin thereof). Certain information was leaked, but we do not know the extent of the leak. Is it possible to determine what information was leaked by examining logs? Thank you!
1 Answer
Can you determine if any relevant data was stolen?
Potentially, yes.
If an attacker only used SQL injection and wasn't able to escalate privileges further, odds are that the system logs are still reliable. That may allow you to trace some of the attacker's steps.
The thing is that, for instance, by default most web servers do log requested URLs and, although those typically include GET request parameters, they do not contain the values of parameters for POST requests.
The same holds for a MySQL database server: on production systems it is very uncommon to log all queries, as you'd potentially collect huge numbers of MySQL events, and the more commonly used transaction log only records queries that update the database and not SELECT statements that may have been used to steal your data.
You may be "lucky" and find scripts/binaries, etc., that were up- or downloaded by the attacker.
In practice, probably not
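As an added illustration of the answer's point (this is example code, not from the original thread), the following Python script scans constructed Apache combined-format access log lines for SQL smuggled through GET parameters, lists the table names such requests mention, and separately flags POST requests from the same client, whose bodies the web server log does not record and which therefore cannot be assessed from this log alone. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:14:02:11 +0000] "GET /forum/viewtopic.php?f=2&t=15 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:14:02:40 +0000] "GET /forum/viewtopic.php?f=2&t=15%20UNION%20SELECT%20username,user_password%20FROM%20phpbb_users HTTP/1.1" 200 9117 "-" "sqlmap/1.0"
203.0.113.5 - - [10/Mar/2012:14:03:02 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
198.51.100.7 - - [10/Mar/2012:14:05:00 +0000] "GET /forum/index.php HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Indicators of SQL carried in a query string (case-insensitive).
SQLI_RE = re.compile(
    r"\b(union\s+(all\s+)?select|information_schema|load_file|into\s+(out|dump)file|sleep\s*\(|benchmark\s*\()",
    re.I,
)
# Table names referenced after FROM, which hint at what data a SELECT may have read.
TABLE_RE = re.compile(r"\bfrom\s+`?(\w+)`?", re.I)

def analyse_log(text):
    """Return (findings, blind_posts).

    findings:    GET requests whose decoded query string contains SQL, with the tables named.
    blind_posts: POST requests from the same client IPs; their bodies are absent from the
                 access log, so the log cannot show whether they carried injection too.
    """
    findings, blind_posts, suspect_ips = [], [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        decoded = unquote_plus(url.query)  # percent-decode so "UNION%20SELECT" is visible
        if m["method"] == "GET" and SQLI_RE.search(decoded):
            tables = sorted({t.lower() for t in TABLE_RE.findall(decoded)})
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": url.path,
                             "status": m["status"], "tables": tables})
            suspect_ips.add(m["ip"])
        elif m["method"] == "POST" and m["ip"] in suspect_ips:
            blind_posts.append({"ip": m["ip"], "ts": m["ts"], "path": url.path})
    return findings, blind_posts

if __name__ == "__main__":
    hits, blind = analyse_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} GET {h['path']} status={h['status']} tables={h['tables']}")
    for b in blind:
        print(f"{b['ts']} {b['ip']} POST {b['path']} (body not logged; cannot assess)")
```

Run it against the real access log instead of SAMPLE_LOG to get a first list of which tables the logged GET requests touched; anything done over POST, or through the database directly, will not appear here.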