SSH freezes whenever I go into MySQL.


frwa onto
Dec 8, 2013, 2:24:39 AM
to ossec...@googlegroups.com
I have CentOS 6.5 (Final) running. Lately I notice that whenever I do anything in MySQL, after a few minutes my SSH freezes. I don't know what is happening, so I looked in my /var/log/secure and nothing is pointing there; then I looked into my OSSEC logs and I noticed these lines.

In my /var/ossec/log/ossec-log I see this:

2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck scan.
2013/12/08 01:48:43 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck scan.

But in my /var/ossec/log/active-responses.log I see this:

Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1386486234.11964 31106
Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1386486234.11964 31106

What can I do about this?

dan (ddp)
Dec 9, 2013, 9:31:50 PM
to ossec...@googlegroups.com
These are related to web attacks. Is that the IP you are coming from?

> What can I do about this?

frwa onto
Dec 9, 2013, 9:54:35 PM
to ossec...@googlegroups.com
Dear Dan,
This log is showing "2013/12/08 01:48:43 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system." That active response is not present, right? So then why does it deny the host? In fact that is my local IP, where I am accessing the server locally, not from external. All I do is use phpMyAdmin to access my DB, and I always get denied and my SSH is broken. Does OSSEC sniff it as an attack?

Regards,
Frwa.

dan (ddp)
Dec 9, 2013, 10:03:28 PM
to ossec...@googlegroups.com
On Mon, Dec 9, 2013 at 9:54 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> This log is showing " 2013/12/08 01:48:43 ossec-execd: INFO:
> Active response command not present:
>
>> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this

That is a Windows command, it should not be present on a linux system.

>> system. " That active response is not present right so then why does is
>> deny the host. In fact that is my local ip where I am accessing the server

The host-deny script is different from the restart-ossec.cmd command.

>> locally not from eternal. I only do is that using phmyadmin to access my db
>> and I always get denied and my ssh is broken? Does ossec sniff it as an
>> attack is it?
>

It looks like you are triggering rule 31106, and that is causing you
to be blocked. Find out why you are triggering this rule, and correct
that situation.


Christian Beer
Dec 10, 2013, 12:29:53 AM
to ossec...@googlegroups.com
I also had this problem some time ago. Make sure you either whitelist
your IP (if it doesn't change) or disable OSSEC before using phpMyAdmin.
As it is now, some actions are detected by OSSEC as malicious
SQL injection attacks and thus trigger rule 31106. The firewall-drop
is triggered by the 31106 rule and thus your SSH freezes. I found (and
didn't really investigate) no other way to whitelist the phpMyAdmin
installation.

Regards
Christian

frwa onto
Dec 10, 2013, 9:08:35 AM
to ossec...@googlegroups.com, cb.mai...@googlemail.com
Dear Christian,
Thank you for sharing your experience too. Hopefully someone can confirm exactly what the main cause of this behavior is. I am not sure whether turning off the active response would help?

Regards,
Frwa.

dan (ddp)
Dec 10, 2013, 9:11:49 AM
to ossec...@googlegroups.com
On Tue, Dec 10, 2013 at 9:08 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Christian,
> Thank you for sharing your experience too. Hopefully
> some one can exactly confirm what is the main cause of this behavior? I am
> not sure if I off the active response should help?
>

If the IP address being blocked in the active response log is your IP
address, then that is what is causing you to lose your ssh connection.

frwa onto
Dec 10, 2013, 9:25:21 AM
to ossec...@googlegroups.com
Dear Dan,
Even if I am logged in with another email it is the same scenario; I get locked out. It has more to do with phpMyAdmin. Could it be that I am doing a big select statement that causes this behavior? Is it possible to pause the active response temporarily? How can I further investigate the cause?

Regards,
Frwa.

dan (ddp)
Dec 10, 2013, 9:29:09 AM
to ossec...@googlegroups.com
On Tue, Dec 10, 2013 at 9:25 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Even if I am logged with other email is the same scenario I
> get locked. Its more got to do with phpmyadmin. Could it be that I am doing
> big select statement causing this behavior? Is it possible to pause the
> active response for temporary ? How can I further investigate the cause?
>

Look at the alerts (rule ID 31106 specifically). They will provide
more information about what is happening.

frwa onto
Dec 12, 2013, 8:04:53 AM
to ossec...@googlegroups.com
Dear Dan,
OK, I went into web_rules.xml and saw it says "A web attack returned code 200 (success)". So what could be the problem? I am just accessing data from my phpMyAdmin; what is the attack? There is no description on this.

Regards,
Frwa.

dan (ddp)
Dec 12, 2013, 8:20:55 AM
to ossec...@googlegroups.com
On Thu, Dec 12, 2013 at 8:04 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Ok I went into web_rules.xml and saw its says A web attack
> returned code 200 (success) . So what could be the problem I am just
> accessing data from my phpmyadmin what is the attack no description on this?
>

That's basically what you have to track down. Take a look at the alert
in alerts.log, it should contain the log message that triggered that
alert.
Rule 31106 looks at 3 other alerts, plus a 200 response from the web
server. Looking at 31103 (the first if_sid in 31106) you can see that
it looks for possible SQL injection attacks. Does any of the <url>
snippets exist in the log message that triggered the alert? If not, do
the same exercise with 31104 and 31105. When you've found the alert
that triggered 31106, it might be easier to create a rule to "white
list" your system (you could probably do this with 31106 as well, but
I like to stop the chain earlier if possible).

I'll only do so much of your work before I require a contract.

frwa onto
Dec 13, 2013, 8:00:24 AM
to ossec...@googlegroups.com
Dear Dan,
You were right; I saw this in my alerts.log. Actually I know what the problem is: it happens when I query for huge data; for a simple few hundred rows it is fine. So why does this behaviour trigger this event?

** Alert 1386438523.563: - web,accesslog,attack,
2013 Dec 08 01:48:43 localhost->/var/log/httpd/access_log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 10.212.134.200
10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET /*****/get.php?db1=****&****=****&sql_query=SELE******&show_query=1&token=***** HTTP/1.1" 200 78927 "http://******/*****/*****.php?****=********=*****&token=**********" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"




dan (ddp)
Dec 13, 2013, 8:32:15 AM
to ossec...@googlegroups.com
On Fri, Dec 13, 2013 at 8:00 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> You was right I saw this in my alerts.log. Actually I know
> what is the problem happens when I query for huge data for simple few
> hundred data its fine. So why this behaviour trigger this event?
>
> ** Alert 1386438523.563: - web,accesslog,attack,
> 2013 Dec 08 01:48:43 localhost->/var/log/httpd/access_log
> Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
> Src IP: 10.212.134.200
> 10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET
> /*****/get.php?db1=****&****=****&sql_query=SELE******&show_query=1&token=*****
> HTTP/1.1" 200 78927
> "http://******/*****/*****.php?****=********=*****&token=**********"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/31.0.1650.63 Safari/537.36"
>

I'm going to assume the "*"s in the above log message are bad attempts
at obfuscating the log message. Hopefully they aren't important in
tracking this down.

So I explained how to figure things out in my last message, but you
don't pay much attention. So I'll break it down for anyone who does
care.

Rule 31103 has the following match parameters:
<url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
<url>union+|where+|null,null|xp_cmdshell</url>

Each item (separated by the "|") is a different possible match. It's
hard to tell for sure (again, the obfuscation is horrendous), but I
think "sql_query=SELE******" from the log message may be a "SELECT[
+]" This matches the <url> above (the first option being "select " and
the second being "select+"). Without any other evidence I'll say
that's a match. At a quick glance, 3110[45] don't look like they'll
match this log message.

So to keep this from happening in the future, I'd probably write a
custom rule that looks for:
if_sid 31103
srcip IP_BEING_BANNED
url get.php

frwa onto
Dec 16, 2013, 9:52:08 AM
to ossec...@googlegroups.com
Dear Dan,
Sorry for the obfuscation. The select statement from the log is as follows:

SELECT+%2A+FROM+%60tblTemp1%60+order+by+temp1ID+desc+limit+0%2C10

So it matches the Select, From. But I have put the limit, yet it still locks me down?

I have read about custom rules here: http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf . So must I first create a group and then put it in there? I am not sure whether it can be like below; I just put 311011. And is it to be stored in local_rules.xml?


<rule id="311011" level="5">
 <if_sid>311011</if_sid>
 <srcip>10.212.134.200</srcip>
 <description></description>
</rule>

Regards,
Frwa.

dan (ddp)
Dec 16, 2013, 9:58:29 AM
to ossec...@googlegroups.com
On Mon, Dec 16, 2013 at 9:52 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Sorry for obfuscation. The select statement from the log is as
> following
>
> SELECT+%2A+FROM+%60tblTemp1%60+order+by+temp1ID+desc+limit+0%2C10 . So it
> match the Select, From. But I have put the limit yet it still lock me down?
>
> I have read about custom rule here
> http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf . So must I first create
> a group and then put in it? I am not too sure can be like below I just put
> 311011 and is it to be stored in local_rules.xml?
>
>
> <rule id=“311011” level=“5”>

You probably don't want this at level 5. You want to ignore this
traffic right? If so, drop the level (0-1 is probably best).

> <if_sid>311011</if_sid>

You shouldn't if_sid yourself. This basically says "if rule 311011 is
triggered, use this alert instead." Since 311011 will never trigger
(because 311011 will never trigger (because 311011 will never trigger
(because 311011 will never trigger (because 311011 will never
trigger...)))), 311011 will never trigger.
You want "<if_sid>31106</if_sid>".

frwa onto
Dec 18, 2013, 8:27:26 AM
to ossec...@googlegroups.com
Dear Dan,
Sorry, I am very new to these custom rules. So is this the correct version now? Is there any special convention on how to set the rule id? Of course it can't overlap with existing rule ids. Where do I put the url get.php?

<rule id="311011" level="5">
 <if_sid>31106</if_sid>
 <srcip>10.212.134.200</srcip>
 <description></description>
</rule>

dan (ddp)
Dec 18, 2013, 8:39:08 AM
to ossec...@googlegroups.com
On Wed, Dec 18, 2013 at 8:27 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Sorry very new to this custom rules. So is this the correct
> version now. Is there any special convention on how to set the rule id off
> course it cant be overlapping with existing rule ids ? Where to put the url
> get.php ?
>

I think we recommend rule IDs larger than 100000 for custom rules.
I think you can use <url>get.php</url>, but if that doesn't work try
<match>get.php</match>
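
The rule chain Dan walks through above (31103's <url> keywords, then 31106 when the response is 200, then a local rule with if_sid 31106, srcip and url get.php that silences it) as an added Python simulation, not OSSEC's own matching engine or anyone's code from this thread. The rule id 100001, the level-0 local rule, the sample access-log line and the level-6 active-response threshold are assumptions made for the example.

```python
import re, xml.etree.ElementTree as ET

# <url> patterns of rule 31103, as quoted from web_rules.xml earlier in the thread.
RULE_31103_URL = ("=select%20|select+|insert%20|%20from%20|%20where%20|union%20|"
                  "union+|where+|null,null|xp_cmdshell").split("|")

# Constructed local_rules.xml entry following the advice above (hypothetical id 100001).
LOCAL_RULES = """<group name="local,">
  <rule id="100001" level="0">
    <if_sid>31106</if_sid>
    <srcip>10.212.134.200</srcip>
    <url>get.php</url>
    <description>phpMyAdmin queries from the admin workstation</description>
  </rule>
</group>"""

# Constructed Apache line mirroring the redacted one posted in the thread.
LOG_LINE = ('10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET /phpmyadmin/get.php?db1=test'
            '&sql_query=SELECT+%2A+FROM+%60tblTemp1%60+limit+0%2C10 HTTP/1.1" 200 78927 "-" "Mozilla/5.0"')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
ACTIVE_RESPONSE_LEVEL = 6  # assumed level at which host-deny/firewall-drop run

def parse_access_line(line):
    m = ACCESS_RE.match(line)  # source IP, request URL, HTTP status
    if not m:
        raise ValueError("not an Apache combined-format line")
    return {"srcip": m.group(1), "url": m.group(2), "status": int(m.group(3))}

def evaluate(line, local_rules_xml=LOCAL_RULES):
    """Return (rule_id, level) for the line. Matching is modelled as case-insensitive,
    which is how 'SELECT+' in the thread's log line matched the 'select+' option."""
    ev = parse_access_line(line)
    url = ev["url"].lower()
    if not any(p in url for p in RULE_31103_URL):
        return None, 0                  # no SQL keyword in the URL: nothing fires
    rule, level = 31103, 6              # level for 31103 assumed for this simulation
    if ev["status"] == 200:
        rule, level = 31106, 6          # "A web attack returned code 200 (success)"
    # A local rule whose if_sid names the current rule and whose srcip/url fit
    # replaces the alert, so its level (0 here) decides whether anything is blocked.
    for r in ET.fromstring(local_rules_xml).iter("rule"):
        sid, ip, u = r.findtext("if_sid"), r.findtext("srcip"), r.findtext("url")
        if sid and int(sid) == rule and ip in (None, ev["srcip"]) and (u is None or u in url):
            rule, level = int(r.get("id")), int(r.get("level"))
    return rule, level

def active_response_fires(line, local_rules_xml=LOCAL_RULES):
    return evaluate(line, local_rules_xml)[1] >= ACTIVE_RESPONSE_LEVEL
```

With the local rule in place the same request from the trusted address ends at level 0 and no block is issued; from any other address, or without the rule, it still reaches 31106 at level 6.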