---
id: 6939edca-5e8f-483b-9cce-ec82f9d4d7ab
---

# Apache SQL Injection Attempts in URI Incident
---

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.

### Parameters
```shell
export MODSECURITY_RULESET_FILE="PLACEHOLDER"

export MODSECURITY_RULE_ID="PLACEHOLDER"

export REGEX_PATTERN_TO_MATCH_SQL_INJECTION="PLACEHOLDER"
```

## Debug

### Show the last 100 lines of Apache access log
```shell
tail -n 100 /var/log/apache/access.log
```

### Show all unique IP addresses that accessed the server in the last 24 hours
```shell
grep "\[`date -d '24 hours ago' '+%d/%b/%Y:%H:%M'`\:" /var/log/apache/access.log | awk '{print $1}' | sort | uniq
```

### Show all GET requests with SQL injection attempts
```shell
grep -E "GET /.*\b(union|select|drop|insert|update)\b.*HTTP" /var/log/apache/access.log
```

### Show all POST requests with SQL injection attempts
```shell
grep -E "POST /.*\b(union|select|drop|insert|update)\b.*HTTP" /var/log/apache/access.log
```

### Show the Apache configuration file
```shell
cat /etc/apache2/apache2.conf
```

### Show all enabled Apache modules
```shell
apache2ctl -M
```

### Show all Apache virtual hosts
```shell
apache2ctl -S
```

### Show the Apache error log
```shell
tail -f /var/log/apache/error.log
```

## Repair

### Update and patch the Apache server to the latest stable version to prevent the exploitation of known vulnerabilities.
```shell


#!/bin/bash



# Update package list

sudo apt-get update



# Upgrade Apache server to the latest stable version

sudo apt-get install apache2



# Restart Apache server

sudo systemctl restart apache2



echo "Apache server has been updated and patched to the latest stable version."


```

### Create or Modify ModSecurity Rule to prevent SQL injection attacks.
```shell


#!/bin/bash



# Define variables

RULE_ID=${MODSECURITY_RULE_ID}

RULE_SET_FILE=${MODSECURITY_RULESET_FILE}

SQL_INJECTION_PATTERN=${REGEX_PATTERN_TO_MATCH_SQL_INJECTION}



# Check if ModSecurity is installed

if [[ $(which modsecurity-crs) ]]; then

  # Create or modify ModSecurity rule to prevent SQL injection attacks

  echo "Creating/modifying ModSecurity rule to prevent SQL injection attacks"

  echo "SecRule ARGS \"$SQL_INJECTION_PATTERN\" \"id:$RULE_ID,deny,status:400,msg:'SQL injection attempt detected'\"" >> $RULE_SET_FILE



  # Restart Apache web server to apply changes

  echo "Restarting Apache web server"

  systemctl restart apache2

else

  echo "ModSecurity is not installed. Please install ModSecurity before running this script."

  exit 1

fi


```

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


This incident type refers to frequent mismatches between the virtual hosts configured on an Apache server. This can cause issues with routing traffic to the intended web application or website, resulting in downtime or other problems. It is important to address these mismatches promptly to ensure the proper functioning of the server and any associated applications.


Virtual Host Mismatches on Apache Server.

This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


Unauthorized Directory Access in Apache HTTPD.

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


Slowloris Attack Detected on Apache server.

This incident type refers to a security vulnerability in the SSL/TLS configuration of the Apache HTTP Server, which can leave the server and its users vulnerable to attacks. The SSL/TLS configuration is responsible for encrypting the communication between the server and its clients, and if it is not configured properly, it can be exploited by hackers to intercept or modify sensitive data. This type of incident requires immediate attention from software engineers to ensure that the SSL/TLS configuration is properly configured to prevent any potential security threats.


Inadequate SSL/TLS Configuration for Apache HTTP Server.

This incident type refers to a situation where the number of child processes created by an Apache server reaches a high threshold, causing performance issues and potentially leading to server crashes. This can occur due to factors such as high traffic volume or misconfigured server settings. The incident requires investigation and mitigation to restore normal server functioning and prevent future occurrences.


High Number of Apache Child Processes Incident

```shell
export MODSECURITY_RULESET_FILE="PLACEHOLDER"

export MODSECURITY_RULE_ID="PLACEHOLDER"

export REGEX_PATTERN_TO_MATCH_SQL_INJECTION="PLACEHOLDER"
```


### Show the last 100 lines of Apache access log

```shell
tail -n 100 /var/log/apache/access.log
```

### Show all unique IP addresses that accessed the server in the last 24 hours

```shell
grep "\[`date -d '24 hours ago' '+%d/%b/%Y:%H:%M'`\:" /var/log/apache/access.log | awk '{print $1}' | sort | uniq
```

### Show all GET requests with SQL injection attempts

```shell
grep -E "GET /.*\b(union|select|drop|insert|update)\b.*HTTP" /var/log/apache/access.log
```

### Show all POST requests with SQL injection attempts

```shell
grep -E "POST /.*\b(union|select|drop|insert|update)\b.*HTTP" /var/log/apache/access.log
```

### Show the Apache configuration file

```shell
cat /etc/apache2/apache2.conf
```

### Show all enabled Apache modules

```shell
apache2ctl -M
```

### Show all Apache virtual hosts

```shell
apache2ctl -S
```

### Show the Apache error log

```shell
tail -f /var/log/apache/error.log
```


### Update and patch the Apache server to the latest stable version to prevent the exploitation of known vulnerabilities.

```shell


#!/bin/bash



# Update package list

sudo apt-get update



# Upgrade Apache server to the latest stable version

sudo apt-get install apache2



# Restart Apache server

sudo systemctl restart apache2



echo "Apache server has been updated and patched to the latest stable version."


```

### Create or Modify ModSecurity Rule to prevent SQL injection attacks.

```shell


#!/bin/bash



# Define variables

RULE_ID=${MODSECURITY_RULE_ID}

RULE_SET_FILE=${MODSECURITY_RULESET_FILE}

SQL_INJECTION_PATTERN=${REGEX_PATTERN_TO_MATCH_SQL_INJECTION}



# Check if ModSecurity is installed

if [[ $(which modsecurity-crs) ]]; then

  # Create or modify ModSecurity rule to prevent SQL injection attacks

  echo "Creating/modifying ModSecurity rule to prevent SQL injection attacks"

  echo "SecRule ARGS \"$SQL_INJECTION_PATTERN\" \"id:$RULE_ID,deny,status:400,msg:'SQL injection attempt detected'\"" >> $RULE_SET_FILE



  # Restart Apache web server to apply changes

  echo "Restarting Apache web server"

  systemctl restart apache2

else

  echo "ModSecurity is not installed. Please install ModSecurity before running this script."

  exit 1

fi


```


Apache SQL Injection Attempts in URI Incident

Overview

Parameters

Debug

Show the last 100 lines of Apache access log

Show all unique IP addresses that accessed the server in the last 24 hours

Show all GET requests with SQL injection attempts

Show all POST requests with SQL injection attempts

Show the Apache configuration file

Show all enabled Apache modules

Show all Apache virtual hosts

Show the Apache error log

Repair

Update and patch the Apache server to the latest stable version to prevent the exploitation of known vulnerabilities.

Create or Modify ModSecurity Rule to prevent SQL injection attacks.

Learn more

Related Runbooks

Virtual Host Mismatches on Apache Server.

Unauthorized Directory Access in Apache HTTPD.

Slowloris Attack Detected on Apache server.

Inadequate SSL/TLS Configuration for Apache HTTP Server.

Product

Resources

Support

Company