Hello, I was attempting to edit a mysql table using phpmyadmin on a system where I have an OSSEC agent installed. I got the following alert:

OSSEC HIDS Notification.
2007 May 09 09:11:36

Received From: ubuntu-dev->/var/log/apache2/access.log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):

10.1.1.182 - - [09/May/2007:09:11:36 -0400] "GET /phpmyadmin/ tbl_change.php? db=mbintranetdb&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key= +%60wp_options%60.%60option_id%60+%3D+1+AND+%60wp_options%60.%60blog_id %60+%3D+0+AND+CONVERT%28%60wp_options%60.%60option_name%60+USING +utf8%29+%3D+%27siteurl%27&sql_query=SELECT+%2A+FROM+%60wp_options %60&goto=sql.php HTTP/1.1" 200 4660 "http://10.1.1.80/phpmyadmin/ sql.php? db=wordpress&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"

The active response kicked in and blocked all traffic from my machine, so I added it to the white list on the OSSEC server by FQDN and IP, and restarted OSSEC on the server. However, every time I try to edit with phpmyadmin I still get the alert and active response. Do I need to add a whitelist in the agent config? Or something else?
