From: "julian haffegee" on 8 Apr 2009 09:15

I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)

I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about? Anybody know what this means?

Thanks so much for reading

Jules
From: Richard Heyes on 8 Apr 2009 09:23

> I set up a simple form to save comments on my webpage, and after just one
> day of going live, I'm getting weird comments up like this
>
> declare @q varchar(8000) select @q =
> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>
> I don't recognise this code - is this an attempt to do something nefarious,
> or nothing I should worry about?

Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.

--
Richard Heyes

HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.net (Updated March 28th)
From: Andrew Ballard on 8 Apr 2009 09:39

On Wed, Apr 8, 2009 at 9:23 AM, Richard Heyes <richard(a)php.net> wrote:

>> I set up a simple form to save comments on my webpage, and after just one
>> day of going live, I'm getting weird comments up like this
>>
>> declare @q varchar(8000) select @q =
>> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>
>> I don't recognise this code - is this an attempt to do something nefarious,
>> or nothing I should worry about?
>
> Looks like it may be. As long as you escape your SQL correctly using
> mysql_real_escape_string() or the equivalent, you should be OK.
>
> --
> Richard Heyes
>
> HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
> http://www.rgraph.net (Updated March 28th)

It's probably someone testing to see if your site is running SQL Server and is vulnerable to SQL injection. Effectively all it does is issue the command WAITFOR DELAY '00:00:10', telling the server to wait for 10 seconds before allowing the connection to continue.

Andrew
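Andrew's reading can be checked mechanically. The following Python is an added example (not code from the thread or from any of the posters): it decodes `0x...` hex literals found in a submitted comment and flags the T-SQL fragments that a time-based injection probe typically carries, so comments like the one Jules received can be spotted in a moderation queue or log review. The sample comments, the pattern list and the function names are all constructed for this illustration.

```python
import re
from typing import List, Optional

# Constructed samples: the exact comment reported in the thread, plus an
# ordinary comment for contrast.
SAMPLE_COMMENTS = [
    "declare @q varchar(8000) select @q = "
    "0x57414954464F522044454C4159202730303A30303A313027 exec(@q)",
    "Great article, thanks for sharing!",
]

# A 0x-prefixed run of hex digits, as used by SQL Server for binary literals.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})\b")

# T-SQL fragments that have no business in a blog comment. Each is matched
# case-insensitively against the raw text and against any decoded hex.
SUSPICIOUS_PATTERNS = [
    (r"\bwaitfor\s+delay\b", "time-based probe (WAITFOR DELAY)"),
    (r"\bexec\s*\(", "dynamic SQL execution (EXEC)"),
    (r"\bdeclare\s+@\w+", "T-SQL variable declaration"),
    (r"\bxp_cmdshell\b", "OS command execution via xp_cmdshell"),
]


def decode_hex_literal(hex_digits: str) -> Optional[str]:
    """Decode the digits after a 0x prefix as ASCII text.

    Returns None when the digit count is odd or the bytes are not
    printable text (a genuine binary blob rather than smuggled SQL).
    """
    if len(hex_digits) % 2:
        return None
    try:
        text = bytes.fromhex(hex_digits).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_comment(comment: str) -> List[str]:
    """Return human-readable findings for one comment; empty means nothing flagged."""
    findings: List[str] = []
    decoded_parts: List[str] = []
    for match in HEX_LITERAL.finditer(comment):
        decoded = decode_hex_literal(match.group(1))
        if decoded is not None:
            decoded_parts.append(decoded)
            findings.append(f"hex literal decodes to {decoded!r}")
    # Search the original text and every decoded literal together, so a
    # keyword hidden inside the hex is caught as well as one in the clear.
    haystack = "\n".join([comment, *decoded_parts])
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, haystack, re.IGNORECASE):
            findings.append(label)
    return findings


if __name__ == "__main__":
    for text in SAMPLE_COMMENTS:
        print(repr(text[:60]))
        for finding in classify_comment(text) or ["no findings"]:
            print("   -", finding)
```

Run on the reported comment, the hex literal decodes to `WAITFOR DELAY '00:00:10'`, which is what Andrew describes: a delay that only appears if the text reached a SQL Server parser, so the sender can tell from response time whether the form is injectable.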
From: "Bob McConnell" on 8 Apr 2009 10:04

On Behalf Of Richard Heyes

>> I set up a simple form to save comments on my webpage, and after just one
>> day of going live, I'm getting weird comments up like this
>>
>> declare @q varchar(8000) select @q =
>> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>
>> I don't recognise this code - is this an attempt to do something nefarious,
>> or nothing I should worry about?
>
> Looks like it may be. As long as you escape your SQL correctly using
> mysql_real_escape_string() or the equivalent, you should be OK.

Let me see if I got this right. The data you got from the form tries to set up a local variable, assigns it a hex string as a value, then tries to execute it. That definitely looks like an attempt to crack your server. It looks like the semi-colons were removed somewhere, so none of it actually runs. But you would probably need a set of disassemblers to find out what CPU that code was written for and what it actually does.

Next question: You said there are multiple comments like this. How do they differ, if they do? Possibly they are trying code for different CPUs.

Did you trace these back to the logs to see if they all come from one IP or subnet? Is there anywhere to report these attempts that would actually do any good, or should you just ban that IP?

But this one goes into my journal as something to be prepared for.

Bob McConnell
From: 9el on 8 Apr 2009 10:48

On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell <rvm(a)cbord.com> wrote:

> On Behalf Of Richard Heyes
>
>>> I set up a simple form to save comments on my webpage, and after just one
>>> day of going live, I'm getting weird comments up like this
>>>
>>> declare @q varchar(8000) select @q =
>>> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>>
>>> I don't recognise this code - is this an attempt to do something nefarious,
>>> or nothing I should worry about?
>>
>> Looks like it may be. As long as you escape your SQL correctly using
>> mysql_real_escape_string() or the equivalent, you should be OK.
>
> Let me see if I got this right. The data you got from the form tries to
> set up a local variable, assigns it a hex string as a value, then tries
> to execute it. That definitely looks like an attempt to crack your
> server. It looks like the semi-colons were removed somewhere, so none of
> it actually runs. But you would probably need a set of disassemblers to
> find out what CPU that code was written for and what it actually does.
>
> Next question: You said there are multiple comments like this. How do
> they differ, if they do? Possibly they are trying code for different
> CPUs.
>
> Did you trace these back to the logs to see if they all come from one IP
> or subnet? Is there anywhere to report these attempts that would
> actually do any good, or should you just ban that IP?
>
> But this one goes into my journal as something to be prepared for.

I think the danger these codes have should be discussed well. And how to resist such attacks in your server and apps should also be discussed in greater depth.

regards
Lenin
www.twitter.com/nine_L
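Richard's advice (escape correctly, or use the equivalent) and Lenin's request for how to resist such input both come down to one rule: never let comment text reach the SQL parser as part of the statement. The following Python is an added example, not code from the thread; it uses the standard library's sqlite3 module as a stand-in for the PHP/MySQL setup being discussed, since the mechanism is identical in PDO or mysqli prepared statements. The table name, function names and sample comments are constructed for this illustration. The concatenating version shows how user text becomes grammar (an apostrophe alone is enough to break it); the parameterised version stores the probe from the thread as inert data.

```python
import sqlite3
from typing import Dict, List

# Constructed sample inputs: the probe reported in the thread, and an
# ordinary comment containing the apostrophe that naive quoting trips over.
PROBE = ("declare @q varchar(8000) select @q = "
         "0x57414954464F522044454C4159202730303A30303A313027 exec(@q)")
BENIGN = "Nice post, isn't it?"


def make_db() -> sqlite3.Connection:
    """In-memory database with a minimal comments table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    return conn


def save_comment_unsafe(conn: sqlite3.Connection, body: str) -> None:
    """String concatenation: the comment text is parsed as part of the SQL.

    Kept here only to show the failure mode; do not use this pattern.
    """
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")


def save_comment(conn: sqlite3.Connection, body: str) -> None:
    """Parameterised insert: the driver binds body as a value, never as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))


def fetch_bodies(conn: sqlite3.Connection) -> List[str]:
    """Read every stored comment back, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def demo() -> Dict[str, object]:
    """Exercise both paths and return what happened, for inspection or testing."""
    results: Dict[str, object] = {}
    conn = make_db()

    # The apostrophe in BENIGN ends the string literal early, so the rest of
    # the comment is handed to the SQL parser and the statement fails.
    try:
        save_comment_unsafe(conn, BENIGN)
        results["unsafe_benign"] = "inserted"
    except sqlite3.OperationalError as exc:
        results["unsafe_benign"] = f"SQL error: {exc}"

    # With placeholders, both the probe and the apostrophe are just text.
    for text in (PROBE, BENIGN):
        save_comment(conn, text)
    results["stored"] = fetch_bodies(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The stored rows come back byte-for-byte as submitted: the probe is saved as a string and never executed, and the apostrophe no longer matters. Escaping functions such as mysql_real_escape_string() achieve the same separation only when applied to every value on every query, which is why prepared statements are the equivalent to prefer.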