Got this email, what is he doing?

Posted: Thu Jul 24, 2008 8:06 pm

Quote:

Date & Time: 2008-07-24 14:54:58 CDT GMT -0500
Blocked IP: 213.138.226.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; UGA6P)
HTTP Host: www.clanfga.com
Script Name: /index.php
Query String: \';DECLARE @S CHAR(4000);SET @S=CAST(*load of numbers removed by admin* AS CHAR(4000));EXEC(@S);
Get String: ';DECLARE_@S_CHAR(4000);SET_@S=CAST( *load of numbers removed by admin* AS CHAR(4000));EXEC(@S);
Post String: Not Available
Forwarded For: 213.138.226.101
Client IP: none
Remote Address: 213.190.195.104
Remote Port: 10256
Request Method: GET

registered · Posted: Thu Jul 24, 2008 9:33 pm

I've gotten some of those also over the last two days. Just got two of them as I type this. It looks like he is using the CAST function to obscure some kind of shell command and then trying to EXEC it. However I was not aware that MySQL had an EXEC command. Perhaps he is confused and thinking we are using a different database backend. I'm no MySQL expert but the whole thing doesn't look right. Maybe it is targeted against a different backend than MySQL.

registered · Posted: Thu Jul 24, 2008 10:18 pm

This seems to be an explaination
http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII
CAST is used in MSSQL

Posted: Fri Jul 25, 2008 6:58 am

Thanks for the link evaders99. There is a CAST in MySQL but the syntax is a little different. There is no EXEC function in MySQL that I know of. Anyway, the mysql PHP bindings only allow you to execute 1 MySQL statement at a time for safety. It sounded like that is normally the case in Cold Fusion, but it could be disabled for "performance".

Posted: Sat Aug 09, 2008 1:50 pm

I don't know about you guys, but in the last 30 or so hours I have gotten about 100 of these all of a sudden. This is the most I have been attacked ever. He/they keeps trying the same thing, even though its aimed at the wrong database. Morons.

Posted: Sat Aug 09, 2008 3:51 pm

And on and on and on. I'm getting about 4 of these every hour for the past 36 hours or so.

Posted: Sat Aug 09, 2008 4:12 pm

Yep ditto. Also Bob send an email of the same thing

Posted: Sat Aug 09, 2008 4:45 pm

Gremmie I quess you could also use .htaccess something like the rules here:

Scroll down.

http://treyford.wordpress.com/2008/04/30/scary-mass-sql-attack/

Posted: Sat Aug 09, 2008 6:35 pm

Thanks Susann.

Here is what someone suggested:

Code:




RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]


RewriteRule ^.* - [F,L]

I think I'll beef it up a bit, maybe make it DECLARE @S, as declare by itself is too common and may block legitimate queries?

Posted: Sat Aug 09, 2008 8:01 pm

I decided to trigger on "DECLARE @" which seems less likely in "normal" query strings.

This is what I came up with. I tested it too.

Code:




RewriteCond %{QUERY_STRING} ^.+DECLARE(%20)+@ [NC]


Rewriterule ^.* - [F,L]

Hopefully this should stop the hundreds of emails I am getting from Sentinel. Smile

Posted: Sun Aug 10, 2008 1:48 pm

Will test it but still no attacks.

registered · Posted: Mon Aug 18, 2008 5:56 pm

I did what Gremmie did but pushed it back to local host. Completely stopped the hundreds of emails.

Posted: Mon Aug 18, 2008 7:17 pm

It stopped my avalanche of emails also. One could also add "DECLARE @S" to the string blocker in sentinel.

registered · Posted: Mon Aug 25, 2008 10:45 am

Wow! That helps! Thanks, guys! Smile

Posted: Mon Aug 25, 2008 10:58 am

I'll let you know how the .htaccess works as I've been getting hundreds daily on 4 domains.

Cheers, Jay

Posted: Mon Aug 25, 2008 2:40 pm

Well now .. many hours have passed and not one single filter hack. And believe me, during these last few hours since the htaccess edit, I would have had at least 20 to 30 attempts logged by now.

Cheers

Regular Joined: Mar 03, 2005 Posts: 94 Location: OZ

Accessorize your Denial of Service or SQL Injection Attack

http://www.bloggapedia.com/blog_post.php?p=Accessorize-your-Denial-of-Service-or-SQL-Injection-Attack-313313
URLScan from Microsoft.
http://technet.microsoft.com/en-us/security/cc242650.aspx

Posted: Tue Aug 26, 2008 8:19 am

Thanks, but URL Scan only works on IIs servers and not on *nix OS's. But ANY information provided can be put to good use, so thanks for that.

Also, the htaccess hack included above is working very well as I haven't received any block emails in almost 24 hrs since I edited all my domain's htaccess files.

Cheers

Posted: Tue Aug 26, 2008 8:22 am

NOTE: Somebody with admin/moderator ability to edit posts needs to edit the first post in this thread to edit out the waaaayyyyy too long line that's causing the entire thread to be the same width as the loonnngggg line ... Thanks

Posted: Tue Aug 26, 2008 8:22 am

God Bless You.....I run a BUNCH of RN sites and it was filling up my log files and E-mail box about as fast I could delete them.

Dave

Posted: Tue Aug 26, 2008 9:18 am

Thank you very much after talking via e-mail with montego I have applied the htaccess hack seems to be working well also added "DECLARE @S" to the string blocker in sentinel to but as we can see in the link as not only affecting nix OS's but IIs servers as well so any information provided can be put to good yes it can

It's really disheartening to see this sort of waste of energy - on both ends for those perpetrating these attacks as well as the hassle of having to prevent it or at least fend it off. We live in shitty times when this is somebody's way to amuse themselves

Posted: Tue Aug 26, 2008 11:25 am

Most of us Nuke people are probably using MySQL. The above SQL injection attack seems to be aimed at MSSQL and would not work on MySQL. Furthermore, the PHP MySQL bindings only allow one SQL statement per query, so this would FAIL again on Nuke.

Posted: Tue Aug 26, 2008 12:06 pm

Thanks, I was wondering about that when I saw a breakdown on the script code itself. The best thing is now with the htaccess hack we don't have to be annoyed any longer by the hundreds of daily NS block emails .. Wink

Cheers

Posted: Tue Aug 26, 2008 1:45 pm

I am a Nuke person myself. The purpose of the post was to let people know there were other fixes for people running other than MySQL and Nuke. And what a wide range this particular vunerability/exploit, whatever you want to call it, is affecting web masters in general. And hopefully the information helps someone, and not to argue the point from which it is being attacked.

chips-ahoy

Posted: Tue Aug 26, 2008 3:17 pm

Well this is a Nuke forum. I doubt if anyone running ColdFusion is going to be reading this forum, unless they do a google search. I was just trying to say that it was totally ridiculous to aim this attack at a Nuke site. But the bad guys don't know that. They are just spraying this attack everywhere shotgun style and seeing what breaks. If we didn't run Sentinel we would never know about this attack unless we looked in our server logs because it would fail.