Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.4.x
ons
New Member
Joined: Jul 16, 2006
Posts: 6

Posted: Mon Jul 24, 2006 2:01 pm

Hi there, I am in the process of updating and maintaining a small community website running RavenNuke76 v2.02.02 - Version 2.4.2pl5 of Sentinel.
Today, while looking through the Sentinel logs, I noticed 5 hits from Turkey, and they were each a different UNION SELECT hack attempt - the details are as follows:

  • 88.224.75.139 (tr) Turkey 2006-07-24 @ 12:22:10 1
  • 81.213.163.113 (tr) Turkey 2006-07-18 @ 23:39:14 2
  • 81.213.68.249 (tr) Turkey 2006-07-24 @ 03:15:12 1
  • 85.107.32.221 (tr) Turkey 2006-07-24 @ 08:59:53 3
  • 85.106.180.86 (tr) Turkey 2006-07-24 @ 14:03:41 3


The hack attempts are as follows:

  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-24 @ 12:22:10
  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-18 @ 23:39:14
  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-18 @ 23:36:55
  • /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* 2006-07-24 @ 03:15:12
  • /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories 2006-07-24 @ 08:59:52
  • /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories 2006-07-24 @ 14:03:41


My problem is no hack attempt was reported - no email received - no blocked IP added to the .htaccess file.

I attempted to visit /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories and it did indeed detect a hack attempt and fire off an email and attempt a ban - however I was logged on as an admin so it was ignored as expected.

Could someone advise on why no hack attempt was specified here please?

On another note - Where could I find updated versions of NukeSentinel? - I believe 2.4.2pl5 is a bit out of date?

Thanks very much.
 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Jul 24, 2006 2:32 pm

I've tried to replicate the hacks on two systems (one test, one production) that I run. I don't get anywhere with them: one generates a 406 Not Acceptable and another can't find a module with the name in the hack. So they don't get as far as Sentinel. Do you have any evidence that the hacks worked on your site?

The latest Sentinel is on Nukescripts.net. It's 2.5.0 or something like that.
 
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437

Posted: Mon Jul 24, 2006 2:34 pm

What was the result of that attempt? If it's already blocked at the server level (i.e. in htaccess), it won't trigger another message, but you will see a different result code.

_________________
I search, therefore I exist...

ons

Posted: Mon Jul 24, 2006 2:50 pm

The result of my attempt with the /modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories was a redirection to the "You have been blocked from entering this site. You have attempted a Union attack on this site" page - an email was sent to me, however as I am logged on as an admin no block was added.

I did the same from a proxy and same page / email and deny from <ip> was added to the .htaccess folder - then access was no longer possible.

The script seems to be working well when I test it - however it was just those 5 attacks that made me think something is wrong.

I then attempted the /modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* and was given the same hack detected message.

I may attempt to upgrade to 2.5.0 and possibly ban Turkey from accessing the website.
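
As an added illustration (not part of the thread and not NukeSentinel's own code), this Python example shows one way to re-check logged request URIs for the two UNION patterns quoted in the posts, including the `/**/` comment-separated form. The sample entries are constructed from the strings in the posts with documentation IP addresses, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# SQL block comments such as /**/ are used in the logged requests in place of spaces.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# UNION [ALL|DISTINCT] SELECT, case-insensitive, once whitespace is normalised.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b", re.I)


def normalize(uri: str) -> str:
    """Decode a request URI and flatten comments/whitespace before matching."""
    text = unquote_plus(uri)              # %20 and + become spaces; bad escapes stay literal
    text = BLOCK_COMMENT.sub(" ", text)   # /**/ -> single space
    return re.sub(r"\s+", " ", text)


def is_union_attempt(uri: str) -> bool:
    """True when the normalised URI contains a UNION ... SELECT sequence."""
    return UNION_SELECT.search(normalize(uri)) is not None


def hits_by_ip(entries):
    """Count flagged requests per source address from (ip, uri) pairs."""
    return Counter(ip for ip, uri in entries if is_union_attempt(uri))


# Constructed sample: URIs copied from the posts, RFC 5737 documentation IPs.
SAMPLE = [
    ("192.0.2.10", r"/modules.php?query=p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*"),
    ("192.0.2.11", r"/modules.php?query=s%\')/**/UNION/**/SELECT/**/0,aid,0,pwd,0,0,0,0,0,0/**/FROM/**/nuke_authors/*&topic=&category=0&author=&days=0&type=stories"),
    # Same request as the first entry, as a log that stores spaces percent-encoded would show it.
    ("192.0.2.10", r"/modules.php?query=p0hh0nsee%\')%20UNION%20ALL%20SELECT%201,2,aid,pwd,5,6,7,8,9,10%20FROM%20nuke_authors/*"),
    # Benign search that merely contains the word "union".
    ("192.0.2.12", "/modules.php?name=Search&query=student+union+elections"),
]

if __name__ == "__main__":
    for ip, count in sorted(hits_by_ip(SAMPLE).items()):
        print(f"{ip}\t{count} flagged request(s)")
```

Comparing the flagged addresses against the `deny from` entries in `.htaccess` shows which logged attempts were never followed by a block.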
 
All times are GMT - 6 Hours
 