Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
Doulos
Life Cycles Becoming CPU Cycles


Joined: Jun 06, 2005
Posts: 626

PostPosted: Thu Jul 24, 2008 8:06 pm Reply with quote

Quote:
Date & Time: 2008-07-24 14:54:58 CDT GMT -0500
Blocked IP: 213.138.226.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; UGA6P)
HTTP Host: Only registered users can see links on this board! Get registered or login!
Script Name: /index.php
Query String: \';DECLARE @S CHAR(4000);SET @S=CAST(*load of numbers removed by admin* AS CHAR(4000));EXEC(@S);
Get String: ';DECLARE_@S_CHAR(4000);SET_@S=CAST( *load of numbers removed by admin* AS CHAR(4000));EXEC(@S);
Post String: Not Available
Forwarded For: 213.138.226.101
Client IP: none
Remote Address: 213.190.195.104
Remote Port: 10256
Request Method: GET
 
View user's profile Send private message
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Thu Jul 24, 2008 9:33 pm Reply with quote

I've gotten some of those also over the last two days. Just got two of them as I type this. It looks like he is using the CAST function to obscure some kind of shell command and then trying to EXEC it. However I was not aware that MySQL had an EXEC command. Perhaps he is confused and thinking we are using a different database backend. I'm no MySQL expert but the whole thing doesn't look right. Maybe it is targeted against a different backend than MySQL.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Thu Jul 24, 2008 10:18 pm Reply with quote

This seems to be an explaination Only registered users can see links on this board! Get registered or login!
CAST is used in MSSQL

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Gremmie
PostPosted: Fri Jul 25, 2008 6:58 am Reply with quote

Thanks for the link evaders99. There is a CAST in MySQL but the syntax is a little different. There is no EXEC function in MySQL that I know of. Anyway, the mysql PHP bindings only allow you to execute 1 MySQL statement at a time for safety. It sounded like that is normally the case in Cold Fusion, but it could be disabled for "performance".
 
Gremmie
PostPosted: Sat Aug 09, 2008 1:50 pm Reply with quote

I don't know about you guys, but in the last 30 or so hours I have gotten about 100 of these all of a sudden. This is the most I have been attacked ever. He/they keeps trying the same thing, even though its aimed at the wrong database. Morons.
 
Gremmie
PostPosted: Sat Aug 09, 2008 3:51 pm Reply with quote

And on and on and on. I'm getting about 4 of these every hour for the past 36 hours or so.
 
evaders99
PostPosted: Sat Aug 09, 2008 4:12 pm Reply with quote

Yep ditto. Also Bob send an email of the same thing
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Sat Aug 09, 2008 4:45 pm Reply with quote

Gremmie I quess you could also use .htaccess something like the rules here:

Scroll down.

Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Gremmie
PostPosted: Sat Aug 09, 2008 6:35 pm Reply with quote

Thanks Susann.

Here is what someone suggested:

Code:


RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
RewriteRule ^.* - [F,L]


I think I'll beef it up a bit, maybe make it DECLARE @S, as declare by itself is too common and may block legitimate queries?
 
Gremmie
PostPosted: Sat Aug 09, 2008 8:01 pm Reply with quote

I decided to trigger on "DECLARE @" which seems less likely in "normal" query strings.

This is what I came up with. I tested it too.

Code:


RewriteCond %{QUERY_STRING} ^.+DECLARE(%20)+@ [NC]
Rewriterule ^.* - [F,L]


Hopefully this should stop the hundreds of emails I am getting from Sentinel. Smile
 
Susann
PostPosted: Sun Aug 10, 2008 1:48 pm Reply with quote

Will test it but still no attacks.
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Mon Aug 18, 2008 5:56 pm Reply with quote

I did what Gremmie did but pushed it back to local host. Completely stopped the hundreds of emails.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
Gremmie
PostPosted: Mon Aug 18, 2008 7:17 pm Reply with quote

It stopped my avalanche of emails also. One could also add "DECLARE @S" to the string blocker in sentinel.
 
Misha
Worker
Worker


Joined: Jul 30, 2006
Posts: 203
Location: McLean, VA

PostPosted: Mon Aug 25, 2008 10:45 am Reply with quote

Wow! That helps! Thanks, guys! Smile

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1242

PostPosted: Mon Aug 25, 2008 10:58 am Reply with quote

I'll let you know how the .htaccess works as I've been getting hundreds daily on 4 domains.

Cheers, Jay
 
View user's profile Send private message
dad7732
PostPosted: Mon Aug 25, 2008 2:40 pm Reply with quote

Well now .. many hours have passed and not one single filter hack. And believe me, during these last few hours since the htaccess edit, I would have had at least 20 to 30 attempts logged by now.

Cheers
 
nb1
Regular
Regular


Joined: Mar 03, 2005
Posts: 94
Location: OZ

PostPosted: Tue Aug 26, 2008 7:35 am Reply with quote

Accessorize your Denial of Service or SQL Injection Attack
Only registered users can see links on this board! Get registered or login!
URLScan from Microsoft. Only registered users can see links on this board! Get registered or login!

_________________
Member Of The Windows Vista help and Support Community 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
dad7732
PostPosted: Tue Aug 26, 2008 8:19 am Reply with quote

Thanks, but URL Scan only works on IIs servers and not on *nix OS's. But ANY information provided can be put to good use, so thanks for that.

Also, the htaccess hack included above is working very well as I haven't received any block emails in almost 24 hrs since I edited all my domain's htaccess files.

Cheers
 
dad7732
PostPosted: Tue Aug 26, 2008 8:22 am Reply with quote

NOTE: Somebody with admin/moderator ability to edit posts needs to edit the first post in this thread to edit out the waaaayyyyy too long line that's causing the entire thread to be the same width as the loonnngggg line ... Thanks
 
Dawg
RavenNuke(tm) Development Team


Joined: Nov 07, 2003
Posts: 910

PostPosted: Tue Aug 26, 2008 8:22 am Reply with quote

God Bless You.....I run a BUNCH of RN sites and it was filling up my log files and E-mail box about as fast I could delete them.

Dave
 
View user's profile Send private message
nb1
PostPosted: Tue Aug 26, 2008 9:18 am Reply with quote

Thank you very much after talking via e-mail with montego I have applied the htaccess hack seems to be working well also added "DECLARE @S" to the string blocker in sentinel to but as we can see in the link as not only affecting nix OS's but IIs servers as well so any information provided can be put to good yes it can

It's really disheartening to see this sort of waste of energy - on both ends for those perpetrating these attacks as well as the hassle of having to prevent it or at least fend it off. We live in shitty times when this is somebody's way to amuse themselves
 
Gremmie
PostPosted: Tue Aug 26, 2008 11:25 am Reply with quote

Most of us Nuke people are probably using MySQL. The above SQL injection attack seems to be aimed at MSSQL and would not work on MySQL. Furthermore, the PHP MySQL bindings only allow one SQL statement per query, so this would FAIL again on Nuke.
 
dad7732
PostPosted: Tue Aug 26, 2008 12:06 pm Reply with quote

Thanks, I was wondering about that when I saw a breakdown on the script code itself. The best thing is now with the htaccess hack we don't have to be annoyed any longer by the hundreds of daily NS block emails .. Wink

Cheers
 
nb1
PostPosted: Tue Aug 26, 2008 1:45 pm Reply with quote

I am a Nuke person myself. The purpose of the post was to let people know there were other fixes for people running other than MySQL and Nuke. And what a wide range this particular vunerability/exploit, whatever you want to call it, is affecting web masters in general. And hopefully the information helps someone, and not to argue the point from which it is being attacked.

chips-ahoy
 
Gremmie
PostPosted: Tue Aug 26, 2008 3:17 pm Reply with quote

Well this is a Nuke forum. I doubt if anyone running ColdFusion is going to be reading this forum, unless they do a google search. I was just trying to say that it was totally ridiculous to aim this attack at a Nuke site. But the bad guys don't know that. They are just spraying this attack everywhere shotgun style and seeing what breaks. If we didn't run Sentinel we would never know about this attack unless we looked in our server logs because it would fail.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©