RE: Am I being hacked?

On Behalf Of Richard Heyes
>> I set up a simple form to save comments on my webpage, and after just one
>> day of going live, I'm getting weird comments up like this
>>
>> declare @q varchar(8000) select @q =
>> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>
>>
>> I don't recognise this code - is this an attempt to do something nefarious,
>> or nothing I should worry about?
> 
> Looks like it may be. As long as you escape your SQL correctly using
> mysql_real_escape_string() or the equivalent, you should be OK.

Let me see if I got this right. The data you got from the form tries to
set up a local variable, assigns it a hex string as a value, then tries
to execute it. That definitely looks like an attempt to crack your
server. It looks like the semi-colons were removed somewhere, so none of
it actually runs. But you would probably need a set of disassemblers to
find out what CPU that code was written for and what it actually does.

Next question: You said there are multiple comments like this. How do
they differ, if they do? Possibly they are trying code for different
CPUs.

Did you trace these back to the logs to see if they all come from one IP
or subnet? Is there anywhere to report these attempts that would
actually do any good, or should you just ban that IP?

But this one goes into my journal as something to be prepared for.

Bob McConnell

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
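
A way to triage stored comments like the one quoted above, as an added example that is not part of the original thread: it finds T-SQL hex literals in a comment and decodes them as text. The names scan_comment and decode_literal are assumptions made for this sketch, and it goes slightly beyond the quoted case by also trying UTF-16LE, the encoding an nvarchar literal would use.

```python
import re

# T-SQL binary literal: "0x" plus at least four hex-encoded bytes.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2}){4,})")
EXEC_CALL = re.compile(r"\bexec(?:ute)?\s*\(", re.IGNORECASE)

# Constructed sample: the comment text quoted in the thread above.
SAMPLE_COMMENT = (
    "declare @q varchar(8000) select @q = "
    "0x57414954464F522044454C4159202730303A30303A313027 exec(@q)"
)


def decode_literal(hex_digits):
    """Return the literal as text if it is printable ASCII, else None."""
    raw = bytes.fromhex(hex_digits)
    # varchar payloads are single-byte text; nvarchar payloads are UTF-16LE.
    for encoding in ("ascii", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text.isascii() and text.isprintable():
            return text
    return None


def scan_comment(comment):
    """List every hex literal in a stored comment with its decoded text."""
    findings = []
    for match in HEX_LITERAL.finditer(comment):
        findings.append({
            "literal": match.group(0),
            "decoded": decode_literal(match.group(1)),
            # True when the comment also tries to run a string as SQL.
            "passed_to_exec": bool(EXEC_CALL.search(comment)),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_comment(SAMPLE_COMMENT):
        print(finding)
```

Run over the quoted comment, the literal decodes to a SQL Server WAITFOR DELAY statement, which is plain text rather than machine code.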