Re: Am I being hacked?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2009/4/8 9el <lenin@xxxxxxxxxxxxx>:
> On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell <rvm@xxxxxxxxx> wrote:
>
>> On Behalf Of Richard Heyes
>> >> I set up a simple form to save comments on my webpage, and after just
>> one
>> >> day of going live, i'm getting weird comments up like this
>> >>
>> >> declare @q varchar(8000) select @q =
>> >> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>> >>
>> >>
>> >> I don't recognise this code - is this an attempt to do something
>> nefarious,
>> >> or nothing I should worry about?
>> >
>> > Looks like it may be. As long as you escape you SQL correctly using
>> > mysql_real_escape_string() or the equivalent, you should be OK.
>>
>> Let me see if I got this right. The data you got from the form tries to
>> set up a local variable, assigns it a hex string as a value, then tries
>> to execute it. That definitely looks like an attempt to crack your
>> server. It looks like the semi-colons were removed somewhere, so none of
>> it actually runs. But you would probably need a set of dis-assemblers to
>> find out what CPU that code was written for and what it actually does.
>>
>> Next question: You said there are multiple comments like this. How do
>> they differ, if they do? Possibly they are trying code for different
>> CPUs.
>>
>> Did you trace these back to the logs to see if they all come from one IP
>> or subnet? Is there anywhere to report these attempts that would
>> actually do any good, or should you just ban that IP.
>>
>> But this one goes into my journal as something to be prepared for.
>>
>> I think the danger these codes have should be discussed well. And how to
> resist such attacks in your server and apps should also be discussed in
> greater depth.
>
> regards
>
> Lenin
>
> www.twitter.com/nine_L
>


I just googled for that string. Seems like you are not the only
victim. Sadly, I can't give you any more advice.


-- 
Currently developing a browsergame...
http://www.p-game.de
Trade - Expand - Fight

Follow me on twitter!
http://twitter.com/moortier

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux