2009/4/8 9el <lenin@xxxxxxxxxxxxx>:
> On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell <rvm@xxxxxxxxx> wrote:
>
>> On Behalf Of Richard Heyes
>>
>>>> I set up a simple form to save comments on my webpage, and after just
>>>> one day of going live, I'm getting weird comments up like this
>>>>
>>>> declare @q varchar(8000) select @q =
>>>> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>>>
>>>> I don't recognise this code - is this an attempt to do something
>>>> nefarious, or nothing I should worry about?
>>>
>>> Looks like it may be. As long as you escape your SQL correctly using
>>> mysql_real_escape_string() or the equivalent, you should be OK.
>>
>> Let me see if I got this right. The data you got from the form tries to
>> set up a local variable, assigns it a hex string as a value, then tries
>> to execute it. That definitely looks like an attempt to crack your
>> server. It looks like the semi-colons were removed somewhere, so none of
>> it actually runs. But you would probably need a set of dis-assemblers to
>> find out what CPU that code was written for and what it actually does.
>>
>> Next question: You said there are multiple comments like this. How do
>> they differ, if they do? Possibly they are trying code for different
>> CPUs.
>>
>> Did you trace these back to the logs to see if they all come from one IP
>> or subnet? Is there anywhere to report these attempts that would
>> actually do any good, or should you just ban that IP?
>>
>> But this one goes into my journal as something to be prepared for.
>
> I think the danger these codes have should be discussed well. And how to
> resist such attacks in your server and apps should also be discussed in
> greater depth.
>
> regards
>
> Lenin
>
> www.twitter.com/nine_L

I just googled for that string. Seems like you are not the only victim.
Sadly, I can't give you any more advice.

--
Currently developing a browsergame...
http://www.p-game.de
Trade - Expand - Fight
Follow me on twitter! http://twitter.com/moortier

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
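The thread never actually decodes the submitted string, so here is an added example (not code from any poster on the list) showing how a defender would triage such a comment: the 0x... literal is a plain ASCII hex encoding, and the one quoted above decodes to WAITFOR DELAY '00:00:10', a T-SQL time-delay statement used to probe for SQL injection rather than machine code for any CPU. The script decodes hex literals in submitted comments, flags the T-SQL pattern, and then stores the same inputs through a parameterized query so the payload is kept as inert text. The benign sample comments, the keyword list and the sqlite3 table are my own constructions for the example; the only real input is the string from the original post.

```python
import re
import sqlite3

# Constructed sample submissions. The first one is the payload quoted in the
# thread; the others are made up here to show what is and is not flagged.
SAMPLE_COMMENTS = [
    "declare @q varchar(8000) select @q = "
    "0x57414954464F522044454C4159202730303A30303A313027 exec(@q)",
    "Nice site, thanks for the tutorial!",
    "my favourite hex literal is 0x48656C6C6F",  # decodes to the word "Hello"
]

# A T-SQL style hex literal: 0x followed by an even number of hex digits.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")

# Plain-text markers of the "declare/select/exec" pattern seen in the thread.
TSQL_MARKERS = ("DECLARE @", "EXEC(")


def decode_hex_literals(text):
    """Return the ASCII decoding of every 0x... literal found in the text.

    Literals with an odd digit count or non-ASCII bytes are skipped, so a
    stray "0x1" in an ordinary comment does not raise.
    """
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(digits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def classify_comment(text):
    """Return the reasons a comment looks like a SQL injection probe (empty if none)."""
    reasons = []
    upper = text.upper()
    for marker in TSQL_MARKERS:
        if marker in upper:
            reasons.append("contains T-SQL marker %r" % marker)
    for plain in decode_hex_literals(text):
        if "WAITFOR DELAY" in plain.upper():
            reasons.append("hex literal decodes to time-delay probe %r" % plain)
    return reasons


def store_comments_safely(comments):
    """Insert comments with a parameterized query and read them back.

    Uses an in-memory sqlite3 database (constructed for the example). Because
    the body is bound as a parameter, the payload is stored as literal text
    and never reaches the SQL parser as a statement.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO comments (body) VALUES (?)", [(c,) for c in comments])
    rows = [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]
    conn.close()
    return rows


def triage(comments):
    """Map each comment to its list of reasons, for logging or review."""
    return {comment: classify_comment(comment) for comment in comments}


if __name__ == "__main__":
    for comment, reasons in triage(SAMPLE_COMMENTS).items():
        status = "FLAGGED" if reasons else "ok"
        print("%-7s %s" % (status, comment[:60]))
        for reason in reasons:
            print("        - " + reason)
    print("stored rows:", len(store_comments_safely(SAMPLE_COMMENTS)))
```

Flagging on the decoded text rather than on the raw hex matters: the literal "0x48656C6C6F" in the third sample is a perfectly valid hex literal but decodes to a harmless word, so it is not reported, while the thread's payload is reported for all three reasons (the DECLARE, the EXEC and the decoded WAITFOR DELAY). In PHP the equivalent of store_comments_safely is a prepared statement with a bound parameter, which covers the same ground as the mysql_real_escape_string() advice given in the thread.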