On Wed, Apr 8, 2009 at 10:04 AM, Bob McConnell <rvm@xxxxxxxxx> wrote: > On Behalf Of Richard Heyes >>> I set up a simple form to save comments on my webpage, and after just > one >>> day of going live, i'm getting weird comments up like this >>> >>> declare @q varchar(8000) select @q = >>> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q) >>> >>> >>> I don't recognise this code - is this an attempt to do something > nefarious, >>> or nothing I should worry about? >> >> Looks like it may be. As long as you escape you SQL correctly using >> mysql_real_escape_string() or the equivalent, you should be OK. > > Let me see if I got this right. The data you got from the form tries to > set up a local variable, assigns it a hex string as a value, then tries > to execute it. That definitely looks like an attempt to crack your > server. It looks like the semi-colons were removed somewhere, so none of > it actually runs. But you would probably need a set of dis-assemblers to > find out what CPU that code was written for and what it actually does. > > Next question: You said there are multiple comments like this. How do > they differ, if they do? Possibly they are trying code for different > CPUs. > > Did you trace these back to the logs to see if they all come from one IP > or subnet? Is there anywhere to report these attempts that would > actually do any good, or should you just ban that IP. > > But this one goes into my journal as something to be prepared for. > > Bob McConnell > You don't need a disassembler; I already said what that string is intended to do. If it is allowed to run on Microsoft's SQL Server, the hex value is implicitly converted to the string "WAITFOR DELAY '00:00:10'", which is then executed. It doesn't require semi-colons, as SQL Server doesn't need them between statements. This particular command is relatively harmless by itself. Its value lies in the fact that if it causes the resulting page to take more than 10 seconds to load, the attacker knows that your page is wide open to SQL injection as well as knowing that he can execute anything he wants. If you're running MySQL, this won't work so you should be unaffected. Just make sure your code is written to prevent SQL injection and you should be fine. I suppose if you get a lot of these requests from the same IP address you could have the web server block requests from that IP. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
