Looks like an attempt to get your SQL server to execute a command. Microsoft SQL Server will do that (among others), and if not properly set up can do it with root access. If you don't properly escape and store this comment in a database, it could execute (called SQL injection, no?).

Warren Vail

> -----Original Message-----
> From: Yannick Mortier [mailto:mvmortier@xxxxxxxxxxxxxx]
> Sent: Wednesday, April 08, 2009 8:07 AM
> To: 9el
> Cc: Bob McConnell; Richard Heyes; julian haffegee; PHP Mailing List
> Subject: Re: Am I being hacked?
>
> 2009/4/8 9el <lenin@xxxxxxxxxxxxx>:
> > On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell <rvm@xxxxxxxxx> wrote:
> >
> >> On Behalf Of Richard Heyes
> >> >> I set up a simple form to save comments on my webpage, and after
> >> >> just one day of going live, I'm getting weird comments up like this
> >> >>
> >> >> declare @q varchar(8000) select @q =
> >> >> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
> >> >>
> >> >> I don't recognise this code - is this an attempt to do something
> >> >> nefarious, or nothing I should worry about?
> >> >
> >> > Looks like it may be. As long as you escape your SQL correctly using
> >> > mysql_real_escape_string() or the equivalent, you should be OK.
> >>
> >> Let me see if I got this right. The data you got from the form tries
> >> to set up a local variable, assigns it a hex string as a value, then
> >> tries to execute it. That definitely looks like an attempt to crack
> >> your server. It looks like the semi-colons were removed somewhere, so
> >> none of it actually runs. But you would probably need a set of
> >> disassemblers to find out what CPU that code was written for and what
> >> it actually does.
> >>
> >> Next question: You said there are multiple comments like this. How do
> >> they differ, if they do? Possibly they are trying code for different
> >> CPUs.
> >>
> >> Did you trace these back to the logs to see if they all come from one
> >> IP or subnet? Is there anywhere to report these attempts that would
> >> actually do any good, or should you just ban that IP?
> >>
> >> But this one goes into my journal as something to be prepared for.
> >
> > I think the danger these codes have should be discussed well. And how
> > to resist such attacks in your server and apps should also be discussed
> > in greater depth.
> >
> > regards
> >
> > Lenin
> >
> > www.twitter.com/nine_L
>
> I just googled for that string. Seems like you are not the only victim.
> Sadly, I can't give you any more advice.
>
> --
> Currently developing a browsergame...
> http://www.p-game.de
> Trade - Expand - Fight
>
> Follow me on twitter!
> http://twitter.com/moortier
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
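The thread leaves two practical questions open: what the hex literal actually contains, and how a site owner should store and triage comments like this. The following is an added example written for this page, not code from any participant in the thread. It decodes the literal as the T-SQL driver would (the bytes spell WAITFOR DELAY '00:00:10', a timing probe for a SQL Server backend rather than CPU-specific machine code), flags the comment with simple defender-side patterns, stores it through a bound parameter so the text is inert data, and groups POSTs per client address over a few constructed log lines to answer the "one IP or subnet?" question. The SQLite table and the log lines are stand-ins constructed for the example.

```python
import re
import sqlite3
from collections import Counter

# The comment body exactly as quoted in the thread.
OBSERVED_COMMENT = (
    "declare @q varchar(8000) select @q = "
    "0x57414954464F522044454C4159202730303A30303A313027 exec(@q)"
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")


def decode_hex_literals(text):
    """Decode every T-SQL style 0x... literal in `text` as ASCII.

    The payload in the thread is not machine code: the hex is a T-SQL
    statement spelled out byte by byte so it survives naive keyword
    filters and quote escaping on the way to exec().
    """
    out = []
    for h in HEX_LITERAL.findall(text):
        if len(h) % 2:          # an odd nibble count cannot be a byte string
            h = "0" + h
        out.append(bytes.fromhex(h).decode("ascii", errors="replace"))
    return out


# Things a blog comment has no legitimate reason to contain.
SUSPICIOUS = {
    "tsql_declare": re.compile(r"\bdeclare\s+@\w+", re.I),
    "tsql_exec": re.compile(r"\bexec(?:ute)?\s*\(", re.I),
    "tsql_waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "long_hex_literal": re.compile(r"0x[0-9a-f]{16,}", re.I),
}


def classify_comment(text):
    """Return the sorted names of the patterns that fire on `text`.

    Decoded hex literals are appended to the haystack, so the encoded
    WAITFOR DELAY is caught even though it never appears in clear text.
    """
    haystack = text + "\n" + "\n".join(decode_hex_literals(text))
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(haystack))


def new_comment_store():
    """In-memory SQLite table standing in for the site's comments table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_comment(conn, author, body):
    """Insert with bound parameters and read the row back.

    The driver sends `body` as data, never as part of the statement, so the
    DECLARE/EXEC text is stored inertly. This is the parameterised form of
    the mysql_real_escape_string() advice given in the thread.
    """
    cur = conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (cur.lastrowid,)).fetchone()
    return row[0]


# Constructed access-log lines (not from the thread) in common log format,
# to show the grouping Bob asks about: do the submissions share a source?
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2009:07:51:02 +0000] "POST /comment.php HTTP/1.1" 200 512
198.51.100.23 - - [08/Apr/2009:07:52:10 +0000] "GET /index.php HTTP/1.1" 200 4096
203.0.113.7 - - [08/Apr/2009:07:53:44 +0000] "POST /comment.php HTTP/1.1" 200 512
203.0.113.7 - - [08/Apr/2009:07:55:01 +0000] "POST /comment.php HTTP/1.1" 200 512
"""


def posts_by_source(log_text, path="/comment.php"):
    """Count POSTs to the comment handler per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) > 6 and parts[5] == '"POST' and parts[6] == path:
            counts[parts[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(decode_hex_literals(OBSERVED_COMMENT))   # ["WAITFOR DELAY '00:00:10'"]
    print(classify_comment(OBSERVED_COMMENT))
    conn = new_comment_store()
    print(store_comment(conn, "anon", OBSERVED_COMMENT) == OBSERVED_COMMENT)
    print(posts_by_source(SAMPLE_LOG))
```

The decoded string shows why the comment form is the wrong place to judge severity: a ten-second WAITFOR DELAY does no damage by itself, it measures whether the submitted text reached a SQL Server and was executed. If the stored comment round-trips unchanged through a parameterised insert, as above, the probe is inert; the same text concatenated into a query string would not be.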