A new attack in the wild, and in my logs
By joe
Have a look at this (safe, defanged) from a request:
?%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F4375 .... 655F437572736F72%20AS%20CHAR(4000));EXEC(@S);
Neat… huh? Direct injection attack. Removed most of the payload.
Didn’t succeed. Came from Malaysia:
60.48.212.49 | MYS, Johor Bahru | 23-Jul 12:30:41 | /?';DECLARE%2...0));EXEC(@S);
60.48.212.49 | MYS, Johor Bahru | 23-Jul 12:30:41 | /?;DECLARE%20...0));EXEC(@S);
And Brooklyn
24.184.25.236 | USA, Brooklyn | 23-Jul 12:04:02 | /?';DECLARE%2...0));EXEC(@S);
24.184.25.236 | USA, Brooklyn | 23-Jul 12:04:02 | /?;DECLARE%20...0));EXEC(@S);
and China
116.18.42.203 | CHN, Guangzhou | 23-Jul 16:56:25 | /?;DECLARE%20...0));EXEC(@S);
116.18.42.203 | CHN, Guangzhou | 23-Jul 16:56:25 | /?';DECLARE%2...0));EXEC(@S);
and Turkey
81.214.134.85 | TUR, Istanbul | 23-Jul 14:14:50 | /?';DECLARE%2...0));EXEC(@S);
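As an added example (my code, not the author's), here is a small Python detector for the pattern in the request above: it URL-decodes each logged query string, matches the DECLARE/SET CAST(0x...)/EXEC shape, and decodes the hex literal so you can see what EXEC would have run. The log format and the hex payload below are constructed for the example; they are not taken from the post.

```python
import re
from urllib.parse import unquote

# Signature of the wave described in the post, matched on the URL-decoded query
# string: DECLARE a CHAR variable, SET it from a hex literal via CAST, EXEC it.
INJECTION_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+CHAR\(\d+\)\s*;\s*"
    r"SET\s+@\1\s*=\s*CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+CHAR\(\d+\)\s*\)\s*;\s*"
    r"EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)

def decode_hex_payload(hex_digits):
    """Decode the 0x literal as SQL Server's CAST(... AS CHAR) would: one byte per
    character. Returns None when the literal is truncated (odd digit count)."""
    if len(hex_digits) % 2:
        return None
    return bytes.fromhex(hex_digits).decode("latin-1")

def inspect_request(path):
    """Return (flagged, decoded_payload) for one request path. Decoding the URL
    first matters: the live requests used %20 for every space."""
    match = INJECTION_RE.search(unquote(path))
    if not match:
        return False, None
    return True, decode_hex_payload(match.group(2))

def scan_log(lines):
    """Return [(client_ip, decoded_payload)] for matching lines of an
    'ip date time path' log (the hypothetical format used below)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        flagged, payload = inspect_request(fields[-1])
        if flagged:
            hits.append((fields[0], payload))
    return hits

# Constructed sample data: a harmless statement hex-encoded the same way the
# real payload was, plus one ordinary request. Not taken from the post's logs.
SAMPLE_HEX = "SELECT 1 -- constructed sample".encode("ascii").hex().upper()
SAMPLE_LOG = [
    "192.0.2.10 23-Jul 12:30:41 /?%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX + "%20AS%20CHAR(4000));EXEC(@S);",
    "192.0.2.20 23-Jul 12:31:07 /index.php?page=about",
]
```

Running `scan_log(SAMPLE_LOG)` flags only the first line and returns the decoded statement alongside the client IP; a truncated hex literal (as in the defanged request above) is still flagged, with the payload reported as None.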
If you own one of those IPs, it is likely you are no longer in control of your machine. If you do, and you did this, then you are a baaaad person. Very baaaad. Specifically:
whois 24.184.25.236
Optimum Online (Cablevision Systems) OOL-2BLK (NET-24-184-0-0-1)
24.184.0.0 - 24.187.255.255
Optimum Online (Cablevision Systems) OOL-CPE-NYK4NY-24-184-24-0-22 (NET-24-184-24-0-1)
24.184.24.0 - 24.184.27.255
# ARIN WHOIS database, last updated 2008-07-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Sad.