On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell <r...@cbord.com> wrote:
> On Behalf Of Richard Heyes
> >> I set up a simple form to save comments on my webpage, and after just
> >> a day of going live, I'm getting weird comments showing up like this
> >> declare @q varchar(8000) select @q =
> >> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
> >> I don't recognise this code - is this an attempt to do something
> >> or nothing I should worry about?
> > Looks like it may be. As long as you escape your SQL correctly using
> > mysql_real_escape_string() or the equivalent, you should be OK.
> Let me see if I got this right. The data you got from the form tries to
> set up a local variable, assigns it a hex string as a value, then tries
> to execute it. That definitely looks like an attempt to crack your
> server. It looks like the semi-colons were removed somewhere, so none of
> it actually runs. But you would probably need a set of dis-assemblers to
> find out what CPU that code was written for and what it actually does.
> Next question: You said there are multiple comments like this. How do
> they differ, if they do? Possibly they are trying code for different
> Did you trace these back to the logs to see if they all come from one IP
> or subnet? Is there anywhere to report these attempts that would
> actually do any good, or should you just ban that IP?
> But this one goes into my journal as something to be prepared for.
> I think the danger these codes have should be discussed well. And how to
resist such attacks in your server and apps should also be discussed in
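An added example, not from anyone in this thread: the hex literal in the posted comment is plain ASCII, and decoding it shows what the submitted SQL would have run (the literal decodes to `WAITFOR DELAY '00:00:10'`, a T-SQL time-delay statement, which is the usual probe for time-based blind SQL injection). The rest of the script is a constructed SQLite demo of the two ways a comment form might build its INSERT: string concatenation, which breaks (or worse, is rewritten) as soon as a comment contains a quote, versus a placeholder-bound query, the "equivalent" of escaping mentioned above, which stores the attack string verbatim as data. The table name and helper names are assumptions for the demo.

```python
import sqlite3

# Hex literal copied from the posted comment; everything else in this file
# (table name, sample comments) is constructed for the demo.
POSTED_HEX = "0x57414954464F522044454C4159202730303A30303A313027"


def decode_hex_literal(literal):
    """Turn a T-SQL style 0x... literal into the text it encodes."""
    digits = literal[2:] if literal[:2].lower() == "0x" else literal
    return bytes.fromhex(digits).decode("ascii")


def open_db():
    """In-memory stand-in for the comments table behind the form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    return conn


def insert_by_concatenation(conn, comment):
    """The pattern the thread warns against: user text spliced into the SQL.
    Returns True if the statement ran, False if the comment broke the query,
    i.e. the database parsed part of the comment as SQL."""
    sql = "INSERT INTO comments (body) VALUES ('" + comment + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def insert_parameterized(conn, comment):
    """Placeholder binding: the driver passes the comment as data, so quotes,
    keywords and hex literals in it are stored verbatim, never executed."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    conn.commit()
    return True


def stored_bodies(conn):
    """All comment bodies in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY rowid")]


if __name__ == "__main__":
    print("hex literal decodes to:", decode_hex_literal(POSTED_HEX))
    conn = open_db()
    attack = "declare @q varchar(8000) select @q = " + POSTED_HEX + " exec(@q)"
    print("concatenated, plain text:", insert_by_concatenation(conn, "nice post"))
    print("concatenated, with a quote:", insert_by_concatenation(conn, "it's broken"))
    print("parameterized, attack string:", insert_parameterized(conn, attack))
    print("stored:", stored_bodies(conn))
```

Decoding the literal is the quick check to run on any such comment before guessing what it does; binding the comment as a parameter is what makes the stored string harmless regardless of its content.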