2009/4/8 9el <le...@phpxperts.net>:
> On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell <r...@cbord.com> wrote:
>> On Behalf Of Richard Heyes
>> >> I set up a simple form to save comments on my webpage, and after just
>> one
>> >> day of going live, i'm getting weird comments up like this
>> >>
>> >> declare @q varchar(8000) select @q =
>> >> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>> >>
>> >>
>> >> I don't recognise this code - is this an attempt to do something
>> nefarious,
>> >> or nothing I should worry about?
>> >
>> > Looks like it may be. As long as you escape you SQL correctly using
>> > mysql_real_escape_string() or the equivalent, you should be OK.
>> Let me see if I got this right. The data you got from the form tries to
>> set up a local variable, assigns it a hex string as a value, then tries
>> to execute it. That definitely looks like an attempt to crack your
>> server. It looks like the semi-colons were removed somewhere, so none of
>> it actually runs. But you would probably need a set of dis-assemblers to
>> find out what CPU that code was written for and what it actually does.
>> Next question: You said there are multiple comments like this. How do
>> they differ, if they do? Possibly they are trying code for different
>> CPUs.
>> Did you trace these back to the logs to see if they all come from one IP
>> or subnet? Is there anywhere to report these attempts that would
>> actually do any good, or should you just ban that IP.
>> But this one goes into my journal as something to be prepared for.
>> I think the danger these codes have should be discussed well. And how to
> resist such attacks in your server and apps should also be discussed in
> greater depth.
> regards
> Lenin
> www.twitter.com/nine_L

I just googled for that string. Seems like you are not the only
victim. Sadly, I can't give you any more advice.

Currently developing a browsergame...
Trade - Expand - Fight

Follow me on twitter!

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to