Hi Invenio devs,

Lately we have had several attempts from an agent named 'czxt2s' that repeatedly tries to inject certain SQL code into the URL of our Invenio server. The injection is unsuccessful, but an exception is produced every time. Where could I put some code to deny access to our server from that specific agent?


The produced exception follows (the IP is different every time):
>>> Registered exception
2010-06-22 23:19:22 -> ValueError: invalid literal for int(): 1' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='

>>> >>> User details
       agent: czxt2s
apache_group: []
 apache_user: None
       email: guest
       group: []
       guest: 1
  last_login: 1970-01-01 00:00:00
    nickname:
     referer: <>
 remote_host:
   remote_ip: 201.227.166.225
         uid: 0
uri: </record/113780/files/diplomatikh_androutsou_2009.pdf?version=1'%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0%20and%20''='>

>>> >>> Traceback details
Forced traceback (most recent call last)
File "//usr/lib/python2.4/site-packages/mod_python/importer.py", line 1229, in _process_target
    result = _execute_target(config, req, object, arg)
File "//usr/lib/python2.4/site-packages/mod_python/importer.py", line 1128, in _execute_target
    result = object(arg)
File "/usr/lib/python2.4/site-packages/invenio/webinterface_handler.py", line 298, in _profiler
    return _handler(req)
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/invenio/webinterface_handler.py", line 316, in _handler
    return root._traverse(req, path)
File "/usr/lib/python2.4/site-packages/invenio/webinterface_handler.py", line 195, in _traverse
    return obj._traverse(req, path)
File "/usr/lib/python2.4/site-packages/invenio/webinterface_handler.py", line 195, in _traverse
    return obj._traverse(req, path)
File "/usr/lib/python2.4/site-packages/invenio/webinterface_handler.py", line 210, in _traverse
    result = _check_result(req, obj(req, form))
File "/usr/lib/python2.4/site-packages/invenio/websubmit_webinterface.py", line 219, in getfile
    filelist = bibarchive.display("", args['version'], ln=ln, verbose=verbose)
File "/usr/lib/python2.4/site-packages/invenio/bibdocfile.py", line 587, in display
    ln=ln, display_hidden=display_hidden))
File "/usr/lib/python2.4/site-packages/invenio/bibdocfile.py", line 1224, in display
    version = int(version)
ValueError: invalid literal for int(): 1' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='


Best regards,
Theodoropoulos Theodoros
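
An added example, not part of the original message and not Invenio code: the traceback ends in `int(version)` being called on the raw query value, so a check placed before the handler can answer 400 for a malformed `version` and 403 for a listed agent instead of raising. The names `DENIED_AGENTS`, `parse_version` and `screen_request` are hypothetical, and treating `version` as ASCII digits only is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Agent string taken from the exception report; the set itself is hypothetical.
DENIED_AGENTS = {"czxt2s"}

# ASCII digits only. str.isdigit() would also accept characters such as
# SUPERSCRIPT TWO, which int() then rejects with the same ValueError.
_DIGITS = re.compile(r"[0-9]{1,9}")

# URI copied from the "uri:" field of the exception report.
REPORTED_URI = (
    "/record/113780/files/diplomatikh_androutsou_2009.pdf"
    "?version=1'%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20"
    "varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)"
    ">0%20and%20''='"
)


def parse_version(uri):
    """Return the version as an int, or None when the parameter is absent.

    Raises ValueError when the parameter is repeated, empty or not numeric.
    """
    query = urlsplit(uri).query
    values = parse_qs(query, keep_blank_values=True).get("version", [])
    if not values:
        return None
    if len(values) != 1 or not _DIGITS.fullmatch(values[0]):
        raise ValueError("malformed version parameter")
    return int(values[0])


def screen_request(uri, agent):
    """Return the HTTP status a pre-handler check would answer with."""
    if agent.strip().lower() in DENIED_AGENTS:
        return 403  # listed agent: refuse outright
    try:
        parse_version(uri)
    except ValueError:
        return 400  # bad input: client error, no exception report
    return 200


if __name__ == "__main__":
    print(screen_request(REPORTED_URI, "czxt2s"))       # listed agent
    print(screen_request(REPORTED_URI, "Mozilla/5.0"))  # same URI, other agent
```

The User-Agent header is chosen by the client, so the deny list only stops requests that keep sending that string; the parameter check is what removes the exception regardless of agent or IP.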
