Re: [PHP] Am I being hacked?
> I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this
>
> declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>
> I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about?

Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.

--
Richard Heyes
HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.net (Updated March 28th)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Am I being hacked?
On Wed, Apr 8, 2009 at 9:23 AM, Richard Heyes rich...@php.net wrote:
>> I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this
>>
>> declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>
>> I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about?
>
> Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.

It's probably someone testing to see if your site is running SQL Server and is vulnerable to SQL injection. Effectively all it does is issue the command WAITFOR DELAY '00:00:10', telling the server to wait for 10 seconds before allowing the connection to continue.

Andrew
RE: [PHP] Am I being hacked?
> On Behalf Of Richard Heyes
>
>> I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this
>>
>> declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>
>> I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about?
>
> Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.

Let me see if I got this right. The data you got from the form tries to set up a local variable, assigns it a hex string as a value, then tries to execute it. That definitely looks like an attempt to crack your server. It looks like the semi-colons were removed somewhere, so none of it actually runs. But you would probably need a set of disassemblers to find out what CPU that code was written for and what it actually does.

Next question: You said there are multiple comments like this. How do they differ, if they do? Possibly they are trying code for different CPUs. Did you trace these back to the logs to see if they all come from one IP or subnet? Is there anywhere to report these attempts that would actually do any good, or should you just ban that IP?

But this one goes into my journal as something to be prepared for.

Bob McConnell
Re: [PHP] Am I being hacked?
On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell r...@cbord.com wrote:
>> On Behalf Of Richard Heyes
>>
>>> I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this
>>>
>>> declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>>
>>> I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about?
>>
>> Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.
>
> Let me see if I got this right. The data you got from the form tries to set up a local variable, assigns it a hex string as a value, then tries to execute it. That definitely looks like an attempt to crack your server. It looks like the semi-colons were removed somewhere, so none of it actually runs. But you would probably need a set of disassemblers to find out what CPU that code was written for and what it actually does.
>
> Next question: You said there are multiple comments like this. How do they differ, if they do? Possibly they are trying code for different CPUs. Did you trace these back to the logs to see if they all come from one IP or subnet? Is there anywhere to report these attempts that would actually do any good, or should you just ban that IP?
>
> But this one goes into my journal as something to be prepared for.

I think the danger these codes have should be discussed well. And how to resist such attacks in your server and apps should also be discussed in greater depth.

regards
Lenin
www.twitter.com/nine_L
Re: [PHP] Am I being hacked?
2009/4/8 9el le...@phpxperts.net:
> On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell r...@cbord.com wrote:
>>> On Behalf Of Richard Heyes
>>>
>>>> I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this
>>>>
>>>> declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>>>
>>>> I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about?
>>>
>>> Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.
>>
>> Let me see if I got this right. The data you got from the form tries to set up a local variable, assigns it a hex string as a value, then tries to execute it. That definitely looks like an attempt to crack your server. It looks like the semi-colons were removed somewhere, so none of it actually runs. But you would probably need a set of disassemblers to find out what CPU that code was written for and what it actually does.
>>
>> Next question: You said there are multiple comments like this. How do they differ, if they do? Possibly they are trying code for different CPUs. Did you trace these back to the logs to see if they all come from one IP or subnet? Is there anywhere to report these attempts that would actually do any good, or should you just ban that IP?
>>
>> But this one goes into my journal as something to be prepared for.
>
> I think the danger these codes have should be discussed well. And how to resist such attacks in your server and apps should also be discussed in greater depth.
>
> regards
> Lenin
> www.twitter.com/nine_L

I just googled for that string. Seems like you are not the only victim. Sadly, I can't give you any more advice.

--
Currently developing a browsergame...
http://www.p-game.de
Trade - Expand - Fight
Follow me on twitter! http://twitter.com/moortier
Re: [PHP] Am I being hacked?
On Wed, Apr 8, 2009 at 10:04 AM, Bob McConnell r...@cbord.com wrote:
>> On Behalf Of Richard Heyes
>>
>>> I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this
>>>
>>> declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>>
>>> I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about?
>>
>> Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.
>
> Let me see if I got this right. The data you got from the form tries to set up a local variable, assigns it a hex string as a value, then tries to execute it. That definitely looks like an attempt to crack your server. It looks like the semi-colons were removed somewhere, so none of it actually runs. But you would probably need a set of disassemblers to find out what CPU that code was written for and what it actually does.
>
> Next question: You said there are multiple comments like this. How do they differ, if they do? Possibly they are trying code for different CPUs. Did you trace these back to the logs to see if they all come from one IP or subnet? Is there anywhere to report these attempts that would actually do any good, or should you just ban that IP?
>
> But this one goes into my journal as something to be prepared for.
>
> Bob McConnell

You don't need a disassembler; I already said what that string is intended to do. If it is allowed to run on Microsoft's SQL Server, the hex value is implicitly converted to the string WAITFOR DELAY '00:00:10', which is then executed. It doesn't require semi-colons, as SQL Server doesn't need them between statements. This particular command is relatively harmless by itself. Its value lies in the fact that if it causes the resulting page to take more than 10 seconds to load, the attacker knows that your page is wide open to SQL injection as well as knowing that he can execute anything he wants.

If you're running MySQL, this won't work so you should be unaffected. Just make sure your code is written to prevent SQL injection and you should be fine. I suppose if you get a lot of these requests from the same IP address you could have the web server block requests from that IP.

Andrew
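As an added example (not code from the thread or from any poster), a Python check that recovers the statement hidden in the 0x... literal Andrew describes, flags the T-SQL pieces a comment form should never receive, and extracts the delay so the response-time threshold worth alerting on is known; the sample comments are constructed here.

```python
import re

# Constructed sample input: the comment quoted in this thread plus two
# benign comments, one of which contains an ordinary hex number.
SAMPLE_COMMENTS = [
    "declare @q varchar(8000) select @q = "
    "0x57414954464F522044454C4159202730303A30303A313027 exec(@q)",
    "Great post, thanks for sharing!",
    "My order id is 0x1F4 and it still has not shipped",
]

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})\b")
# T-SQL pieces seen in the probe: a variable declaration, a dynamic exec()
# and the time-delay statement hidden inside the hex literal.
TSQL_MARKERS = re.compile(r"(declare\s+@|\bexec(?:ute)?\s*\(|\bwaitfor\s+delay\b)", re.I)
DELAY = re.compile(r"waitfor\s+delay\s+'(\d{2}):(\d{2}):(\d{2})'", re.I)


def decode_hex_literals(text):
    """Return the printable strings hidden in 0x... literals, which SQL
    Server would implicitly convert to varchar before exec() runs them."""
    found = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:  # odd digit count: a plain number, not a byte string
            continue
        payload = bytes.fromhex(digits).decode("ascii", errors="replace")
        if payload.isprintable():
            found.append(payload)
    return found


def probe_delay_seconds(text):
    """Seconds a WAITFOR DELAY probe would stall the query. The sender's only
    feedback is whether the page took at least this long to load, so this is
    the response-time threshold worth alerting on."""
    best = 0
    for payload in [text] + decode_hex_literals(text):
        for h, m, s in DELAY.findall(payload):
            best = max(best, int(h) * 3600 + int(m) * 60 + int(s))
    return best


def classify_comment(text):
    """Describe why a submission looks like a SQL Server injection probe."""
    hidden = decode_hex_literals(text)
    markers = {m.group(0).lower() for p in [text] + hidden
               for m in TSQL_MARKERS.finditer(p)}
    return {"hidden_statements": hidden, "markers": sorted(markers),
            "delay_seconds": probe_delay_seconds(text), "suspicious": bool(markers)}
```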
RE: [PHP] Am I being hacked?
Looks like an attempt to get your SQL server to execute a command. Microsoft SQL Server will do that (among others), and if not properly set up can do it with root access. If you don't properly escape and store this comment in a database, it could execute (called SQL injection, no?).

Warren Vail

-----Original Message-----
From: Yannick Mortier [mailto:mvmort...@googlemail.com]
Sent: Wednesday, April 08, 2009 8:07 AM
To: 9el
Cc: Bob McConnell; Richard Heyes; julian haffegee; PHP Mailing List
Subject: Re: [PHP] Am I being hacked?

> 2009/4/8 9el le...@phpxperts.net:
>> On Wed, Apr 8, 2009 at 8:04 PM, Bob McConnell r...@cbord.com wrote:
>>>> On Behalf Of Richard Heyes
>>>>
>>>>> I set up a simple form to save comments on my webpage, and after just one day of going live, I'm getting weird comments up like this
>>>>>
>>>>> declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>>>>>
>>>>> I don't recognise this code - is this an attempt to do something nefarious, or nothing I should worry about?
>>>>
>>>> Looks like it may be. As long as you escape your SQL correctly using mysql_real_escape_string() or the equivalent, you should be OK.
>>>
>>> Let me see if I got this right. The data you got from the form tries to set up a local variable, assigns it a hex string as a value, then tries to execute it. That definitely looks like an attempt to crack your server. It looks like the semi-colons were removed somewhere, so none of it actually runs. But you would probably need a set of disassemblers to find out what CPU that code was written for and what it actually does.
>>>
>>> Next question: You said there are multiple comments like this. How do they differ, if they do? Possibly they are trying code for different CPUs. Did you trace these back to the logs to see if they all come from one IP or subnet? Is there anywhere to report these attempts that would actually do any good, or should you just ban that IP?
>>>
>>> But this one goes into my journal as something to be prepared for.
>>
>> I think the danger these codes have should be discussed well. And how to resist such attacks in your server and apps should also be discussed in greater depth.
>>
>> regards
>> Lenin
>> www.twitter.com/nine_L
>
> I just googled for that string. Seems like you are not the only victim. Sadly, I can't give you any more advice.
Re: [PHP] Am I being hacked?
Andrew Ballard wrote:
> You don't need a disassembler; I already said what that string is intended to do. If it is allowed to run on Microsoft's SQL Server, the hex value is implicitly converted to the string WAITFOR DELAY '00:00:10', which is then executed. It doesn't require semi-colons, as SQL Server doesn't need them between statements. This particular command is relatively harmless by itself. Its value lies in the fact that if it causes the resulting page to take more than 10 seconds to load, the attacker knows that your page is wide open to SQL injection as well as knowing that he can execute anything he wants.
>
> If you're running MySQL, this won't work so you should be unaffected. Just make sure your code is written to prevent SQL injection and you should be fine.

Would doing all SQL queries via PEAR MDB2 prepare() and execute() prevent SQL injection, or do other SQL injection steps need to be taken when using PEAR MDB2?
Re: [PHP] Am I being hacked?
On Wed, Apr 8, 2009 at 12:05 PM, Michael A. Peters mpet...@mac.com wrote:
> Andrew Ballard wrote:
>> You don't need a disassembler; I already said what that string is intended to do. If it is allowed to run on Microsoft's SQL Server, the hex value is implicitly converted to the string WAITFOR DELAY '00:00:10', which is then executed. It doesn't require semi-colons, as SQL Server doesn't need them between statements. This particular command is relatively harmless by itself. Its value lies in the fact that if it causes the resulting page to take more than 10 seconds to load, the attacker knows that your page is wide open to SQL injection as well as knowing that he can execute anything he wants.
>>
>> If you're running MySQL, this won't work so you should be unaffected. Just make sure your code is written to prevent SQL injection and you should be fine.
>
> Would doing all SQL queries via PEAR MDB2 prepare() and execute() prevent SQL injection, or do other SQL injection steps need to be taken when using PEAR MDB2?

I'm not very familiar with the PEAR libraries, but the approach is a good one. A good library will either pass the query off as a prepared statement with parameters to the database (if supported) or else will perform parameter substitution that should use mysql_real_escape_string() or similar functions to build a statement that should be safe to execute.

The fact that you see these strings in the correct database field is a good sign, because they were correctly interpreted as string input and inserted rather than being interpreted as statements and executed. Just don't use this as a litmus test for your site's overall security.

Andrew
Re: [PHP] Am I being Hacked ???
Hi Mark,

408 is an HTTP status code meaning Request Timeout. The excerpt from RFC 2616 is:

  408 Request Timeout
  The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time.

Do you have lots of this? If just a few I wouldn't say it's an attack but a problem from the person making the request.

Sean C. McCarthy
SCI, SL (www.sci-spain.com)

Mark Lo wrote:
> Hi,
>
> My Apache log files contain the following log info sent from my desktop to my server, which is hosted at a remote data center. I am wondering, am I being hacked?? Is there something wrong in my Apache server??
>
> 203.218.49.24 - - [07/Aug/2001:22:04:52 +0800] - 408 - - - -
> 203.218.49.24 - - [07/Aug/2001:22:04:55 +0800] - 408 - - - -
> 203.218.49.24 - - [07/Aug/2001:22:04:56 +0800] - 408 - - - -
> 203.218.49.24 - - [07/Aug/2001:22:04:56 +0800] - 408 - - - -
>
> Thanks
> Mark
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
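An added example, not code from the thread or from either poster: a Python parser for the log lines Mark quoted that counts 408s per client inside a time window, so the "just a few" case Sean describes can be separated from a burst worth a closer look; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four log lines quoted in Mark's message; the request column is "-"
# because a 408 is logged when the client never sent a request line.
SAMPLE_LOG = """\
203.218.49.24 - - [07/Aug/2001:22:04:52 +0800] - 408 - - - -
203.218.49.24 - - [07/Aug/2001:22:04:55 +0800] - 408 - - - -
203.218.49.24 - - [07/Aug/2001:22:04:56 +0800] - 408 - - - -
203.218.49.24 - - [07/Aug/2001:22:04:56 +0800] - 408 - - - -
"""

# client ident user [timestamp] request status ...; the request may be a
# quoted string or "-" when the client never sent one (the 408 case).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] (?:"[^"]*"|-) (\d{3})')


def parse(log):
    """Yield (client_ip, timestamp, status) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, int(m.group(3))


def timeout_bursts(log, threshold=3, window=timedelta(seconds=60)):
    """Map client IP -> largest number of 408s it produced inside `window`,
    for clients reaching `threshold` (both values are assumed defaults).
    A couple from one client is usually a stalled browser; many in a short
    window is worth investigating."""
    by_ip = defaultdict(list)
    for ip, ts, status in parse(log):
        if status == 408:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over sorted timestamps
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```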