| What is this attack trying to do? [message #178234] |
Thu, 24 May 2012 02:22  |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
GET
mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d656761326475 6d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d656761356475 6d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d656761386475 6d706572,0x6d6567613964756d706572,0x6d65676131064756d706572
???
It doesn't do any damage but a botnet has been spraying a site with this.
--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.
|
|
|
|
| Re: What is this attack trying to do? [message #178235 is a reply to message #178234] |
Thu, 24 May 2012 03:28  |
Robert Heller
Messages: 60
Registered: December 2010
Karma: 0
|
Member |
|
|
At Thu, 24 May 2012 03:22:58 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>
> GET
> mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d656761326475 6d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d656761356475 6d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d656761386475 6d706572,0x6d6567613964756d706572,0x6d65676131064756d706572
>
> ???
>
> It doesn't do any damage but a botnet has been spraying a site with this.
There is probably some websoftware out there with a mycode.php with some
sort of security hole and the botnet is poking at every web host it can
find looking for a hole to crawl in. Botnets are not always smart and
sometimes just use 'mindless' brute force and keep pounding until
something gives...
>
--
Robert Heller -- 978-544-6933 / heller(at)deepsoft(dot)com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
|
|
|
|
| Re: What is this attack trying to do? [message #178241 is a reply to message #178235] |
Thu, 24 May 2012 11:34 |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Robert Heller wrote:
> The Natural Philosopher wrote:
>> GET
>>
mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d656761326475 6d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d656761356475 6d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d656761386475 6d706572,0x6d6567613964756d706572,0x6d65676131064756d706572
>>
>> ???
>>
>> It doesn't do any damage but a botnet has been spraying a site with this.
>
> There is probably some websoftware out there with a mycode.php with some
> sort of security hole and the botnet is poking at every web host it can
> find looking for a hole to crawl in. Botnets are not always smart and
> sometimes just use 'mindless' brute force and keep pounding until
> something gives...
The security hole here probably includes a vulnerability to an SQL
injection attack, as the "UNION SELECT" produced from this query part by
urldecode()d would suggest. A lot of information about this attack can be
found via Google, for example when using "0x6d6567613164756d706572" as
keyword.
<http://php.net/urldecode>
PointedEars
--
> If you get a bunch of authors […] that state the same "best practices"
> in any programming language, then you can bet who is wrong or right...
Not with javascript. Nonsense propagates like wildfire in this field.
-- Richard Cornford, comp.lang.javascript, 2011-11-14
|
|
|
|
| Re: What is this attack trying to do? [message #178245 is a reply to message #178235] |
Thu, 24 May 2012 14:40 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
> There is probably some websoftware out there with a mycode.php
A quick google suggests that some forum code (myBB) has a mycode.php.
Whether this is the target of the attack or not I have no idea.
Rgds
Denis McMahon
|
|
|
|
| Re: What is this attack trying to do? [message #178250 is a reply to message #178245] |
Thu, 24 May 2012 21:50 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
Denis McMahon wrote:
> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>
>> There is probably some websoftware out there with a mycode.php
>
> A quick google suggests that some forum code (myBB) has a mycode.php.
>
> Whether this is the target of the attack or not I have no idea.
>
no, because mnycode.php was just and example not what the attack
actually called.
It called a valid page I had written. I tested the URL supplied and it -
sent back the default page that happens when it didn't recognise the
parameter.
> Rgds
>
> Denis McMahon
>
--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.
|
|
|
|
| Re: What is this attack trying to do? [message #178300 is a reply to message #178250] |
Wed, 30 May 2012 11:46 |
Captain Paralytic
Messages: 204
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
wrote:
> Denis McMahon wrote:
>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>
>>> There is probably some websoftware out there with a mycode.php
>
>> A quick google suggests that some forum code (myBB) has a mycode.php.
>
>> Whether this is the target of the attack or not I have no idea.
>
> no, because mnycode.php was just and example not what the attack
> actually called.
And how were we supposed to know that?
|
|
|
|
| Re: What is this attack trying to do? [message #178302 is a reply to message #178300] |
Wed, 30 May 2012 12:20 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
Captain Paralytic wrote:
> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
> wrote:
>> Denis McMahon wrote:
>>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> There is probably some websoftware out there with a mycode.php
>>> A quick google suggests that some forum code (myBB) has a mycode.php.
>>> Whether this is the target of the attack or not I have no idea.
>> no, because mnycode.php was just and example not what the attack
>> actually called.
> And how were we supposed to know that?
I didn't think it was relevant. It was calling a random php script that
takes parameters.
--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.
|
|
|
|
| Re: What is this attack trying to do? [message #178304 is a reply to message #178302] |
Wed, 30 May 2012 14:06 |
Robert Heller
Messages: 60
Registered: December 2010
Karma: 0
|
Member |
|
|
At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>
> Captain Paralytic wrote:
>> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>> wrote:
>>> Denis McMahon wrote:
>>>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> > There is probably some websoftware out there with a mycode.php
>>>> A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> Whether this is the target of the attack or not I have no idea.
>>> no, because mnycode.php was just and example not what the attack
>>> actually called.
>> And how were we supposed to know that?
>
> I didn't think it was relevant. It was calling a random php script that
> takes parameters.
I suspect that the cracker botnet 'spiders' web sites looking for links
with URLs that match the RegEx pattern '.*\.php\?.*' and then create
'attack' URLs based on these URLs, but with crafted parameters that
probe for security holes or perform SQL Injections. The actual PHP
scripts being called are not partitularly relevant. There might be
some well known PHP scripts or common script elements that have
possible security issues that people are 'recycling' in custom PHP
scripts and these crackers are looking for these scripts with their
botnet 'spiders' and are using a 'brute force' type of attack.
>
>
--
Robert Heller -- 978-544-6933 / heller(at)deepsoft(dot)com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
|
|
|
|
| Re: What is this attack trying to do? [message #178305 is a reply to message #178304] |
Wed, 30 May 2012 14:28 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
Robert Heller wrote:
> At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>
>> Captain Paralytic wrote:
>>> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>>> wrote:
>>>> Denis McMahon wrote:
>>>> > On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> >> There is probably some websoftware out there with a mycode.php
>>>> > A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> > Whether this is the target of the attack or not I have no idea.
>>>> no, because mnycode.php was just and example not what the attack
>>>> actually called.
>>> And how were we supposed to know that?
>> I didn't think it was relevant. It was calling a random php script that
>> takes parameters.
>
> I suspect that the cracker botnet 'spiders' web sites looking for links
> with URLs that match the RegEx pattern '.*\.php\?.*' and then create
> 'attack' URLs based on these URLs, but with crafted parameters that
> probe for security holes or perform SQL Injections. The actual PHP
> scripts being called are not partitularly relevant. There might be
> some well known PHP scripts or common script elements that have
> possible security issues that people are 'recycling' in custom PHP
> scripts and these crackers are looking for these scripts with their
> botnet 'spiders' and are using a 'brute force' type of attack.
>
>
I think that is probably the case.
"well known PHP scripts or common script elements that have
possible security issues that people are 'recycling'"
One good reason to roll your own. There may be bugs and security holes
but they aren't *well known* bugs and security holes.
>>
>
--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.
|
|
|
|
| Re: What is this attack trying to do? [message #178307 is a reply to message #178305] |
Wed, 30 May 2012 17:30 |
Robert Heller
Messages: 60
Registered: December 2010
Karma: 0
|
Member |
|
|
At Wed, 30 May 2012 15:28:33 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>
> Robert Heller wrote:
>> At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>>
>>> Captain Paralytic wrote:
>>>> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>>>> wrote:
>>>> > Denis McMahon wrote:
>>>> >> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> >>> There is probably some websoftware out there with a mycode.php
>>>> >> A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> >> Whether this is the target of the attack or not I have no idea.
>>>> > no, because mnycode.php was just and example not what the attack
>>>> > actually called.
>>>> And how were we supposed to know that?
>>> I didn't think it was relevant. It was calling a random php script that
>>> takes parameters.
>>
>> I suspect that the cracker botnet 'spiders' web sites looking for links
>> with URLs that match the RegEx pattern '.*\.php\?.*' and then create
>> 'attack' URLs based on these URLs, but with crafted parameters that
>> probe for security holes or perform SQL Injections. The actual PHP
>> scripts being called are not partitularly relevant. There might be
>> some well known PHP scripts or common script elements that have
>> possible security issues that people are 'recycling' in custom PHP
>> scripts and these crackers are looking for these scripts with their
>> botnet 'spiders' and are using a 'brute force' type of attack.
>>
>>
> I think that is probably the case.
>
> "well known PHP scripts or common script elements that have
> possible security issues that people are 'recycling'"
>
> One good reason to roll your own. There may be bugs and security holes
> but they aren't *well known* bugs and security holes.
And one should *allways* bulletprof the code. ALLWAYS sanitize parameters.
Prefer $_POST[] over $_GET[] where possible or sensible. Check the
referer where that makes sense. And so on.
>
>
>>>
>>
>
>
--
Robert Heller -- 978-544-6933 / heller(at)deepsoft(dot)com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
|
|
|
|
| Re: What is this attack trying to do? [message #178311 is a reply to message #178307] |
Wed, 30 May 2012 21:27 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
Robert Heller wrote:
> At Wed, 30 May 2012 15:28:33 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>
>> Robert Heller wrote:
>>> At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>>>
>>>> Captain Paralytic wrote:
>>>> > On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>>>> > wrote:
>>>> >> Denis McMahon wrote:
>>>> >>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> >>>> There is probably some websoftware out there with a mycode.php
>>>> >>> A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> >>> Whether this is the target of the attack or not I have no idea.
>>>> >> no, because mnycode.php was just and example not what the attack
>>>> >> actually called.
>>>> > And how were we supposed to know that?
>>>> I didn't think it was relevant. It was calling a random php script that
>>>> takes parameters.
>>> I suspect that the cracker botnet 'spiders' web sites looking for links
>>> with URLs that match the RegEx pattern '.*\.php\?.*' and then create
>>> 'attack' URLs based on these URLs, but with crafted parameters that
>>> probe for security holes or perform SQL Injections. The actual PHP
>>> scripts being called are not partitularly relevant. There might be
>>> some well known PHP scripts or common script elements that have
>>> possible security issues that people are 'recycling' in custom PHP
>>> scripts and these crackers are looking for these scripts with their
>>> botnet 'spiders' and are using a 'brute force' type of attack.
>>>
>>>
>> I think that is probably the case.
>>
>> "well known PHP scripts or common script elements that have
>> possible security issues that people are 'recycling'"
>>
>> One good reason to roll your own. There may be bugs and security holes
>> but they aren't *well known* bugs and security holes.
>
> And one should *allways* bulletprof the code. ALLWAYS sanitize parameters.
> Prefer $_POST[] over $_GET[] where possible or sensible. Check the
> referer where that makes sense. And so on.
>
yeah right. As in the case I cited where the ONLY thing it does is
select from one of 47 possible news items.
You can do a huge amount of damage to a script like that.
>>
>>
>
--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]