Imported messages » comp.lang.php » What is this attack trying to do?
What is this attack trying to do? [message #178234] Wed, 23 May 2012 22:22
The Natural Philosoph
GET
mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,0x6d6567613964756d706572,0x6d65676131064756d706572

???

It doesn't do any damage but a botnet has been spraying a site with this.

--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.
Re: What is this attack trying to do? [message #178235 is a reply to message #178234] Wed, 23 May 2012 23:28
Robert Heller
At Thu, 24 May 2012 03:22:58 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:

>
> GET
> mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,0x6d6567613964756d706572,0x6d65676131064756d706572
>
> ???
>
> It doesn't do any damage but a botnet has been spraying a site with this.

There is probably some web software out there with a mycode.php with some
sort of security hole and the botnet is poking at every web host it can
find looking for a hole to crawl in. Botnets are not always smart and
sometimes just use 'mindless' brute force and keep pounding until
something gives...


--
Robert Heller -- 978-544-6933 / heller(at)deepsoft(dot)com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
Re: What is this attack trying to do? [message #178241 is a reply to message #178235] Thu, 24 May 2012 07:34
Thomas 'PointedEars'
Robert Heller wrote:

> The Natural Philosopher wrote:
>> GET
>> mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,0x6d6567613964756d706572,0x6d65676131064756d706572
>>
>> ???
>>
>> It doesn't do any damage but a botnet has been spraying a site with this.
>
> There is probably some websoftware out there with a mycode.php with some
> sort of security hole and the botnet is poking at every web host it can
> find looking for a hole to crawl in. Botnets are not always smart and
> sometimes just use 'mindless' brute force and keep pounding until
> something gives...

The security hole here probably includes a vulnerability to an SQL
injection attack, as the "UNION SELECT" produced from this query part by
urldecode() would suggest. A lot of information about this attack can be
found via Google, for example when using "0x6d6567613164756d706572" as
keyword.

<http://php.net/urldecode>


PointedEars
--
> If you get a bunch of authors […] that state the same "best practices"
> in any programming language, then you can bet who is wrong or right...
Not with javascript. Nonsense propagates like wildfire in this field.
-- Richard Cornford, comp.lang.javascript, 2011-11-14
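To see what the probe quoted above actually carries, here is an added example (not code from the thread or from any poster): a small Python scanner that picks UNION SELECT requests out of access-log lines, urldecodes the parameter as PointedEars suggests, and decodes each 0x... literal into the marker string it encodes. The log lines are constructed; the first carries the request from the thread with its hex literals rejoined across the post's line wraps.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines: the first is the probe quoted in the thread,
# the second a normal request for the same script.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2012:22:22:58 +0100] "GET /mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,0x6d6567613964756d706572,0x6d65676131064756d706572 HTTP/1.1" 200 5120
203.0.113.9 - - [23/May/2012:22:23:01 +0100] "GET /mycode.php?param=24 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
HEX_RE = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literal(digits):
    """Decode the digits of a 0x... literal the way MySQL treats it in a string
    context. Returns None when the digit count is odd (no whole bytes), which is
    the case for the last literal in the thread's probe."""
    if len(digits) % 2:
        return None
    return bytes.fromhex(digits).decode("ascii", errors="replace")


def analyse_query(target):
    """Inspect one request target. parse_qsl does the urldecoding ('+' -> space);
    every parameter carrying UNION SELECT yields one finding with the count of
    selected items (the attacker's guess at the column count) and the decoded
    markers, one per column, that would show up if the page echoed them."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query):
        if not UNION_RE.search(value):
            continue
        literals = HEX_RE.findall(value)
        markers = [decode_hex_literal(d) or "0x" + d for d in literals]
        findings.append({"param": name, "select_items": len(literals), "markers": markers})
    return findings


def scan_log(text):
    """Return one record per log line whose query string carries a UNION SELECT."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        for f in analyse_query(target):
            hits.append({"ip": ip, "status": int(status), **f})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["param"], hit["select_items"], hit["markers"])
```

Run against the sample, the probe decodes to the markers mega1dumper through mega9dumper, with the tenth literal left as-is because its digit count is odd.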
Re: What is this attack trying to do? [message #178245 is a reply to message #178235] Thu, 24 May 2012 10:40
Denis McMahon
On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:

> There is probably some websoftware out there with a mycode.php

A quick google suggests that some forum code (myBB) has a mycode.php.

Whether this is the target of the attack or not I have no idea.

Rgds

Denis McMahon
Re: What is this attack trying to do? [message #178250 is a reply to message #178245] Thu, 24 May 2012 17:50
The Natural Philosoph
Denis McMahon wrote:
> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>
>> There is probably some websoftware out there with a mycode.php
>
> A quick google suggests that some forum code (myBB) has a mycode.php.
>
> Whether this is the target of the attack or not I have no idea.
>
no, because mycode.php was just an example, not what the attack
actually called.


It called a valid page I had written. I tested the URL supplied and it
sent back the default page that happens when it didn't recognise the
parameter.


> Rgds
>
> Denis McMahon
>


Re: What is this attack trying to do? [message #178300 is a reply to message #178250] Wed, 30 May 2012 07:46
Captain Paralytic
On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
wrote:
> Denis McMahon wrote:
>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>
>>> There is probably some websoftware out there with a mycode.php
>
>> A quick google suggests that some forum code (myBB) has a mycode.php.
>
>> Whether this is the target of the attack or not I have no idea.
>
> no, because mycode.php was just an example, not what the attack
> actually called.
And how were we supposed to know that?
Re: What is this attack trying to do? [message #178302 is a reply to message #178300] Wed, 30 May 2012 08:20
The Natural Philosoph
Captain Paralytic wrote:
> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
> wrote:
>> Denis McMahon wrote:
>>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> There is probably some websoftware out there with a mycode.php
>>> A quick google suggests that some forum code (myBB) has a mycode.php.
>>> Whether this is the target of the attack or not I have no idea.
>> no, because mycode.php was just an example, not what the attack
>> actually called.
> And how were we supposed to know that?

I didn't think it was relevant. It was calling a random php script that
takes parameters.


Re: What is this attack trying to do? [message #178304 is a reply to message #178302] Wed, 30 May 2012 10:06
Robert Heller
At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:

>
> Captain Paralytic wrote:
>> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>> wrote:
>>> Denis McMahon wrote:
>>>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> > There is probably some websoftware out there with a mycode.php
>>>> A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> Whether this is the target of the attack or not I have no idea.
>>> no, because mycode.php was just an example, not what the attack
>>> actually called.
>> And how were we supposed to know that?
>
> I didn't think it was relevant. It was calling a random php script that
> takes parameters.

I suspect that the cracker botnet 'spiders' web sites looking for links
with URLs that match the RegEx pattern '.*\.php\?.*' and then create
'attack' URLs based on these URLs, but with crafted parameters that
probe for security holes or perform SQL Injections. The actual PHP
scripts being called are not particularly relevant. There might be
some well known PHP scripts or common script elements that have
possible security issues that people are 'recycling' in custom PHP
scripts and these crackers are looking for these scripts with their
botnet 'spiders' and are using a 'brute force' type of attack.



Re: What is this attack trying to do? [message #178305 is a reply to message #178304] Wed, 30 May 2012 10:28
The Natural Philosoph
Robert Heller wrote:
> At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>
>> Captain Paralytic wrote:
>>> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>>> wrote:
>>>> Denis McMahon wrote:
>>>> > On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> >> There is probably some websoftware out there with a mycode.php
>>>> > A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> > Whether this is the target of the attack or not I have no idea.
>>>> no, because mycode.php was just an example, not what the attack
>>>> actually called.
>>> And how were we supposed to know that?
>> I didn't think it was relevant. It was calling a random php script that
>> takes parameters.
>
> I suspect that the cracker botnet 'spiders' web sites looking for links
> with URLs that match the RegEx pattern '.*\.php\?.*' and then create
> 'attack' URLs based on these URLs, but with crafted parameters that
> probe for security holes or perform SQL Injections. The actual PHP
> scripts being called are not particularly relevant. There might be
> some well known PHP scripts or common script elements that have
> possible security issues that people are 'recycling' in custom PHP
> scripts and these crackers are looking for these scripts with their
> botnet 'spiders' and are using a 'brute force' type of attack.
>
>
I think that is probably the case.

"well known PHP scripts or common script elements that have
possible security issues that people are 'recycling'"

One good reason to roll your own. There may be bugs and security holes
but they aren't *well known* bugs and security holes.




Re: What is this attack trying to do? [message #178307 is a reply to message #178305] Wed, 30 May 2012 13:30
Robert Heller
At Wed, 30 May 2012 15:28:33 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:

>
> Robert Heller wrote:
>> At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>>
>>> Captain Paralytic wrote:
>>>> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>>>> wrote:
>>>> > Denis McMahon wrote:
>>>> >> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> >>> There is probably some websoftware out there with a mycode.php
>>>> >> A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> >> Whether this is the target of the attack or not I have no idea.
>>>> > no, because mycode.php was just an example, not what the attack
>>>> > actually called.
>>>> And how were we supposed to know that?
>>> I didn't think it was relevant. It was calling a random php script that
>>> takes parameters.
>>
>> I suspect that the cracker botnet 'spiders' web sites looking for links
>> with URLs that match the RegEx pattern '.*\.php\?.*' and then create
>> 'attack' URLs based on these URLs, but with crafted parameters that
>> probe for security holes or perform SQL Injections. The actual PHP
>> scripts being called are not particularly relevant. There might be
>> some well known PHP scripts or common script elements that have
>> possible security issues that people are 'recycling' in custom PHP
>> scripts and these crackers are looking for these scripts with their
>> botnet 'spiders' and are using a 'brute force' type of attack.
>>
>>
> I think that is probably the case.
>
> "well known PHP scripts or common script elements that have
> possible security issues that people are 'recycling'"
>
> One good reason to roll your own. There may be bugs and security holes
> but they aren't *well known* bugs and security holes.

And one should *always* bulletproof the code. ALWAYS sanitize parameters.
Prefer $_POST[] over $_GET[] where possible or sensible. Check the
referer where that makes sense. And so on.


Re: What is this attack trying to do? [message #178311 is a reply to message #178307] Wed, 30 May 2012 17:27
The Natural Philosoph
Robert Heller wrote:
> At Wed, 30 May 2012 15:28:33 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>
>> Robert Heller wrote:
>>> At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>>>
>>>> Captain Paralytic wrote:
>>>> > On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>>>> > wrote:
>>>> >> Denis McMahon wrote:
>>>> >>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>> >>>> There is probably some websoftware out there with a mycode.php
>>>> >>> A quick google suggests that some forum code (myBB) has a mycode.php.
>>>> >>> Whether this is the target of the attack or not I have no idea.
>>>> >> no, because mycode.php was just an example, not what the attack
>>>> >> actually called.
>>>> > And how were we supposed to know that?
>>>> I didn't think it was relevant. It was calling a random php script that
>>>> takes parameters.
>>> I suspect that the cracker botnet 'spiders' web sites looking for links
>>> with URLs that match the RegEx pattern '.*\.php\?.*' and then create
>>> 'attack' URLs based on these URLs, but with crafted parameters that
>>> probe for security holes or perform SQL Injections. The actual PHP
>>> scripts being called are not particularly relevant. There might be
>>> some well known PHP scripts or common script elements that have
>>> possible security issues that people are 'recycling' in custom PHP
>>> scripts and these crackers are looking for these scripts with their
>>> botnet 'spiders' and are using a 'brute force' type of attack.
>>>
>>>
>> I think that is probably the case.
>>
>> "well known PHP scripts or common script elements that have
>> possible security issues that people are 'recycling'"
>>
>> One good reason to roll your own. There may be bugs and security holes
>> but they aren't *well known* bugs and security holes.
>
> And one should *always* bulletproof the code. ALWAYS sanitize parameters.
> Prefer $_POST[] over $_GET[] where possible or sensible. Check the
> referer where that makes sense. And so on.
>
yeah right. As in the case I cited where the ONLY thing it does is
select from one of 47 possible news items.

You can do a huge amount of damage to a script like that.



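As an added example (not code from the thread or from any poster), here is the pattern Robert Heller warns about beside its hardened form, for a script like the one described in this thread that selects one of 47 news items by id. Python's sqlite3 stands in for the PHP/MySQL script, the news table is constructed, and the probe is the one quoted at the top of the thread with its hex literals rejoined.

```python
import sqlite3

# The probe quoted in the thread (hex literals rejoined across the post's line wraps).
PROBE = ("-24 UNION SELECT 0x6d6567613164756d706572,0x6d6567613264756d706572,"
         "0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,"
         "0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,"
         "0x6d6567613964756d706572,0x6d65676131064756d706572")

NEWS_ITEMS = 47  # the script in the thread picks one of 47 news items


def make_db():
    """In-memory stand-in for the news table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(i, f"news item {i}") for i in range(1, NEWS_ITEMS + 1)])
    return conn


def lookup_vulnerable(conn, param):
    """The pattern the thread warns about: the raw GET parameter is spliced into
    the SQL text. Returns ('rows', [...]) or ('sql_error', message), so the caller
    can see that the attacker's text reached the SQL parser at all; with this
    engine the probe fails on column count / literal size, but it was parsed."""
    try:
        rows = conn.execute(f"SELECT title FROM news WHERE id = {param}").fetchall()
        return ("rows", [r[0] for r in rows])
    except sqlite3.Error as e:
        return ("sql_error", str(e))


def lookup_hardened(conn, param):
    """Validate the parameter as a decimal integer within the range of news ids,
    then bind it; anything else falls back to the default page (None) and never
    reaches the database in any form."""
    try:
        item = int(param, 10)
    except (TypeError, ValueError):
        return None
    if not 1 <= item <= NEWS_ITEMS:
        return None
    row = conn.execute("SELECT title FROM news WHERE id = ?", (item,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "24"), lookup_vulnerable(db, PROBE)[0])
    print(lookup_hardened(db, "24"), lookup_hardened(db, PROBE))
```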