A SQL Injection Attack Attempt - An Investigation


This morning I found 3 very peculiar entries in my website's web log. All 3 look like the following:

SOME_URL_ON_MY_SITE?;DECLARE%20@S%20CHAR(4000);SET%2…

For now forgive me for not showing the complete entry. At first I was very worried: is my website hacked? I am still able to log in and view posts. OK, maybe the attack was not successful. I thought I would leave for work and worry about this later. Did I say all 3 of these are from the same IP address?

This evening, after I returned from work, I found 2 more such entries, but from a different IP. This is when I started getting more curious. I found that the 2 IP addresses from which they tried to hack my blog are from China. I did a WHOIS lookup on these 2 IP addresses and strangely found them belonging to the same organization. I googled the organization and found it to be an ISP provider in China.

Next I started looking into the code: the attacker tried inserting a js file into webpages. I tried opening that js file, but Firefox warned me it's a malicious site. Yes, I know that, but I am interested in looking at the js file.

Firefox Warning Message

So I clicked “Ignore this warning”, but unfortunately I got “Network Timeout”, “The server at SERVER_NAME is taking too long to respond.”

So I clicked “Why was this site blocked?” and got the following info:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, www3.800mg.cn/csrss/ appeared to function as an intermediary for the infection of 142 site(s) including winezap.com, nitevibe.com, clarkstationery.com.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 333 domain(s), including rupalisite.com, bsmhoustonarea.org, pdxguide.com.
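
The log triage this post walks through (spotting requests whose query string carries the `;DECLARE @S CHAR(4000);SET` batch and grouping them by source IP), as an added example that is not part of the original post. The log lines and IP addresses are constructed, `PLACEHOLDER` stands in for the part of the entry the post does not show, and the pattern is generalized to any variable name and CHAR/VARCHAR/NVARCHAR width, which is an assumption beyond the one entry shown.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). The IPs are documentation
# addresses; PLACEHOLDER replaces the payload the post leaves out.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2008:06:12:01 +0000] "GET /SOME_URL_ON_MY_SITE?;DECLARE%20@S%20CHAR(4000);SET%20PLACEHOLDER HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2008:06:12:03 +0000] "GET /SOME_URL_ON_MY_SITE?;declare%20@s%20char(4000);set%20PLACEHOLDER HTTP/1.1" 200 5120
198.51.100.23 - - [01/Jan/2008:18:40:10 +0000] "GET /SOME_URL_ON_MY_SITE?%3BDECLARE%2520@S%2520CHAR(4000)%3BSET%2520PLACEHOLDER HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2008:18:41:00 +0000] "GET /SOME_URL_ON_MY_SITE?id=7 HTTP/1.1" 200 4096
192.0.2.44 - - [01/Jan/2008:18:42:00 +0000] "GET /search?q=declare+independence HTTP/1.1" 200 2048
"""

# Client IP and request target from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)')
# A stacked T-SQL batch: ";DECLARE @var CHAR(n);SET", case-insensitive.
BATCH_RE = re.compile(
    r";\s*DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*;\s*SET\b", re.I)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded requests are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_hits(log_text):
    """Return {source_ip: [request targets]} for requests carrying the batch."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.group(1), m.group(2)
        query = target.partition("?")[2]
        if BATCH_RE.search(fully_decode(query)):
            hits[ip].append(target)
    return dict(hits)


if __name__ == "__main__":
    for ip, targets in suspicious_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(targets)} suspicious request(s)")
```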

3 Responses to “A SQL Injection Attack Attempt - An Investigation”

  1. steven Says:

    This isn't really an injection attack.
    This is an XSS attack.

    An injection attack would be the modification/destruction of database data. He/she merely performed a regular insert that, when presented to the web browser, would send the browser somewhere bad.

  2. admin Says:

    Hi Steven,
    He was trying to inject SQL, so that after successful injection, all the pages retrieved from the database would have his JavaScript code in them. So it is attempting an XSS attack by injecting SQL.

  3. Steven Says:

    Yes, but the attacker was not exploiting poorly done SQL/database handling; he was exploiting the input validation on HTML, which affects the browser
    = XSS attack
