Aug 22, 2008

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST

The latest hack running right now is an injection attempt using a string like this:

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);

This is a bot attack and is coming from everywhere.
They come in two at a time from the same IP.

They are trying to inject some code into your site to display an iframe that will take people to another site. It doesn't look like they are attacking PHP; they are attacking ASP, ColdFusion and Perl. See more here: isc.sans.org

Also see this post, which recommends:


# Rule quoted from the linked post: refuse requests whose path contains the SQL keywords.
# [NC] makes both matches case-insensitive; the final condition must not end in [OR].
# Caveat: %{REQUEST_URI} is the path only, so injected GET parameters need %{QUERY_STRING} tested as well.
RewriteCond %{REQUEST_URI} ^(.*)CAST(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)DECLARE(.*) [NC]
RewriteRule .* - [F]

But a better page on how to block this by .htaccess is located here.


They are also scanning for a delay in page return, so any script that sleeps when it detects a hack must have the sleep removed, or they will come back and hit you harder.


The hits alone will bring your server down if you try to ban all the IPs being used, so I have modified the hacker modules.

Update: the modified hacker modules are here.




You will also want to download your databases and scan them for IFRAMEs and JavaScript.
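The request above hides its SQL behind two layers of encoding (URL-encoding of the request, then a hex literal inside CAST), so a log check has to decode both before it can see what the bot wants to run. The following is an added example, not code from this post: it scans constructed access-log lines for the DECLARE/CAST/EXEC signature, decodes the hex payload for inspection, flags decoded SQL that carries iframe or script tags, and counts hits per source IP; it also accepts NCHAR/NVARCHAR variants (UTF-16LE payloads), which goes beyond the CHAR(4000) form shown here.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Signature of the encoded injection in the post: DECLARE a CHAR variable, SET it from
# a hex literal via CAST, then EXEC it. The N? prefix also covers NCHAR/NVARCHAR variants
# (UTF-16LE payload); that is a generalization, not something shown in the post.
INJECTION_RE = re.compile(
    r"DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\(\d+\);\s*SET\s+@\w+\s*=\s*"
    r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\(\d+\)\);\s*EXEC\(@\w+\)",
    re.IGNORECASE,
)
HTML_RE = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)

def decode_payload(hex_blob: str, unicode_type: bool) -> str:
    """Turn the CAST hex literal back into the SQL statement the bot wants executed."""
    raw = bytes.fromhex(hex_blob)
    return raw.decode("utf-16-le" if unicode_type else "latin-1", errors="replace")

def analyze_request(log_line: str):
    """Return a finding for one access-log line, or None if the signature is absent."""
    ip = log_line.split(" ", 1)[0]
    m = re.search(r'"(?:GET|POST) ([^ "]+)', log_line)
    if not m:
        return None
    request = unquote(m.group(1))          # layer 1: undo %20 and friends
    hit = INJECTION_RE.search(request)
    if not hit:
        return None
    sql = decode_payload(hit.group(1), bool(hit.group(2)))  # layer 2: undo the hex literal
    return {"ip": ip, "decoded_sql": sql, "injects_html": bool(HTML_RE.search(sql))}

def scan_log(lines):
    """Flag injection attempts and count hits per source IP (the post notes pairs per IP)."""
    findings = [f for f in map(analyze_request, lines) if f]
    return findings, Counter(f["ip"] for f in findings)

# Constructed sample log lines (not from the post). The hex blob encodes a harmless
# placeholder statement so the decoding step has something to show.
PLACEHOLDER_SQL = "UPDATE t SET c=c+'<iframe src=\"http://placeholder.invalid/\"></iframe>'"
HEX_BLOB = PLACEHOLDER_SQL.encode("ascii").hex().upper()
ATTACK = ("/page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + HEX_BLOB
          + "%20AS%20CHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    f'203.0.113.5 - - [22/Aug/2008:10:01:02 +0000] "GET {ATTACK} HTTP/1.1" 200 512',
    f'203.0.113.5 - - [22/Aug/2008:10:01:03 +0000] "GET {ATTACK} HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Aug/2008:10:02:00 +0000] "GET /index.php?q=cast+iron HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    found, per_ip = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], "->", f["decoded_sql"], "(injects HTML)" if f["injects_html"] else "")
    print(dict(per_ip))
```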

5 comments:

Anonymous said...

Our website is bombarded by this hack. The IP address is:
69.249.95.147 - Whois Information

OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US

NetRange: 69.240.0.0 - 69.255.255.255
CIDR: 69.240.0.0/12
NetName: JUMPSTART-4
NetHandle: NET-69-240-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: DNS101.COMCAST.NET
NameServer: DNS102.COMCAST.NET
Comment:
RegDate: 2004-02-11
Updated: 2007-11-19

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse@comcast.net

Log files are sent to Comcast.

Rixstep said...

It's not just good old Comcast. It's all over the bloody place.

http://rixstep.com/1/1/0/20080822,00.shtml

And that's just for one day.

Anonymous said...

Mine's getting these too, from 79.80.155.16. WHOIS says:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 79.0.0.0 - 79.255.255.255
CIDR: 79.0.0.0/8
NetName: 79-RIPE
NetHandle: NET-79-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2006-08-29
Updated: 2006-09-07

Paul Zagoridis said...

The link at http://www.0x000000.com/?i=567 doesn't work. Do you have something else to search for?

IKillSpammerz said...

There is anecdotal evidence pointing to these scans being perpetrated by individual bots infected with the Storm Worm.

They will attempt any type of exploit. They range from a test to see if you're using CGI mailing scripts, to .NET exploits, SQL injections (of which this is only one example), WordPress exploits, unpatched old Apache exploits, etc. They typically try only one attack type at a time. This particular one for some reason is always attempted twice.

The Storm Worm is tied to the group known as the Russian Business Network (aka: RBN), and they are renowned for abusing numerous systems in a very large number of ways. (Most recently they've started performing ftp hijacks of sites and using them as hosts for further Storm infections, and redirects to the illegal "Canadian Pharmacy" range of websites.)

Somebody has to shut this group down.

SiL / IKS / concerned citizen