
What is this attack trying to do?


The Natural Philosopher

May 23, 2012, 10:22:58 PM
GET
mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,0x6d6567613964756d706572,0x6d65676131064756d706572

???

It doesn't do any damage but a botnet has been spraying a site with this.

--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.

Robert Heller

May 23, 2012, 11:28:33 PM
At Thu, 24 May 2012 03:22:58 +0100 The Natural Philosopher <t...@invalid.invalid> wrote:

>
> GET
> mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,0x6d6567613964756d706572,0x6d65676131064756d706572
>
> ???
>
> It doesn't do any damage but a botnet has been spraying a site with this.

There is probably some web software out there with a mycode.php with some
sort of security hole and the botnet is poking at every web host it can
find looking for a hole to crawl in. Botnets are not always smart and
sometimes just use 'mindless' brute force and keep pounding until
something gives...


--
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments


Thomas 'PointedEars' Lahn

May 24, 2012, 7:34:00 AM
Robert Heller wrote:

> The Natural Philosopher wrote:
>> GET
>> mycode.php?param=-24+UNION+SELECT+0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d6567613364756d706572,0x6d6567613464756d706572,0x6d6567613564756d706572,0x6d6567613664756d706572,0x6d6567613764756d706572,0x6d6567613864756d706572,0x6d6567613964756d706572,0x6d65676131064756d706572
>>
>> ???
>>
>> It doesn't do any damage but a botnet has been spraying a site with this.
>
> There is probably some web software out there with a mycode.php with some
> sort of security hole and the botnet is poking at every web host it can
> find looking for a hole to crawl in. Botnets are not always smart and
> sometimes just use 'mindless' brute force and keep pounding until
> something gives...

The security hole here probably includes a vulnerability to an SQL
injection attack, as the "UNION SELECT" produced from this query part
when urldecode()d would suggest. A lot of information about this attack
can be found via Google, for example when using "0x6d6567613164756d706572"
as keyword.

<http://php.net/urldecode>


PointedEars
--
> If you get a bunch of authors […] that state the same "best practices"
> in any programming language, then you can bet who is wrong or right...
Not with javascript. Nonsense propagates like wildfire in this field.
-- Richard Cornford, comp.lang.javascript, 2011-11-14
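What the hex literals in the request spell out, as an added example (not code from the thread or from any project it names): it pulls the request line out of a constructed access-log entry, undoes the URL encoding the way urldecode() would, and decodes each 0x literal after a UNION SELECT so the probe can be classified from the log alone. The log lines, the shortened three-literal probe and the regexes are my own; the last literal keeps the odd digit count seen in the original post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines; the first carries the probe from the post, cut to
# three literals, one of them the odd-length 0x6d65676131064756d706572 from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2012:03:22:58 +0100] "GET /mycode.php?param=-24+UNION+SELECT+'
    '0x6d6567613164756d706572,0x6d6567613264756d706572,0x6d65676131064756d706572 HTTP/1.1" 200 512',
    '203.0.113.8 - - [24/May/2012:03:23:01 +0100] "GET /mycode.php?param=7 HTTP/1.1" 200 4096',
]

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
UNION_RE = re.compile(r'\bUNION\b(?:\s+ALL|\s+DISTINCT)?\s+SELECT\b', re.IGNORECASE)
HEX_RE = re.compile(r'\b0x([0-9a-fA-F]+)')


def decode_hex_literal(digits):
    """ASCII spelled by a MySQL 0x... string literal, or None if odd-length or not text."""
    if len(digits) % 2:
        return None  # odd digit count: does not split into whole bytes
    try:
        text = bytes.fromhex(digits).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def analyse_request(log_line):
    """Map each query parameter carrying a UNION SELECT to its column count and markers.

    Returns None when the line holds no such probe. parse_qsl already undoes the
    '+' and %xx encoding, which is the urldecode() step mentioned in the thread.
    """
    match = REQ_RE.search(log_line)
    if not match:
        return None
    findings = {}
    for name, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        if not UNION_RE.search(value):
            continue
        literals = HEX_RE.findall(value)
        findings[name] = {
            # one literal per column: the sender is guessing the query's column count
            "columns": len(literals),
            "markers": [decode_hex_literal(h) for h in literals],
        }
    return findings or None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyse_request(line))
```

Each decoded marker is a column-position label, so the number of literals tells you how many columns the sender assumed the original SELECT has.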

Denis McMahon

May 24, 2012, 10:40:44 AM
On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:

> There is probably some websoftware out there with a mycode.php

A quick google suggests that some forum code (myBB) has a mycode.php.

Whether this is the target of the attack or not I have no idea.

Rgds

Denis McMahon

The Natural Philosopher

May 24, 2012, 5:50:58 PM
no, because mycode.php was just an example, not what the attack
actually called.

It called a valid page I had written. I tested the URL supplied and it
sent back the default page that happens when it didn't recognise the
parameter.


> Rgds
>
> Denis McMahon

Captain Paralytic

May 30, 2012, 7:46:15 AM
On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
wrote:
> Denis McMahon wrote:
> > On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>
> >> There is probably some websoftware out there with a mycode.php
>
> > A quick google suggests that some forum code (myBB) has a mycode.php.
>
> > Whether this is the target of the attack or not I have no idea.
>
> no, because mycode.php was just an example, not what the attack
> actually called.
And how were we supposed to know that?

The Natural Philosopher

May 30, 2012, 8:20:10 AM
I didn't think it was relevant. It was calling a random php script that
takes parameters.

Robert Heller

May 30, 2012, 10:06:27 AM
At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <t...@invalid.invalid> wrote:

>
> Captain Paralytic wrote:
> > On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
> > wrote:
> >> Denis McMahon wrote:
> >>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
> >>>> There is probably some websoftware out there with a mycode.php
> >>> A quick google suggests that some forum code (myBB) has a mycode.php.
> >>> Whether this is the target of the attack or not I have no idea.
> >> no, because mycode.php was just an example, not what the attack
> >> actually called.
> > And how were we supposed to know that?
>
> I didn't think it was relevant. It was calling a random php script that
> takes parameters.

I suspect that the cracker botnet 'spiders' web sites looking for links
with URLs that match the RegEx pattern '.*\.php\?.*' and then creates
'attack' URLs based on these URLs, but with crafted parameters that
probe for security holes or perform SQL Injections. The actual PHP
scripts being called are not particularly relevant. There might be
some well known PHP scripts or common script elements that have
possible security issues that people are 'recycling' in custom PHP
scripts and these crackers are looking for these scripts with their
botnet 'spiders' and are using a 'brute force' type of attack.

The Natural Philosopher

May 30, 2012, 10:28:33 AM
Robert Heller wrote:
> At Wed, 30 May 2012 13:20:10 +0100 The Natural Philosopher <t...@invalid.invalid> wrote:
>
>> Captain Paralytic wrote:
>>> On May 24, 10:50 pm, The Natural Philosopher <t...@invalid.invalid>
>>> wrote:
>>>> Denis McMahon wrote:
>>>>> On Wed, 23 May 2012 22:28:33 -0500, Robert Heller wrote:
>>>>>> There is probably some websoftware out there with a mycode.php
>>>>> A quick google suggests that some forum code (myBB) has a mycode.php.
>>>>> Whether this is the target of the attack or not I have no idea.
>>>> no, because mycode.php was just an example, not what the attack
>>>> actually called.
>>> And how were we supposed to know that?
>> I didn't think it was relevant. It was calling a random php script that
>> takes parameters.
>
> I suspect that the cracker botnet 'spiders' web sites looking for links
> with URLs that match the RegEx pattern '.*\.php\?.*' and then creates
> 'attack' URLs based on these URLs, but with crafted parameters that
> probe for security holes or perform SQL Injections. The actual PHP
> scripts being called are not particularly relevant. There might be
> some well known PHP scripts or common script elements that have
> possible security issues that people are 'recycling' in custom PHP
> scripts and these crackers are looking for these scripts with their
> botnet 'spiders' and are using a 'brute force' type of attack.
>
>
I think that is probably the case.

"well known PHP scripts or common script elements that have
possible security issues that people are 'recycling'"

One good reason to roll your own. There may be bugs and security holes
but they aren't *well known* bugs and security holes.

Robert Heller

May 30, 2012, 1:30:51 PM
And one should *always* bulletproof the code. ALWAYS sanitize parameters.
Prefer $_POST[] over $_GET[] where possible or sensible. Check the
referer where that makes sense. And so on.

The Natural Philosopher

May 30, 2012, 5:27:33 PM
yeah right. As in the case I cited where the ONLY thing it does is
select from one of 47 possible news items.

You can do a huge amount of damage to a script like that.
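Robert Heller's "always sanitize parameters" advice and the "select one of 47 news items" script just described, as an added example that is not code from the thread: a constructed news table in SQLite stands in for the PHP/MySQL script, one lookup pastes the parameter into the SQL text, the other validates and binds it. The probe is the thread's own, spelled with SQLite's X'...' hex-string syntax instead of MySQL's 0x and cut to two columns to match the table; table contents are made up.

```python
import sqlite3

# The thread's probe in SQLite spelling: X'..' hex strings instead of 0x.., two columns.
PROBE = "-24 UNION SELECT x'6d6567613164756d706572', x'6d6567613264756d706572'"


def make_db():
    """Constructed stand-in for the 'one of N news items' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)",
                   [(1, "First item", "body 1"), (2, "Second item", "body 2")])
    return db


def fetch_news_concat(db, param):
    """Shape of the vulnerable script: the raw parameter becomes part of the SQL text,
    so a value starting '-24 UNION SELECT ...' changes what the statement returns."""
    return db.execute("SELECT title, body FROM news WHERE id = " + param).fetchall()


def fetch_news_bound(db, param):
    """Hardened: require an integer, then bind it. The SQL text is fixed, so the
    client's value is only ever compared against id, never parsed as SQL."""
    try:
        news_id = int(param)
    except (TypeError, ValueError):
        return []  # unrecognised parameter: caller serves the default page
    return db.execute("SELECT title, body FROM news WHERE id = ?", (news_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_news_concat(db, "2"))    # [('Second item', 'body 2')]
    print(fetch_news_concat(db, PROBE))  # [(b'mega1dumper', b'mega2dumper')]
    print(fetch_news_bound(db, PROBE))   # []
```

The concatenated lookup hands back a row the client composed rather than one of the news items, which is exactly the signal the probe's markers are designed to surface; the bound lookup returns nothing and falls through to the default page the original poster observed.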