MoonPoint Support Logo

 

Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
March
Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          
2014
Months
Jan Feb Mar
Apr May Jun
Jul Aug Sep
Oct Nov Dec


Mon, Mar 24, 2014 8:17 am

Attempted SQL injection attack

When I checked the webserver's error log file this morning, I noticed the following two entries related to the IP address 221.11.108.10:

[Mon Mar 24 08:15:07 2014] [error] [client 221.11.108.10] File does not exist: / home/jdoe/public_html/ctscms
[Mon Mar 24 08:15:12 2014] [error] [client 221.11.108.10] File does not exist: /home/jdoe/public_html/plus, referer: http://support.moonpoint.com/plus/search.php?keyword=as&typeArr[111%3D@`\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\'`+]=a

There is no ctscms file nor directory, nor do I use a search.php file, nor even have a directory named plus on this web site, so the queries seemed suspicious.

Performing a Google search on the attempted query to search.php, which appears to be an SQL query, I found links to a number of sites in the Chinese language. E.g., dedecms plus / search.php latest injection vulnerability (translated to English).

The query I saw in the Apache error log appeared to be an SQL injection attack. In Arrays in requests, PHP and DedeCMS, an InfoSec Handlers Diary Blog entry, I found the following in relation to an SQL injection attack used against /plus/download.php, which is a PHP script associated with the DedeCMS Content Management System (CMS):

And this definitely looks malicious. After a bit of research, it turned out that this is an attack against a known vulnerability in the DedeCMS, a CMS written in PHP that appears to be popular in Asia. This CMS has a pretty nasty SQL injection vulnerability that can be exploited with the request shown above.

So I blocked any further access to the server hosting this site from that IP address using a route reject command.

# route add 221.11.108.10 reject
[root@frostdragon ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
221.11.108.10   -               255.255.255.255 !H    0      -        0 -
171.216.29.9    -               255.255.255.255 !H    0      -        0 -

The 221.11.108.10 IP address is allocated to an entity in China. I blocked another Chinese IP address, 171.216.29.9 two days ago.

The Arrays in requests, PHP and DedeCMS blog entry indicated the attacker discussed in that article was using a script that identified itself with a user agent string of WinHttp.WinHttpRequest:

Additionally, as you can see in the log at the top, the User Agent string has been set to WinHttp.WinHttpRequest, which indicates that this request was created by a script or an attack tool executed on a Windows machine.

When I checked the Apache CustomLog to see what user agent string was submitted with the queries to this site, I saw it was "Googlebot/2.1", so the attacker appears to be using an updated script. that misidentifies itself as Googlebot. The Internet Storm Center blog entry was posted 6 months ago and discusses a log entry from September 5, 2013. The log entry posted in that article shows a source IP address of 10.10.10.10, which is a private IP address substituted in the article for the actual IP address from which the attack originated.

I saw the following in my log:

221.11.108.10 - - [24/Mar/2014:08:15:07 -0400] "GET /ctscms/ HTTP/1.1" 404 291 "
-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
221.11.108.10 - - [24/Mar/2014:08:15:12 -0400] "GET /plus/search.php?keyword=as&
typeArr[111%3D@`\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2
),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),
1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\'`+]=a HTTP/1.1" 404
 299 "http://support.moonpoint.com/plus/search.php?keyword=as&typeArr[111%3D@`\\
'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((sele
ct+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+info
rmation_schema.tables+group+by+a)b)%23@`\\'`+]=a" "Googlebot/2.1 (+http://www.go
ogle.com/bot.html)Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, a
pplication/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-power
point, application/msword, */*"

References:

  1. Stopping an Attacker with the Route Reject Command
    MoonPoint Support
    Date: April 15, 2007
  2. Arrays in requests, PHP and DedeCMS
    Internet Storm Center
    By: Bojan, ISC Handler

[/security/attacks] permanent link

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo