I have an IP address that is actively attempting SQL injection attacks on my site. I put this IP into the IIS Manager Deny list 2 days ago and this morning he got through with at lease a dozen injection attack attempts. How is he getting through the IIS Deny? His IP is 192.168.211.3
I log all activity to an usage table so I get a better idea of what is going on in the site. What do you mean by "it's a local IP"?
Local IP is the static / dynamic IP issued by your router/hub. Its non public facing meaning its only good within your internal network (192.168.xxx.xxx) IIS does not filter these IP's 192.168.1.0 / 1 Is an internal IP which would normally be the gateway. Connect to it, and see the DHCP client table to see who was assigned for (192.168.211.3) within your private network
Ok, this is a bit disturbing. What router/hub? As far as I know I have no router/hub. I definitely don't have a private network that I know of. To get these values I'm using Request.UserHostName and Request.UserHostAddress.
Well, our network could use private IPs for internal server to server connections as well. jayc is referring to typical home use of private IPs. I'm checking with the system admins right now to see what they think.
Here are the log entries. 2012-03-30 02:20:06.523 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=7/29/2011+and+1=1-- 2012-03-30 02:20:06.610 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=5/19/2011+and+1=1-- 2012-03-30 02:20:06.663 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=5/26/2011+and+1=1-- 2012-03-30 02:20:07.033 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=7/29/2011-999.9+union+select+0-- 2012-03-30 02:20:07.123 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=5/19/2011-999.9+union+select+0-- 2012-03-30 02:20:07.170 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=5/26/2011-999.9+union+select+0-- 2012-03-30 02:20:07.553 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=7/29/2011+order+by+1-- 2012-03-30 02:20:07.643 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=5/19/2011+order+by+1-- 2012-03-30 02:20:07.710 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=5/26/2011+order+by+1-- 2012-03-30 02:20:08.063 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=9/30/2011+and+1=1-- 2012-03-30 02:20:08.600 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=9/30/2011-999.9+union+select+0-- 2012-03-30 02:20:09.107 192.168.211.3 http://www.delval.biz/DailyUpdates.aspx?Target_Date=9/30/2011+order+by+1-- NULL NULL NULL
I would suggest you to open a support ticket with a copy of this log attached so we can investigate further. support.discountasp.net
i also think you should create a support ticket. we need further details that you might not want to post in a public forum.
