[Modsecurity] Getting hit by SQL injection attacks

Mike Cardwell modsecurity at lists.grepular.com
Thu Aug 9 09:10:24 EDT 2007


* on the Thu, Aug 09, 2007 at 02:13:49AM -0400, admin at efastservers.com wrote:

> One of my sites is getting hit hard by thousands of attempted SQL injection
> attacks.
> 
> 72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] "GET
> /images/Web-Directory_12.gif HTTP/1.1" 200 562
> "http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/S
> ELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,0x223E3C212
> D2D,12,13/**/from/**/links/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
> en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
> 
> Although they only succeeded once, I'm desperate for a rule to kick a 403
> back.
> 
> Anyone know what they are trying to do?

From a look at the SQL, it appears they're trying to read a list of
email:password entries from table "links" in a database.

Is directory.php home grown, or part of some other package you've
installed? If you go to the url you quoted above but with your real
domain name, does it show the list of login details?

Mike
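
Added example, not part of the original thread or of ModSecurity: a Python sketch of log-side detection for the pattern in the quoted entry, where `/**/` comments stand in for whitespace and the injected URL appears in the Referer of an image request rather than in the request line. The function names are hypothetical, and `BENIGN_LINE` is a constructed sample.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')
COMMENT_RE = re.compile(r'/\*.*?(?:\*/|$)', re.S)  # closed or unterminated /* */
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b')

def normalize(value):
    """Replace SQL comments with a space, lowercase, collapse whitespace."""
    return ' '.join(COMMENT_RE.sub(' ', value).lower().split())

def suspicious_params(url):
    """Return [(name, normalized value)] for query parameters with UNION SELECT."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)  # URL-decodes
    return [(k, normalize(v)) for k, v in pairs if UNION_RE.search(normalize(v))]

def scan_line(line):
    """Check both the request URI and the Referer of one access-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    host, uri, referer = m.groups()
    return [(host, field, name, value)
            for field, url in (("request", uri), ("referer", referer))
            for name, value in suspicious_params(url)]

# The log entry quoted in the thread, with the mail client's line wraps removed.
PAGE_LINE = (
    '72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] '
    '"GET /images/Web-Directory_12.gif HTTP/1.1" 200 562 '
    '"http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/'
    'SELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,'
    '0x223E3C212D2D,12,13/**/from/**/links/*" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) '
    'Gecko/20070725 Firefox/2.0.0.6"')
# Constructed benign request (documentation IP address).
BENIGN_LINE = ('192.0.2.10 - - [09/Aug/2007:02:00:00 -0400] '
               '"GET /directory.php?ax=list&sub=1&cat_id=4 HTTP/1.1" 200 1024 '
               '"-" "Mozilla/5.0"')

if __name__ == "__main__":
    for line in (PAGE_LINE, BENIGN_LINE):
        print(scan_line(line))
```

A hit in the `referer` field means the request that carried the payload to `directory.php` is a separate, earlier log line from the same client.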

