[Modsecurity] Getting hit by SQL injection attacks

Mike Cardwell modsecurity at lists.grepular.com
Thu Aug 9 09:59:17 EDT 2007


* on the Thu, Aug 09, 2007 at 10:14:41AM -0300, Crazy Canucks wrote:

>>>  One of my sites is getting hit hard by thousands of attempted sql injection
>>>  attacks.
>>> 
>>>  72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] "GET
>>>  /images/Web-Directory_12.gif HTTP/1.1" 200 562
>>>  "http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/S
>>>  ELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,0x223E3C212
>>>  D2D,12,13/**/from/**/links/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
>>>  en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
>>> 
>>>  Although they only succeeded once, I'm desperate for a rule to kick a 403
>>>  back.
>>> 
>>>  Anyone know what they are trying to do?

>> From a look at the SQL, it appears they're trying to read a list of
>> email:password entries from table "links" in a database.
>> 
>> Is directory.php home grown, or part of some other package you've
>> installed? If you go to the url you quoted above but with your real
>> domain name, does it show the list of login details?

> There is a new PNphpBB2 (and I'm guessing phpBB2 as well)
> vulnerability on viewforum.php.  It allows passwords to be stolen.
> Not sure if it is related to this or not.

Hi. You accidentally replied to me directly rather than to the list. I
don't think that vulnerability is related. The log entry you show is
attempting to exploit "directory.php", not "viewforum.php".

Mike
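
An added example, not part of the original message or of ModSecurity: a Python triage pass over Apache combined-format log lines that strips the `/**/` comment padding seen in the quoted entry and reports which script a UNION SELECT attempt targeted. The names `normalize` and `inspect` are hypothetical, the benign line is constructed, and only the UNION SELECT pattern is covered.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")

# The log entry quoted in the thread, joined back onto one line.
SAMPLE = (
    '72.208.177.18 - - [09/Aug/2007:01:59:03 -0400] '
    '"GET /images/Web-Directory_12.gif HTTP/1.1" 200 562 '
    '"http://www.mydomain.com/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/'
    'SELECT/**/1,2,3,4,concat(0x2D2D3E,email,0x3a,password),6,7,8,9,10,'
    '0x223E3C212D2D,12,13/**/from/**/links/*" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) '
    'Gecko/20070725 Firefox/2.0.0.6"'
)
# Constructed benign entry for comparison.
BENIGN = (
    '192.0.2.10 - - [09/Aug/2007:02:00:00 -0400] '
    '"GET /directory.php?ax=list&sub=1&cat_id=4 HTTP/1.1" 200 1024 '
    '"http://www.mydomain.com/" "Mozilla/5.0"'
)

def normalize(value):
    """URL-decode, drop SQL comments (closed or dangling), squeeze spaces, lowercase."""
    value = unquote(value.replace("+", " "))
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # /**/ used as whitespace
    value = re.sub(r"/\*.*$", " ", value, flags=re.S)     # trailing unterminated /*
    return re.sub(r"\s+", " ", value).strip().lower()

def inspect(line):
    """Return findings for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    findings = []
    # The status code belongs to the logged request, not to a URL found in the Referer.
    for field, url in (("request", target), ("referer", m["referer"])):
        split = urlsplit(url)
        if UNION_SELECT.search(normalize(split.query)):
            findings.append({"ip": m["ip"], "field": field, "script": split.path})
    return findings

if __name__ == "__main__":
    for entry in (SAMPLE, BENIGN):
        print(inspect(entry))
```

On the quoted entry the match is in the Referer of an image request, so the 200 there is for the GIF; the request to `directory.php` itself is a separate log line.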

