A new attack in the wild, and in my logs

Have a look at this (safe, defanged)

From a request:
?%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076
617263686172283430303029204445434C415245205461626C655F4375
....

655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Neat… huh? A direct SQL injection attempt. I’ve removed most of the payload.
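To show what a defender actually does with a request like this, here is an added example (not from the original post) that percent-decodes a URI, matches the DECLARE/SET @S=CAST(0x… AS CHAR)/EXEC(@S) pattern, and turns the hex literal back into readable SQL. The sample request is constructed from the defanged fragment quoted above, so only the visible prefix of the hidden SQL is recovered; the benign request and the 198.51.100.7 address are constructed too.

```python
import re
from urllib.parse import unquote

# The MS SQL pattern in the logs: DECLARE @S ...; SET @S=CAST(0x<hex> AS ...); EXEC(@S)
HEX_CAST_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+(?:N?VAR)?CHAR\(\d+\)\s*;\s*"
    r"SET\s+@\1\s*=\s*CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(?:N?VAR)?CHAR\(\d+\)\s*\)\s*;\s*"
    r"EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)

# Constructed sample: the visible part of the hex literal quoted in the post.
SAMPLE_HEX = ("4445434C415245204054207661726368617228323535292C40432076"
              "617263686172283430303029204445434C415245205461626C655F4375")
ATTACK_URI = ("/?%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + SAMPLE_HEX
              + "%20AS%20CHAR(4000));EXEC(@S);")
BENIGN_URI = "/search?q=DECLARE%20your%20intent&page=2"   # constructed, harmless
CONSTRUCTED_LOG = ["60.48.212.49 " + ATTACK_URI, "198.51.100.7 " + BENIGN_URI]


def decode_hex_sql(hex_text: str) -> str:
    """Turn the 0x... literal back into the SQL it hides.

    A truncated log line can leave an odd number of hex digits; drop the
    dangling nibble so a partial record still yields the readable prefix.
    """
    if len(hex_text) % 2:
        hex_text = hex_text[:-1]
    return bytes.fromhex(hex_text).decode("latin-1")


def inspect_request(raw_uri: str):
    """Return (variable_name, decoded_sql) if the URI carries the pattern, else None."""
    decoded = unquote(unquote(raw_uri))   # twice: some scanners double-encode
    m = HEX_CAST_RE.search(decoded)
    if not m:
        return None
    return m.group(1), decode_hex_sql(m.group(2))


def scan_log(lines):
    """Scan '<ip> <uri>' lines and return [(ip, decoded_sql), ...] for every hit."""
    hits = []
    for line in lines:
        ip, _, uri = line.partition(" ")
        found = inspect_request(uri)
        if found:
            hits.append((ip, found[1]))
    return hits
```

The recovered prefix for the quoted fragment reads `DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cu`, which is the start of the cursor loop this family of injections uses to walk every table and column; the rest is whatever the author cut out.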

It didn’t succeed. It came from Malaysia:

60.48.212.49   	 [W| B  | U  ] |MYS , Johor Bahru |  	 23-Jul  	12:30:41  	/?';DECLARE%2...
0));EXEC(@S);
	-
60.48.212.49 	[W| B | U ] |MYS , Johor Bahru | 	23-Jul 	12:30:41 	/?;DECLARE%20...
0));EXEC(@S);
	- 

And Brooklyn

24.184.25.236   	 [W| B  | U  ] |USA , Brooklyn |  	 23-Jul  	12:04:02  	/?';DECLARE%2...
0));EXEC(@S);
	-
24.184.25.236 	[W| B | U ] |USA , Brooklyn | 	23-Jul 	12:04:02 	/?;DECLARE%20...
0));EXEC(@S);
	- 

and China

116.18.42.203   	 [W| B  | U  ] |CHN , Guangzhou |  	 23-Jul  	16:56:25  	/?;DECLARE%20...
0));EXEC(@S);
	-
116.18.42.203 	[W| B | U ] |CHN , Guangzhou | 	23-Jul 	16:56:25 	/?';DECLARE%2...
0));EXEC(@S);
	- 

and Turkey

81.214.134.85   	 [W| B  | U  ] |TUR , Istanbul |  	 23-Jul  	14:14:50  	/?';DECLARE%2...
0));EXEC(@S);
	-

If you own one of those IPs, it is likely you are no longer in control of your machine. If you are, and you did this, then you are a baaaad person. Very baaaad.

Specifically:

 whois 24.184.25.236
Optimum Online (Cablevision Systems) OOL-2BLK (NET-24-184-0-0-1) 
                                  24.184.0.0 - 24.187.255.255
Optimum Online (Cablevision Systems) OOL-CPE-NYK4NY-24-184-24-0-22 (NET-24-184-24-0-1) 
                                  24.184.24.0 - 24.184.27.255

# ARIN WHOIS database, last updated 2008-07-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Sad.

