A new attack in the wild, and in my logs

Have a look at this (safe, defanged)

From a request:

?%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F4375
....
655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Neat, huh? A direct SQL injection attempt aimed at Microsoft SQL Server: the injected T-SQL is hex-encoded, CAST back into a CHAR(4000) string at runtime and run with EXEC, so none of the real keywords appear in the raw request where a naive filter would look for them. I removed most of the payload; the visible prefix decodes to "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cu" and the tail to "e_Cursor".
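Decoding this pattern and picking it out of a log, as an added example (my code, not the post's): it URL-decodes the request, pulls the hex blob out of CAST(0x... AS CHAR(n)) and turns it back into T-SQL, then runs the same check over a few log lines. The hex blob in the sample request is the fragment the post shows (the post elides the rest, so the recovered SQL stops mid-identifier); the log line format, the other requests and the addresses 192.0.2.x are constructed, and the NVARCHAR branch is an assumption about the UTF-16LE variant of the same trick, not something in the post.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample request. The hex blob is the fragment visible in the
# post (the rest is elided there), so the recovered T-SQL is truncated.
SAMPLE_REQUEST = (
    "/?%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    "4445434C415245204054207661726368617228323535292C40432076"
    "617263686172283430303029204445434C415245205461626C655F4375"
    "%20AS%20CHAR(4000));EXEC(@S);"
)

# Constructed log lines in a hypothetical "ip date time request" layout
# (not the post's own log viewer). The first two mirror the pair seen per
# source in the post: one request with the leading quote, one without.
SAMPLE_LOG = [
    "60.48.212.49 23-Jul 12:30:41 " + SAMPLE_REQUEST,
    "60.48.212.49 23-Jul 12:30:41 " + SAMPLE_REQUEST.replace("%27", "", 1),
    "192.0.2.10 23-Jul 12:31:07 /?p=42",
    "192.0.2.11 23-Jul 12:32:15 /?s=declare%20independence",
]

# CAST(0x... AS CHAR(n)) and its VARCHAR / NCHAR / NVARCHAR variants.
# The N variants carry UTF-16LE text (assumption about variants, see lead-in).
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)


def decode_hex_payload(request: str) -> Optional[str]:
    """Return the T-SQL hidden inside a CAST(0x... AS CHAR(n)), or None."""
    decoded = unquote(request)  # %27 -> ', %20 -> space, ...
    m = HEX_CAST_RE.search(decoded)
    if m is None:
        return None
    blob, kind = m.group(1), m.group(2).upper()
    if len(blob) % 2:  # log truncated mid-byte: drop the dangling nibble
        blob = blob[:-1]
    raw = bytes.fromhex(blob)
    if kind.startswith("N"):
        # UTF-16LE needs whole code units; drop a trailing odd byte
        return raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def is_hex_sqli_probe(request: str) -> bool:
    """True when the request carries the DECLARE / CAST(0x...) / EXEC pattern."""
    decoded = unquote(request)
    upper = decoded.upper()
    return (
        HEX_CAST_RE.search(decoded) is not None
        and "DECLARE" in upper
        and re.search(r"\bEXEC\s*\(", upper) is not None
    )


def scan_log(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (source ip, decoded T-SQL) for every line matching the probe."""
    hits = []
    for line in lines:
        ip, _date, _time, request = line.split(" ", 3)
        if is_hex_sqli_probe(request):
            hits.append((ip, decode_hex_payload(request)))
    return hits


if __name__ == "__main__":
    for ip, sql in scan_log(SAMPLE_LOG):
        print(f"{ip}: {sql}")
```

Decoding the blob is the useful part: the raw request only ever shows DECLARE, CAST and EXEC, so a filter that looks for SELECT or UPDATE in the query string never fires, while the decoded text shows exactly what the attacker wanted the database to run.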

Didn’t succeed. Came from Malasia:

60.48.212.49    [W| B | U ]   MYS, Johor Bahru   23-Jul 12:30:41   /?';DECLARE%2...0));EXEC(@S);   -
60.48.212.49    [W| B | U ]   MYS, Johor Bahru   23-Jul 12:30:41   /?;DECLARE%20...0));EXEC(@S);   -

And Brooklyn

24.184.25.236   [W| B | U ]   USA, Brooklyn      23-Jul 12:04:02   /?';DECLARE%2...0));EXEC(@S);   -
24.184.25.236   [W| B | U ]   USA, Brooklyn      23-Jul 12:04:02   /?;DECLARE%20...0));EXEC(@S);   -

and China

116.18.42.203   [W| B | U ]   CHN, Guangzhou     23-Jul 16:56:25   /?;DECLARE%20...0));EXEC(@S);   -
116.18.42.203   [W| B | U ]   CHN, Guangzhou     23-Jul 16:56:25   /?';DECLARE%2...0));EXEC(@S);   -

and Turkey

81.214.134.85   [W| B | U ]   TUR, Istanbul      23-Jul 14:14:50   /?';DECLARE%2...0));EXEC(@S);   -

If you own one of those IPs, you are most likely no longer in control of your machine. If you are, and you did this, then you are a baaaad person. Very baaaad.

Specifically

 whois 24.184.25.236
Optimum Online (Cablevision Systems) OOL-2BLK (NET-24-184-0-0-1) 
                                  24.184.0.0 - 24.187.255.255
Optimum Online (Cablevision Systems) OOL-CPE-NYK4NY-24-184-24-0-22 (NET-24-184-24-0-1) 
                                  24.184.24.0 - 24.184.27.255

# ARIN WHOIS database, last updated 2008-07-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Sad.


3 thoughts on "A new attack in the wild, and in my logs"

  1. it’s spelled “Malaysia” 😛

    Some years ago, some statistics came out in the press that placed Malaysia as one of the most common sources of attacks world wide. Some political suits tried to sell it as an indication of the nation’s technical prowess, albeit misdirected… nobody told them that it was probably just a case of hosts in Malaysia having gotten hijacked.

  2. I have had the same attack, but I've searched the database and saw that nothing happened. They are just attacking. This is an exploit for ColdFusion, not capable with WordPress.
