Solved

Site being hacked?

Posted on 2006-07-10
Last Modified: 2008-03-10
This is the second time (two different IPs) I've seen this in the past 3 weeks. Someone from China looks to be trying to use a SQL injection technique to hack one of my sites. What is interesting is that both times, they tried the exact same order of manipulation to the querystring, so I'm wondering if this is a program or something they are running. Has anyone seen this?

News.aspx?ArticleID=1' and char(124)+user+char(124)=0 and ''='
News.aspx?ArticleID=1 and char(124)+user+char(124)=0
News.aspx?ArticleID=1' and char(124)+user+char(124)=0 and '%'='
News.aspx?ArticleID=1 and 1=1
News.aspx?ArticleID=1 and 1=2
News.aspx?ArticleID=1' and 1=1 and ''='

Both times it has been in the exact same order... When I look at this technique, even if my site was susceptible to SQL injection, this stuff wouldn't even do anything.

I put a few of these into Google, and it returned a site that has a few of these "techniques" listed on a website, so I wonder if they are standard techniques. Has anyone seen something like this before? Should I be worried?
Question by:thrill_house
5 Comments
 

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 17073973
Nessus, GFI LANguard Network Security Scanner, any number of these kinds of tools can look for those vulnerabilities and report on them. You can create your own script to do these things quite easily, so it's hard to say for certain. You should follow best practices, and try to harden your systems as much as possible...
Only allow necessary ports in and out of your servers, try to block all unnecessary ports
Keep up2date with OS patches, as well as web-server patches, and software patches, like php, sql, java etc...
Install AV where possible, keep that up2date and schedule regular scans, you may also consider getting an IDS like Snort implemented.
Log readers and alerting software like GFI's SELM, "Snare" or KiwiTools can help you detect possible attempts also
http://www.kiwisyslog.com/links.htm
http://www.intersectalliance.com/projects/SnareWindows/index.html
-rich
0
 

Accepted Solution

by:PugnaciousOne
PugnaciousOne earned 200 total points
ID: 17108074
Filter the input and url header to your site by disallowing any special characters and re-parsing the URL.  This should stop most SQL injection attacks cold.   This is definitely a standard technique.
0
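An added example, not part of the answer above: the ArticleID values from the question run against a concatenated query and against an allow-listed, parameterized one. It assumes a hypothetical `news` table and uses sqlite3 as an offline stand-in for the site's real database.

```python
import sqlite3

# Constructed stand-in for the site's article table (assumption: the real
# site runs a different database behind News.aspx; sqlite3 runs offline).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES (1, 'Welcome')")
    return db

def lookup_vulnerable(db, article_id):
    # 'Before' form: the query string value is pasted into the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT title FROM news WHERE id = " + article_id
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.Error:
        return "error"

def lookup_hardened(db, article_id):
    # Allow-list: ArticleID must be 1 to 9 ASCII digits, nothing else.
    ok = article_id.isascii() and article_id.isdigit() and len(article_id) <= 9
    if not ok:
        return "rejected"
    # Bound parameter: the value never becomes part of the SQL text.
    rows = db.execute("SELECT title FROM news WHERE id = ?", (int(article_id),))
    return [r[0] for r in rows]

# ArticleID values taken from the requests quoted in the question.
PROBES = ["1", "1 and 1=1", "1 and 1=2", "1' and 1=1 and ''='"]

def compare():
    db = make_db()
    return {p: (lookup_vulnerable(db, p), lookup_hardened(db, p)) for p in PROBES}

if __name__ == "__main__":
    for value, (before, after) in compare().items():
        print(f"{value!r:26} vulnerable={before!r:12} hardened={after!r}")
```

With the concatenated query, `1 and 1=1` returns the article and `1 and 1=2` returns nothing, and that difference in the page is what the paired requests are looking for; the hardened lookup answers every non-numeric value the same way.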
 

Assisted Solution

by:kruptos
kruptos earned 150 total points
ID: 17158670
Yeap,

This is a standard technique, mainly used just to see if a site's DB is open to certain types of SQL injection. Also, PugnaciousOne had a good idea for helping crack down on this.

If you also google "prevent sql injection" you will get some good ideas to help combat these attacks.

http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/

http://cyberforge.com/weblog/aniltj/archive/2004/05/21/535.aspx

Also,

Read up on some tutorials so you can get inside the mind of the bad guys :-)

http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php



But, to answer your last question... Always be worried, when you stop being worried the crackers come out to play :-)

Hope this helps,

-Kruptos
0
 

Expert Comment

by:PugnaciousOne
ID: 17159695
Also, since you're using ASP.NET I'm not completely sure this code applies, as I use ASP, but you can use something like this:

<% Response.Write(Server.URLEncode("http://www.yoururl.com")) %>

and

<% Response.Write(Server.HTMLEncode("The image tag: <img>")) %>

These re-encode the url and various site code.  Basically it's sanitizing the input.
0
 

Expert Comment

by:Gangloff
ID: 23515304
I also see this exact thing in my web logs.

This is most probably a SQL injection attempt like people have suggested above. And the solutions do apply.

This particular sequence checks to see if your server is vulnerable to the particular attack. Basically, you've been probed for a potential vulnerability... When you see URLs like that or such messages in the logs, it's always good to try it yourself and see what happens. In most cases, nothing happens either because your system is not the type/version that is being targeted by the probe or your system is not vulnerable to the issue (your system is correctly patched, you don't have the earlier version that is being targeted, etc.).
0
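An added example, not from any poster in this thread: a log check that groups requests by client and labels the probe shapes quoted in the question. The log layout (client IP, space, request target), the sample lines and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Patterns for the ArticleID values quoted in the question.
PROBE_PATTERNS = {
    "boolean_test": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    # [\s+]* tolerates a literal '+' that URL decoding turned into a space.
    "char_user_cast": re.compile(r"char\(\d+\)[\s+]*user[\s+]*char\(\d+\)", re.I),
    "quote_balancing": re.compile(r"and\s+'[^']*'\s*=\s*'$", re.I),
}

# Constructed access-log lines; the IPs are documentation addresses, not the
# ones the poster saw.
SAMPLE_LOG = """\
203.0.113.7 /News.aspx?ArticleID=1'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''='
203.0.113.7 /News.aspx?ArticleID=1%20and%20char(124)%2Buser%2Bchar(124)=0
203.0.113.7 /News.aspx?ArticleID=1%20and%201=1
203.0.113.7 /News.aspx?ArticleID=1%20and%201=2
198.51.100.20 /News.aspx?ArticleID=42
198.51.100.20 /Default.aspx
"""

def scan(log_text, param="ArticleID"):
    """Return {client_ip: sorted probe labels seen in `param`}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ip, _, target = line.partition(" ")
        for value in parse_qs(urlsplit(target).query).get(param, []):
            if value.isdigit():
                continue  # a plain numeric id is normal traffic
            hits[ip].add("non_numeric_id")  # broad catch-all for this parameter
            for label, pattern in PROBE_PATTERNS.items():
                if pattern.search(value):
                    hits[ip].add(label)
    return {ip: sorted(labels) for ip, labels in hits.items()}

if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

A client that trips several labels within a short window matches the fixed request order described in the question, which points to a scripted scan rather than a mistyped link.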
