External Query Attack

A couple of times over the past few weeks, my server has been hammered by a series of "scanning" type URL entries.

They all come from the same IP address: 188.165.251.129
Which is in France and shows up as being blacklisted on at least four blacklists.

What this attack does is use my URL and a valid PHP file name.

https://mydomain.com/help.php

Then it adds on an "a=..." query which I assume is an attempt at looking for vulnerabilities.

So for example:
https://mydomain.com/help.php?a=noscr+and+1=1&i=newLog

It then cycles through nearly 100 of these variations. *See below for a list of other attempted options.

I have two questions:

1) What is the best way to handle this type of "scanning"?
2) What does the following list of queries tell you they are trying to do?

Thanks.

*Here is a sample of attempted queries:

a=noscr+and+1=1&i=newLog
a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=tour%2527)+AND+(SELECT+8041+FROM(SELECT+COUNT(%252A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%253D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%252A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(%2527ffAM%2527%253D%2527ffAM
a=demo+%2527-6863+union+all+select+1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=demo+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1,1%2523
a=demo+-6863+union+all+select+1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1%2523

Asked by Paul Konstanski (Project Specialist)
Guy Lidbetter commented:
First off... almost all Web Hosting applications offer a means to block by IP, I would add that IP quick sharp. What application are you using to host the site?

Secondly, that looks to me like a SQL injection attack... They are trying to get access to a back end database.
0

Paul Konstanski (Project Specialist, Author) commented:
It is a Virtual Private Server running Linux (standard LAMP configuration).

I can block by IP address, but the question I always wrestle with is: can I potentially block a legitimate IP? Or are the odds of this IP being legit so low that I should just block anyway?

The fact that I'm catching all of these attempts indicates to me that my block is working, but I always wonder if I'm missing something. Is there any way to check if you've been hacked?
0
paarun commented:
The best thing to do is block the IP address, but it is still possible that you could get attacked from a different IP. If that is not an option, I would suggest you contact the admin of the IP range (from whois database) asking them to check the situation. It is quite possible that they have been attacked and their systems are used without their knowledge.
0

Guy Lidbetter commented:
It belongs to OVH ISP and Hosting, located in France.

I would contact them with this information at abuse-mailbox: abuse@ovh.net
0
madunix (Fadi SODAH), Chief Information Security Officer, commented:
Fixing SQL injection problems is a matter of going through EVERY SINGLE LINE in your code that talks to SQL and making sure that it's not passing in strings from the URL, so you should always filter any input from the web to accept only those characters and conditions which are reasonable for that list. Web Application Firewalls (WAF) are a common type of defense against web application attacks.
http://www.experts-exchange.com/Security/Vulnerabilities/Q_26865992.html
http://www.experts-exchange.com/questions/25019749/SQL-Injection.html
0
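As an added illustration of the point above (example code, not the commenter's code and not the asker's help.php): the same lookup written the way the scan is hoping to find it, next to a version that rejects anything outside an allow-list and then sends the value as a bound parameter. The table `help_topics`, its columns `slug` and `body`, and the PDO connection details are assumptions for the example.

```php
<?php
// Added example (not from the answer or the site under discussion).
// Assumes a table "help_topics" with columns "slug" and "body"
// and a MySQL database reachable via PDO; both are assumptions.

declare(strict_types=1);

// UNSAFE: the URL value is spliced straight into the SQL text, so a
// value that contains a quote, "union all select" or "#" changes the
// structure of the statement. This is the pattern the scan probes for.
function lookupHelpUnsafe(PDO $pdo, string $a): ?string
{
    $sql = "SELECT body FROM help_topics WHERE slug = '" . $a . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['body'] ?? null;
}

// SAFE: two layers. First an allow-list of what a topic slug may look
// like; anything else is rejected before the database is touched.
// Second a prepared statement, so the value travels as data and is
// never parsed as SQL, whatever characters it contains.
function lookupHelpSafe(PDO $pdo, string $a): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $a)) {
        return null; // reject, rather than trying to "clean" the input
    }
    $stmt = $pdo->prepare('SELECT body FROM help_topics WHERE slug = :slug');
    $stmt->execute([':slug' => $a]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['body'] ?? null;
}

// Usage in a handler such as help.php (assumed). Exceptions make
// failures visible instead of silently returning partial results;
// disabling emulated prepares makes MySQL do the binding server-side.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$a    = $_GET['a'] ?? '';
$body = lookupHelpSafe($pdo, $a);
if ($body === null) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
```

With the safe version, every query in the asker's list returns a plain 404 because none of them passes the slug allow-list, and even a value that did pass could not alter the statement.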
Dave Baldwin (Fixer of Problems) commented:
Does that page even accept query strings as data? These would be found in the $_GET or $_REQUEST array if you did. If you are not processing the $_GET or $_REQUEST variables then there isn't a problem, because that info is not getting into your site.
0
NerdsOfTech (Technology Scientist) commented:
Maybe a catch and timeout solution would work.

Pseudo code:
Check IP flag

If flagged, time-ban IP. Serve access denied error.

If not flagged, invalid characters used or if user presents invalid query string x times, flag IP, serve error message.

If not flagged/invalid, then proceed as designed.

As long as the hacker doesn't burn through spoofed IPs, this solution would be automated and maintenance free.
0
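An added PHP implementation of the catch-and-timeout idea in the comment above (example code, not the commenter's). It keeps a per-IP strike counter in a file, treats query strings that resemble the probes in the question as strikes, and time-bans the address once the limit is reached. The directory, thresholds and the set of patterns counted as "invalid" are choices made for this example, not values from the question.

```php
<?php
// Added example of the flag / time-ban scheme (not the commenter's code).
// Assumes BAN_DIR is writable by the web server user; the thresholds
// below are example values.

declare(strict_types=1);

const BAN_DIR       = '/var/tmp/ipban'; // assumed writable by the web user
const STRIKE_LIMIT  = 5;                // bad requests before a ban
const BAN_SECONDS   = 3600;             // how long a flagged IP stays banned
const STRIKE_WINDOW = 600;              // strikes older than this are forgotten

// Does the query string look like the probes in the question?
// Decoded twice first, because the scanner double-encodes (%2527, %2523).
function looksMalicious(string $query): bool
{
    $decoded = urldecode(urldecode($query));
    return (bool) preg_match(
        '/union\s+all\s+select|information_schema|concat\s*\(|\b(?:and|or)\s+1\s*=\s*1\b|[\'"#]/i',
        $decoded
    );
}

// The IP is hashed so it never forms part of a file path on its own.
function strikeFile(string $ip): string
{
    return BAN_DIR . '/' . hash('sha256', $ip) . '.json';
}

function loadState(string $ip): array
{
    $f = strikeFile($ip);
    if (!is_file($f)) {
        return ['strikes' => [], 'banned_until' => 0];
    }
    $s = json_decode((string) file_get_contents($f), true);
    return is_array($s) ? $s : ['strikes' => [], 'banned_until' => 0];
}

function saveState(string $ip, array $state): void
{
    if (!is_dir(BAN_DIR)) {
        mkdir(BAN_DIR, 0700, true);
    }
    file_put_contents(strikeFile($ip), json_encode($state), LOCK_EX);
}

// Returns true if the request may proceed, false if it was denied.
function gate(string $ip, string $query, int $now): bool
{
    $state = loadState($ip);

    // 1. Flagged: refuse until the ban expires.
    if ($state['banned_until'] > $now) {
        return false;
    }

    // 2. Bad-looking query: record a strike; ban on the Nth strike
    //    within the window.
    if (looksMalicious($query)) {
        $state['strikes'] = array_values(array_filter(
            $state['strikes'],
            fn(int $t): bool => $t > $now - STRIKE_WINDOW
        ));
        $state['strikes'][] = $now;
        if (count($state['strikes']) >= STRIKE_LIMIT) {
            $state['banned_until'] = $now + BAN_SECONDS;
            $state['strikes']      = [];
        }
        saveState($ip, $state);
        return false;
    }

    // 3. Neither flagged nor invalid: proceed as designed.
    return true;
}

// Place at the top of help.php (assumed). REMOTE_ADDR is set by the web
// server from the TCP connection; if the site sits behind a reverse
// proxy, take the client address from the proxy's trusted header instead.
$ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$query = $_SERVER['QUERY_STRING'] ?? '';
if (!gate($ip, $query, time())) {
    http_response_code(403);
    error_log("blocked {$ip}: {$query}"); // keeps a trail for later review
    exit('Access denied');
}
```

Each probe from the question (`union+all+select`, `INFORMATION_SCHEMA`, `%2527` which decodes to a quote, `and+1=1`) counts as a strike, so the scanning address is banned after the fifth attempt and every further request in the hour gets a 403 without reaching the page logic. The error_log line matters for the asker's second worry: the blocked requests remain visible in the server log for review.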