• Status: Solved
• Priority: Medium
• Security: Public
• Views: 123

External Query Attack

A couple of times over the past few weeks, my server has been hammered by a series of "scanning" type URL entries.

They all come from the same IP address, 188.165.251.129, which is in France and shows up as being blacklisted on at least four blacklists.

What this attack does is use my URL and a valid PHP file name.

https://mydomain.com/help.php

Then it adds on an "a=..." query which I assume is an attempt at looking for vulnerabilities.

So for example:
https://mydomain.com/help.php?a=noscr+and+1=1&i=newLog

It then cycles through nearly 100 of these variations. *See below for a list of other attempted options.

I have two questions:

1) What is the best way to handle this type of "scanning"
2) What does the following list of queries tell you they are trying to do?

Thanks.

*Here is a sample of attempted queries:

a=noscr+and+1=1&i=newLog
a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1%2523
a=tour+%2527-6863+union+all+select+1,1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=tour%2527)+AND+(SELECT+8041+FROM(SELECT+COUNT(%252A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%253D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%252A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(%2527ffAM%2527%253D%2527ffAM
a=demo+%2527-6863+union+all+select+1,1,1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)%2523
a=demo+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1,1%2523
a=demo+-6863+union+all+select+1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1%2523
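To see what the list above is asking the page to do, here is an added example (it is not part of the original question or any of the answers, and it is Python rather than the site's PHP) that URL-decodes four of the quoted query strings, turns the MySQL 0x... hex literals back into text and names the technique each one is probing for. The probes are embedded as a constructed list copied from the question; the classification rules are the editor's own and are only meant to cover these payloads. Decoding shows that the hex literals are marker strings (":oyu:", "BDvHwiuipk", ":phz:"): the scanner moves the CONCAT() into a different column of a UNION SELECT on each request and looks for ":oyu:BDvHwiuipk:phz:" in the response to learn how many columns the real query has and which one is echoed into the page, while the "GROUP BY ... rand(0)" variant tries to provoke a MySQL duplicate-key error whose message carries the same marker.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample: four of the query strings quoted in the question above,
# exactly as they would appear in the web server's access log.
PROBES = [
    "a=noscr+and+1=1&i=newLog",
    "a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523",
    "a=tour+%2527-6863+union+all+select+1,1,1,1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1%2523",
    "a=tour%2527)+AND+(SELECT+8041+FROM(SELECT+COUNT(%252A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%253D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%252A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(%2527ffAM%2527%253D%2527ffAM",
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def decode_param(query, name="a"):
    """Return the fully decoded value of one query-string parameter.

    parse_qs decodes once ('+' -> space, %25 -> '%'); the scanner double-encodes
    its quotes and comment markers (%2527 -> %27 -> '), so keep decoding until
    the text stops changing.
    """
    value = parse_qs(query).get(name, [""])[0]
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    return value


def decode_hex_literals(sql):
    """ASCII text of every MySQL 0x... literal in the statement (the scanner's markers)."""
    out = []
    for digits in HEX_LITERAL.findall(sql):
        if len(digits) % 2 == 0:            # a real string literal has whole bytes
            out.append(bytes.fromhex(digits).decode("ascii", "replace"))
    return out


def classify(sql):
    """Name the injection technique a decoded payload is probing for (rules fitted to these probes)."""
    s = sql.lower()
    if "union" in s and "select" in s:
        return "union-based"                # find a column that is echoed into the page
    if "group by" in s and "rand(" in s:
        return "error-based"                # force a duplicate-key error that carries the marker
    if re.search(r"\band\s+\d+\s*=\s*\d+", s):
        return "boolean-based"              # compare responses to a true/false condition
    return "unknown"


def union_layout(sql):
    """For a UNION probe: (number of columns guessed, 1-based column holding the marker)."""
    after = re.split(r"union\s+all\s+select\s+", sql, flags=re.IGNORECASE)[1]
    after = after.rstrip().rstrip("#")      # MySQL '#' comment swallows the rest of the real query
    cols = [c.strip() for c in re.sub(r"CONCAT\([^)]*\)", "MARK", after).split(",")]
    return len(cols), cols.index("MARK") + 1


def analyse(probes):
    """One summary dict per probe: decoded SQL, technique, markers and, for UNION, the column layout."""
    report = []
    for query in probes:
        sql = decode_param(query)
        entry = {"sql": sql, "kind": classify(sql), "markers": decode_hex_literals(sql)}
        if entry["kind"] == "union-based":
            entry["columns"], entry["marker_col"] = union_layout(sql)
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in analyse(PROBES):
        print(entry["kind"], entry["markers"], entry.get("columns"), entry.get("marker_col"))
```

Running it on the four probes reports a boolean-based probe, two UNION probes guessing 7 and 9 columns with the marker in column 1 and column 6, and one error-based probe; the same markers appear in every payload, which is what lets the scanner tell its own output apart from normal page content.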

0
Asked by Paul Konstanski
4 Solutions

Guy Lidbetter commented:
First off... almost all web hosting applications offer a means to block by IP; I would add that IP quick sharp. What application are you using to host the site?

Secondly, that looks to me like a SQL injection attack... They are trying to get access to a back end database.
0

Paul Konstanski (Project Specialist, Author) commented:
It is a Virtual Private Server running Linux (standard LAMP configuration).

I can block by IP address but the question I always wrestle with is can I potentially block a legitimate IP? Or are the odds of this IP being legit so low that I should just block anyway.

The fact that I'm catching all of these attempts indicates to me that my block is working, but I always wonder if I'm missing something. Is there any way to check if you've been hacked?
0

paarun commented:
The best thing to do is block the IP address, but it is still possible that you could get attacked from a different IP. If that is not an option, I would suggest you contact the admin of the IP range (from whois database) asking them to check the situation. It is quite possible that they have been attacked and their systems are used without their knowledge.
0

Guy Lidbetter commented:
It belongs to OVH ISP and Hosting, located in France.

I would contact them with this information at abuse-mailbox:  abuse@ovh.net
0

madunix commented:
Fixing SQL injection problems is a matter of going through EVERY SINGLE LINE in your code that talks to SQL and making sure that it's not passing in strings from the URL, so you should always filter any input from the web to accept only those characters and conditions which are reasonable for that list. Web Application Firewalls (WAFs) are a common type of defense against web application attacks.
http://www.experts-exchange.com/Security/Vulnerabilities/Q_26865992.html
http://www.experts-exchange.com/questions/25019749/SQL-Injection.html
0
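madunix's advice can be shown side by side. The following is an added example, not code from the thread; it uses Python with an in-memory SQLite database so it runs stand-alone, where the site itself would use PHP and MySQL. The schema, rows and payload are all constructed; the payload is one of the question's UNION probes rewritten in SQLite syntax. The lookup that splices the request value into the SQL text hands back a row from a table the page never queries on purpose, while the same lookup with a bound parameter treats the whole payload as an ordinary topic name and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed demo database: a public help table and a table the page must never expose.
    SQLite in memory stands in for the MySQL behind a LAMP site."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE help (topic TEXT, body TEXT);
        INSERT INTO help VALUES ('tour', 'How the site tour works');
        CREATE TABLE users (name TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'fakehash-for-demo');
    """)
    return db


def lookup_vulnerable(db, topic):
    """The pattern madunix warns about: the request value is spliced into the SQL text,
    so quotes, arithmetic, UNION and comment markers in it are executed as SQL."""
    sql = "SELECT body FROM help WHERE topic = '" + topic + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, topic):
    """Parameter binding: the value travels separately from the statement and is never
    parsed as SQL, so the same payload is just a topic that does not exist."""
    return [row[0] for row in db.execute("SELECT body FROM help WHERE topic = ?", (topic,))]


# Constructed payload in the shape of the question's probes, translated to SQLite
# syntax ('||' instead of CONCAT, '--' instead of MySQL's '#' comment). 'tour' -6863
# evaluates to -6863, so the legitimate half of the query matches nothing and only
# the UNION half produces a row.
PAYLOAD = "tour' -6863 UNION ALL SELECT ':oyu:' || password_hash || ':phz:' FROM users--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal :", lookup_vulnerable(db, "tour"))
    print("vulnerable, payload:", lookup_vulnerable(db, PAYLOAD))
    print("safe, normal       :", lookup_safe(db, "tour"))
    print("safe, payload      :", lookup_safe(db, PAYLOAD))
```

In PHP the bound-parameter form is mysqli's prepare()/bind_param() or PDO's prepare()/execute(); character filtering on top of that is fine as defence in depth, but binding is what actually stops the statement from changing shape. Dave Baldwin's point below also holds here: if help.php never reads $_GET['a'] into a query, neither version is reached.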

Dave Baldwin (Fixer of Problems) commented:
Does that page even accept query strings as data?  These would be found in the $_GET or $_REQUEST array if you did.  If you are not processing the $_GET or $_REQUEST variables then there isn't a problem because that info is not getting into your site.
0

NerdsOfTech (Technology Scientist) commented:
Maybe a catch and timeout solution would work.

Pseudo code:
Check IP flag.

If flagged, time-ban the IP and serve an access denied error.

If not flagged and invalid characters are used, or if the user presents an invalid query string x times, flag the IP and serve an error message.

If not flagged/invalid, then proceed as designed.

As long as the hacker doesn't burn through spoofed IPs, this solution would be automated and maintenance free.
0
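The pseudo code above as working logic, added here as an example rather than code from the thread: a per-IP strike counter with a timed ban, replayed over a constructed log in which the first address is the one from the question and 203.0.113.7 is a documentation address. The SUSPICIOUS pattern is an assumption tuned to the probes shown on this page, not a general SQL injection signature, and the threshold and ban length are illustrative defaults.

```python
import re
import time
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumption: a crude signature covering the probes quoted in the question.
# Tune it to your own traffic before relying on it.
SUSPICIOUS = re.compile(
    r"union\s+all\s+select|\band\s+\d+\s*=\s*\d+|0x[0-9a-f]{6,}|information_schema",
    re.IGNORECASE,
)


class ProbeBan:
    """Per-IP strike counter with a timed ban, following the pseudo code above."""

    def __init__(self, threshold=3, ban_seconds=3600, clock=time.time):
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.clock = clock                  # injectable so a replay can use log timestamps
        self.strikes = defaultdict(int)
        self.banned_until = {}

    def check(self, ip, query):
        """Decide one request: 'denied' (banned), 'flagged' (strike; serve an error) or 'ok'."""
        now = self.clock()
        if self.banned_until.get(ip, 0) > now:
            return "denied"                 # time ban still active
        self.banned_until.pop(ip, None)     # an expired ban is forgotten
        if SUSPICIOUS.search(unquote_plus(query)):
            self.strikes[ip] += 1
            if self.strikes[ip] >= self.threshold:
                self.banned_until[ip] = now + self.ban_seconds
                self.strikes[ip] = 0
                return "denied"
            return "flagged"
        return "ok"


# Constructed replay log: (seconds since start, client IP, raw query string).
LOG = [
    (0, "188.165.251.129", "a=noscr+and+1=1&i=newLog"),
    (1, "188.165.251.129", "a=tour+-6863+union+all+select+CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1%2523"),
    (2, "188.165.251.129", "a=demo+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a),1,1,1,1,1,1,1%2523"),
    (3, "188.165.251.129", "a=tour"),
    (5, "203.0.113.7", "a=tour"),
    (3700, "188.165.251.129", "a=tour"),
]


def replay(log, threshold=3, ban_seconds=3600):
    """Run a log through ProbeBan using the log's own clock; returns one decision per line."""
    now = [0.0]
    guard = ProbeBan(threshold, ban_seconds, clock=lambda: now[0])
    decisions = []
    for offset, ip, query in log:
        now[0] = float(offset)
        decisions.append(guard.check(ip, query))
    return decisions


if __name__ == "__main__":
    for line, decision in zip(LOG, replay(LOG)):
        print(f"{line[1]:16} {decision:8} {line[2][:40]}")
```

The replay shows the scanning address flagged twice, banned on the third probe, still denied for a harmless request a second later, and allowed again once the hour has passed, while the other address is never touched. Two caveats for a real deployment: the in-process dictionaries above must become shared state (a database or cache) because PHP requests run in separate worker processes, and the address you count strikes against must be the real client address, so behind a reverse proxy or CDN take it from the proxy's configured forwarding header and never from a header the client can set itself. The same strike-and-ban idea run against the Apache access log is what fail2ban provides off the shelf.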