I have asked what this meant before, but this is not what I made this thread for. I get the following about 20 times an hour now:

Type page not found
Date Friday, August 22, 2008 - 11:11
User Anonymous
Location http://www.phstudios.com/?q=node/43\';DECLARE%20@S%20CHAR(4000);6F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Referrer
Message node/43';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F.............
Severity warning
Hostname 218.103.138.125
Operations

How do I know it didn't work a few times? I sat on my site banning IPs for 6 hours and finally gave up.

Comments

xWhiplash’s picture

Is there a setting to disable this?

shiva7663’s picture

One of the code strings you note is mentioned on the Mass Attack FAQ discussion.

davidlark’s picture

Sounds like a botnet. When they catch you trying to fight them, they may just get mad & really go after you. I'm not suggesting any course of action; you may never know whether your efforts made things better or worse.

xWhiplash’s picture

So I should just sit back and let it do its thing? How can I make sure it won't get through?

davidlark’s picture

... I'm not suggesting a course of action. It sounds like you need assistance beyond my abilities. Of course you must do something. Find out the nature of the threat & make a plan. Are you on a hosting service? Make sure they know what's going on, maybe they can help you.

FYI, most botnet revenge comes in the form of DoS attacks. With all the crap floating around out there, it's just a matter of time for all of us. Good luck.

xWhiplash’s picture

What can my host do really? If banning IP addresses won't work, what will?

davidlark’s picture

but if you're getting hammered, so are they, so they need to be in the loop.

Ron Chandy’s picture

If you have access to the hosting service administrative panel (like cPanel), check the error logs; you could possibly find some lead to your problem.

Best of luck
Ron

eaton’s picture

> So I should just sit back and let it do its thing? How can I make sure it won't get through?

There's no way to be sure that a piece of software has no security holes. What we can be sure of, though, is that the attack the botnet is attempting in this case will never work against Drupal.

It's executing what's called a "SQL Injection attack" -- trying to trick Drupal into running a SQL query that's improperly formed, and sneaks bogus 'additional' database commands in under the guise of a legitimate query. Drupal uses security functions to cleanse and filter all of its SQL queries before they're executed, rendering this particular attack harmless.

It's possible that other third-party modules could perform queries in an insecure fashion, bypassing Drupal's security functions, but the attack you're describing is only hitting the built-in core "Node" module, which always uses the secure functions. Thus, the only danger is annoyance as bots hammer your server with 'broken' requests.

--
Lullabot! | Eaton's blog | VotingAPI discussion

--
Eaton — Partner at Autogram
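For triaging "page not found" entries like the one at the top of this thread, the sketch below decodes the hex literal in the logged Message field and flags requests carrying the DECLARE/CAST/EXEC wrapper. It is an added example, not code from the thread or from Drupal; the function names and the two-token threshold are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Message field as it appears in the log entry above. The log truncates it,
# so only the start of the hex-encoded batch can be decoded.
LOGGED_MESSAGE = (
    "node/43';DECLARE @S CHAR(4000);SET @S=CAST(0x"
    "4445434C415245204054207661726368617228323535292C"
    "40432076617263686172283430303029204445434C415245"
    "205461626C655F..."
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")
# Wrapper tokens visible in the logged request (Transact-SQL syntax).
WRAPPER_TOKENS = ("DECLARE @", "CAST(0X", "EXEC(")


def decode_hex_literals(request):
    """Return printable text for every 0x... literal in a logged request."""
    decoded = []
    for match in HEX_LITERAL.finditer(unquote(request)):
        digits = match.group(1)
        # A truncated log line can end mid-byte; drop the dangling nibble.
        digits = digits[: len(digits) - len(digits) % 2]
        raw = bytes.fromhex(digits)
        decoded.append("".join(chr(b) if 32 <= b < 127 else "." for b in raw))
    return decoded


def triage(request):
    """Summarise one logged path or query string for review."""
    text = unquote(request).upper()
    hits = [token for token in WRAPPER_TOKENS if token in text]
    return {
        "suspicious": len(hits) >= 2,  # assumed threshold: two wrapper tokens
        "tokens": hits,
        "decoded": decode_hex_literals(request),
    }


if __name__ == "__main__":
    for line in (LOGGED_MESSAGE, "node/43"):  # second line: constructed benign path
        print(triage(line))
```

Entries flagged this way that were logged as "page not found" are requests Drupal treated as a path that does not exist, consistent with eaton's explanation above.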