Discussion:
Hack attempts ...
Lester Caine lester@lsces.co.uk [firebird-support]
2014-09-20 08:22:45 UTC
One of my sites is being hit with an attempt to hack into it, or at least
that is what I assume. The following SQL is being added where they think
it will get processed:

+AND+(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+(7609%3D7609
---probably truncated?----

I can see traffic about INFORMATION_SCHEMA.CHARACTER_SETS being missing
and people needing to update to MySQL 5, but I am a little curious as to
what this is trying to achieve?

Needless to say my framework does not allow any injections like this to
be processed anyway. It's just creating a lot of traffic on the error
log and if it persists I'll add some handling and create a page saying
why Firebird does not suffer from that vulnerability ;)
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk


------------------------------------
Posted by: Lester Caine <***@lsces.co.uk>
------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Visit http://www.firebirdsql.org and click the Documentation item
on the main (top) menu. Try FAQ and other links from the left-side menu there.

Also search the knowledgebases at http://www.ibphoenix.com/resources/documents/

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
------------------------------------

Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/firebird-support/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/firebird-support/join
(Yahoo! ID required)

<*> To change settings via email:
firebird-support-***@yahoogroups.com
firebird-support-***@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
firebird-support-***@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
https://info.yahoo.com/legal/us/yahoo/utos/terms/
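For triaging error-log entries like the one quoted in the first post, an added example (not from the thread or from any poster's framework): it URL-decodes the logged string, decodes its hex literals, and flags injection markers. The marker list, the `triage` helper and the benign sample are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Payload exactly as quoted in the post above (the poster notes it may be truncated).
LOGGED = ("+AND+(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,"
          "(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,"
          "floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)"
          "+AND+(7609%3D7609")

# Constructed benign query-string value, for comparison.
BENIGN = "page=contact"

# Marker patterns chosen for this example (an assumption, not an exhaustive rule set).
MARKERS = {
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "concat_call": re.compile(r"\bconcat\s*\(", re.I),
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "tautology": re.compile(r"(\d+)\s*=\s*\1\b"),      # e.g. 8041=8041
    "nested_select": re.compile(r"\(\s*select\b", re.I),
}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)


def decode(raw):
    """Undo URL encoding: '+' becomes a space, %2A becomes '*', %3D becomes '='."""
    return unquote_plus(raw)


def hex_strings(decoded):
    """Return the text hidden in 0x... literals (used here as output delimiters)."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(decoded)]


def triage(raw):
    """Decode one logged value and report which markers it contains."""
    decoded = decode(raw)
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(decoded))
    return {"decoded": decoded, "markers": hits,
            "hex_strings": hex_strings(decoded), "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    for sample in (LOGGED, BENIGN):
        result = triage(sample)
        print(result["suspicious"], result["markers"], result["hex_strings"])
        print("   ", result["decoded"])
```
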
mapopa@gmail.com [firebird-support]
2014-09-20 09:51:28 UTC
Seems to be an automated bot that tries to take over the server, something inspired by sqlmap

https://github.com/sqlmapproject/sqlmap

or phpmvs
http://sourceforge.net/projects/phpmvs/

some of the takeover attempts are useless on a firebird system

https://github.com/sqlmapproject/sqlmap/blob/master/plugins/dbms/firebird/takeover.py
Lester Caine lester@lsces.co.uk [firebird-support]
2014-09-20 10:16:13 UTC
Post by ***@gmail.com [firebird-support]
Seems to be an automated bot that tries to take over the server, something inspired by sqlmap
https://github.com/sqlmapproject/sqlmap
or phpmvs
http://sourceforge.net/projects/phpmvs/
some of the takeover attempts are useless on a firebird system
sqlmapproject/sqlmap
<https://github.com/sqlmapproject/sqlmap/blob/master/plugins/dbms/firebird/takeover.py>
Interesting ...
Of course it fails miserably when it's injecting into parameters anyway :)

Since it claims to be able to identify Firebird, has anybody actually
seen it do anything but cause error messages? It obviously has no idea
what underlies the sites it's trying to hack?
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

