
New Wave of SQL Injection Vulnerability Probes

List of sites being compiled for future attacks


smokeybarnable

6:40 pm on Aug 17, 2008 (gmt 0)

10+ Year Member



What is this and what are they doing? I don't like it when they add stuff to my urls.

/links.php?\';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C

IP Address: 69.73.82.nn
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322)

[edited by: incrediBILL at 9:09 pm (utc) on Aug. 17, 2008]
[edit reason] Obscured IPs [/edit]
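Added example, not part of the original post: a small Python helper that pulls the hex literal out of a logged probe like the one above and decodes it, so you can see what the CAST would have handed to EXEC. The hex in the post is truncated, so the sample request line below is constructed and decodes to a harmless placeholder statement; the regex names and the sample are mine, not from the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample request line (not the truncated one from the post): the hex
# literal decodes to a harmless placeholder statement so this runs offline.
SAMPLE_PAYLOAD = "SELECT 'constructed placeholder';"
SAMPLE_HEX = SAMPLE_PAYLOAD.encode("ascii").hex().upper()
SAMPLE_LINE = ("GET /links.php?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
               + SAMPLE_HEX + "%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1")

# A hex literal of at least 8 digits (0x4445434C in the post is the shortest seen there)
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")

# The "DECLARE @var CHAR(n);SET @var=CAST(" prefix the probe uses, case-insensitive
CAST_PROBE = re.compile(
    r"declare\s+@\w+\s+(?:n?var)?char\(\d+\)\s*;\s*set\s+@\w+\s*=\s*cast\(", re.I)


def is_cast_probe(line):
    """True if the (URL-decoded) request line carries the DECLARE/SET/CAST prefix."""
    return CAST_PROBE.search(unquote(line)) is not None


def decode_hex_literals(line):
    """Return the decoded text of every hex literal in a request line.

    Payloads cast to CHAR are plain 8-bit text; those cast to NCHAR/NVARCHAR are
    UTF-16LE, which shows up as a NUL in every second byte. Both are handled.
    """
    decoded = []
    for match in HEX_LITERAL.finditer(unquote(line)):
        hexdigits = match.group(1)
        if len(hexdigits) % 2:          # a log line cut mid-byte: drop the odd nibble
            hexdigits = hexdigits[:-1]
        raw = bytes.fromhex(hexdigits)
        if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
            decoded.append(raw.decode("utf-16-le"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


if __name__ == "__main__":
    if is_cast_probe(SAMPLE_LINE):
        for text in decode_hex_literals(SAMPLE_LINE):
            print("decoded payload:", text)
```

Run it over the matching lines of an access log and you get the statement the probe would have executed, which is what tells you whether the request was a blind scan or something aimed at your schema.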

aspdaddy

5:24 pm on Aug 30, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



These are getting more and more common. These probes do 2 things: they identify servers that allow raw SQL to run via GET or POST, and they distract you with the DoS-style attack while they download the users table or inject using inserts/updates.

You gotta stop raw SQL from being executed over HTTP or you're fair game for a whole wave of attacks. You also gotta cleanse all CMS content before displaying, just in case, as x-site scripts being injected into text fields is becoming very common now.

maximillianos

4:03 pm on Aug 31, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This code was offered up by jdMorgan in another thread... I added it to my httpd.conf and have basically put a halt to their probing of my site:


RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F,L]

Worked like a charm for me. Thanks Morgan!

Small Website Guy

1:39 am on Sep 1, 2008 (gmt 0)

10+ Year Member



I am ashamed to say that I got hit by this.

Don't make my mistake. I was lazy. When I first programmed my site, I never heard of SQL injection, but after I knew about it I didn't take any steps to make it SQL-injection proof.

(1) Make sure that the account your application uses to log into the database does not have any permissions besides read write only on the tables it needs, and execute only on the stored procedures it needs.

(2) Go through all of your code's SQL statements, and make sure that (a) you are not passing in any strings without doubling up the single quotes; and (b) that all input that comes in over the web that you think is an integer or a date is REALLY that datatype. Don't get into the bad habit of storing number data as strings. If you have a page url that's MyPage.aspx?id=3, you better make sure that the id is really a number, otherwise someone can change the url to MyPage.aspx?id=;DROP TABLE

[edited by: Small_Website_Guy at 1:40 am (utc) on Sep. 1, 2008]
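Added example (mine, not Small Website Guy's code) illustrating points (2a) and (2b) with Python's sqlite3 module: the "before" function glues the query-string value into the SQL text, the "after" function checks that id really is a number and binds values as parameters, which also takes care of the quote handling for string input. The table and rows are constructed sample data.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the post): a small table behind MyPage?id=N."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "Home"), (2, "About"), (3, "What's new")])
    return conn


def lookup_unsafe(conn, page_id):
    """The mistake the post describes: the query-string value is spliced into the SQL."""
    sql = "SELECT title FROM pages WHERE id = " + page_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def is_valid_id(page_id):
    """Point (2b): an id must REALLY be an integer, not just something that starts with one."""
    return re.fullmatch(r"[0-9]{1,9}", page_id) is not None


def lookup_safe(conn, page_id):
    """Reject anything that is not an integer, then bind it as a parameter."""
    if not is_valid_id(page_id):
        raise ValueError("id must be an integer")
    rows = conn.execute("SELECT title FROM pages WHERE id = ? ORDER BY id",
                        (int(page_id),))
    return [row[0] for row in rows]


def search_titles(conn, fragment):
    """Point (2a) for string input: a bound parameter needs no manual quote doubling."""
    rows = conn.execute("SELECT title FROM pages WHERE title LIKE ? ORDER BY id",
                        ("%" + fragment + "%",))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "3"))          # one row, as intended
    print(lookup_unsafe(db, "0 OR 1=1"))   # every row: the WHERE clause was rewritten
    print(lookup_safe(db, "3"))
    print(search_titles(db, "What's"))     # the quote is data, not SQL
    try:
        lookup_safe(db, "0 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The validation step is what makes point (1) meaningful as well: a database account limited to read/write on its own tables only helps if the statements it runs are the ones you wrote, and parameter binding is the simplest way to guarantee that.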

Pfui

6:38 pm on Sep 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For more details about Jim Morgan's Mod_Rewrite-based solution, see the following thread in his "Apache Web Server" forum:

How can I block blind SQL injection attack?
[webmasterworld.com...]

Jim's code really does work like a charm! But be sure to read all of his posts in that thread because snippet placement early in .htaccess is a must.

amznVibe

5:15 am on Sep 2, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Can someone also post a mod_security rule for this to block systemwide?

stevelibby

9:07 pm on Sep 3, 2008 (gmt 0)

10+ Year Member



I'm getting tons of these queries. I just wrote a quick script that collects the query string and if there are invalid characters then I throw a 404 error.

dstiles

9:42 pm on Sep 3, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There are two types of common access attempts as far as I can tell.

1. SQL injection - it's easy to reject any querystring longer than about 800 characters (I haven't seen one less than approx 1100). Obviously make sure your own querystrings are shorter than the tested limit.

2. User - an addition to the querystring along the lines of...

'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''='

...which has to be trapped on substrings. I'm not sure what this is supposed to do - it looked bad so I trapped it without delving deeper.

incrediBILL

5:53 am on Sep 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Apparently this latest round of SQL injection was courtesy of a huge online criminal gang.

[theregister.co.uk...]

Asprox is also legendary for the recent spate of SQL injection attacks on high-profile websites, including those carrying news of the 2008 Olympic games and the British government.

pontifex

9:16 am on Sep 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



These requests were getting on my nerves as well the last few days. Because we have a lot of URLs with keywords in them, I cannot be sure whether DECLARE or SELECT is in the URI.

Here is a snippet you may want to put in your PHP file(s):


/**
 * First block stupid request uris before you do anything else
 */
// The post does not define $thisrequesturi; the raw request URI is assumed here.
if (!isset($thisrequesturi)) {
    $thisrequesturi = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
}
// Lower-case once, then look for the encoded forms the probes actually send
$lcuri = strtolower($thisrequesturi);
if (substr_count($lcuri, "union+select") > 0
    OR substr_count($lcuri, "union%20select") > 0
    OR substr_count($lcuri, "declare%20@") > 0)
{
    print "<html><body>\n";
    print "We appreciate your interest in trying out SQL injections, but could you just do that somewhere else, please?<BR>\n";
    print "If you see this page on error, please let us know: *adminemail*<BR><BR>\n";
    print "To learn more about intrusion detection, please go to <a href='http://www.snort.org/'>SNORT.org</a><BR><BR>\n";
    print "<a href='/'>Back to the homepage</a><BR><BR>\n";
    print "</body></html>\n";
    exit;
}
// Same idea for directory traversal, in plain and URL-encoded form
if (substr_count($lcuri, "../..") > 0 OR substr_count($lcuri, "..%2f..") > 0)
{
    print "<html><body>\n";
    print "We appreciate your interest in trying out file system hacks, but could you just do that somewhere else, please?<BR>\n";
    print "If you see this page on error, please let us know: *adminemail*<BR><BR>\n";
    print "To learn more about intrusion detection, please go to <a href='http://www.snort.org/'>SNORT.org</a><BR><BR>\n";
    print "<a href='/'>Back to the homepage</a><BR><BR>\n";
    print "</body></html>\n";
    exit;
}
// ******************************************************************

which also blocks "../.." in the uri to avoid file access on insecure systems.

For us this is just to block these requests on expensive PHP pages which drive up server load.

cheers,
P!

dstiles

1:29 pm on Sep 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You're giving them far too much information, plus an email address to spam! :)

I doubt anyone who sent SELECT etc. strings would ever read the message, but my approach is to not tell them anything if they send a hack string.

Those words seem to cover most SQL Injection attacks but a full set of querystring hack keywords is far more extensive.
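Added example, not from any post in the thread: the three filtering approaches discussed above (jdMorgan's keyword rule, dstiles's length cutoff, pontifex's substring list) expressed as one Python function and run over constructed sample query strings, so you can see which rule fires on which request and where the keyword rule trips over a legitimate parameter name. The 800-character cutoff is taken as the figure dstiles gives as "about 800"; the sample names are mine.

```python
import re
from urllib.parse import unquote

# jdMorgan's keyword list, with the same "non-letter on both sides" boundary his
# RewriteCond uses ([^a-z]...[^a-z] under [NC], i.e. case-insensitive).
KEYWORDS = ("declare", "char", "set", "cast", "convert", "delete", "drop", "exec",
            "insert", "meta", "script", "select", "truncate", "update")
KEYWORD_RE = re.compile(r"[^A-Za-z](?:" + "|".join(KEYWORDS) + r")[^A-Za-z]", re.I)

# pontifex's substring checks, applied to the lower-cased raw string as in his PHP
SUBSTRINGS = ("union+select", "union%20select", "declare%20@", "../..", "..%2f..")

# dstiles's length cutoff (assumed 800, the figure he gives as "about 800")
MAX_QUERY_LEN = 800


def fired_rules(query_string):
    """Return the names of every rule that fires on a raw query string ([] if clean).

    The keyword rule is tried on both the raw string (what Apache's %{QUERY_STRING}
    sees) and the URL-decoded form, so percent-encoded spacing cannot hide a hit.
    """
    fired = []
    if len(query_string) > MAX_QUERY_LEN:
        fired.append("length")
    lowered = query_string.lower()
    if any(s in lowered for s in SUBSTRINGS):
        fired.append("substring")
    if KEYWORD_RE.search(query_string) or KEYWORD_RE.search(unquote(query_string)):
        fired.append("keyword")
    return fired


# Constructed sample query strings; the first two are the shapes quoted in the thread
SAMPLES = {
    "cast_probe": "';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C",
    "user_probe": "'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''='",
    "traversal":  "file=..%2F..%2Fnotes.txt",
    "oversized":  "q=" + "A" * 900,
    "clean":      "page=2&sort=name",
    "sunset":     "sunset=1",       # 'set' inside a word: the boundary check holds
    "set_param":  "id=7&set=1",     # legitimate parameter named set: false positive
}


def classify_all(samples=SAMPLES):
    """Map each sample name to the list of rules it trips."""
    return {name: fired_rules(qs) for name, qs in samples.items()}


if __name__ == "__main__":
    for name, rules in classify_all().items():
        print(f"{name:10s} -> {rules or 'clean'}")
```

Two things worth checking before you deploy a rule like this on your own site: run it over a day of your normal access log first (the "set_param" case is exactly the collision pontifex describes), and keep the response as bare as the [F] flag's 403, since, as dstiles says, a chatty page only tells the sender which filter they hit.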

raydance

9:24 pm on Sep 28, 2008 (gmt 0)

10+ Year Member



I am getting the MySQL injection attempts on one of our servers and have tried the code listed here for Apache mod_rewrite. The rewrite does not seem to work on the server (Linux): no errors, it just does not work. Here is what I have:

<VirtualHost *:80>
DocumentRoot /var/www/vhosts/aaaa/
ServerName aaaa.com
ServerAlias *.aaaa.com

RewriteEngine on
RewriteCond %{QUERY_STRING} [^a-z]declare¦char¦set¦cast¦convert¦delete¦drop¦exec¦insert¦meta¦script¦select¦truncate¦update[^a-z][NC]
RewriteRule (.*) - [F,L]

<Directory "/var/www/vhosts/aaaa/">
AllowOverride AuthConfig
#allow from all
Options +Indexes
AcceptPathInfo On
</Directory>
</VirtualHost>

Any help is appreciated. the RewriteCond is all on one line.

wilderness

3:40 am on Sep 29, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You've omitted the parentheses:

see this example [webmasterworld.com]

raydance

2:50 pm on Sep 29, 2008 (gmt 0)

10+ Year Member



On my server I did use parentheses; I had omitted them for some reason in the example. I will paste the code again.

RewriteEngine on
RewriteCond %{QUERY_STRING} [^a-z](declare¦char¦set¦cast¦convert¦delete¦drop¦exec¦insert¦meta¦script¦select¦truncate¦update)[^a-z] [NC]
RewriteRule (.*) - [F,L]

There are no errors, it just does not work. Red Hat Linux, Apache.

icedowl

7:53 pm on Sep 29, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



raydance, did you edit those '¦' symbols to be solid or are they dashed in the code on your server. That could be the problem. They won't show up as solid here.

raydance

9:36 pm on Sep 29, 2008 (gmt 0)

10+ Year Member



I did edit (replace) with pipes, I am a perl programmer and am knowledgeable in linux, and apache somewhat. I use rewrite on several sites, can't understand why this will not work. It just does not do anything, no errors.

Is there a <Directory directive I am missing?
