cz32ts

SQL Injection


GaryK

3:09 pm on Nov 16, 2009 (gmt 0)

cz32ts
75.70.89.nn
c-75-70-89-nn.hsd1.co.comcast.net
-----
My friend Jonathan, who maintains the phpbrowscap project, let me know about this SQL injector this morning.
He said his records indicate it's related to the NV32ts UA from a few months ago, which makes sense considering the patterns for both look the same.

dstiles

9:36 pm on Nov 17, 2009 (gmt 0)

This is another following from the original NV32ts. I also have quite a few ati2qs.

Been seeing the newer pair for several weeks. All are SQL injections.

Pfui

4:42 pm on Nov 19, 2009 (gmt 0)

The timing of and slight variations between cz32ts attacks from two very disparate machines indicate a botnet, not just localized zombies:

cpe-75-185-223-nnn.woh.res.rr.com
cz32ts
14:57:26 /?id=1011&display=photo[yada-yada]
14:57:26 /?id=1011&display=photo[yada-yada]

static-69-201-230-nn.ipcom.comunitel.net
cz32ts
14:57:27 /?display=photo&id=1011[yada-yada]
14:57:27 /?display=photo&id=1011[yada-yada]

(Curiously, the site hit had a PHP photo display script, but when the site transferred to me/my server, I removed all traces. The only place you can still find URLs with display=photo (different id) is in Bing's SERPs... even after 404'ing the pages for six months.)

If you don't already rewrite SQL injection scripts, check out Jim Morgan's posts in: How can I block blind SQL injection attack? [webmasterworld.com]

FWIW: If you Google the following pair, you'll find more info about cz32ts, etc., in Wirewatcher, a Wordpress blog (which I can't link to because it's non-authoritative):

cz32ts botnet
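The correlation Pfui describes above (the same target hit by two unrelated hosts within a second, with the query parameters reordered) can be checked mechanically. The following is an added example, not code from the thread: it parses a few constructed access-log lines in Apache combined format (the format is an assumption; the posts only show host, UA, time and path), canonicalises the query string so that `?id=1011&display=photo` and `?display=photo&id=1011` compare equal, and reports any target that at least two distinct hosts carrying the cz32ts UA requested inside a short window. The injection payload itself is elided in the thread, so the sample lines omit it.

```python
"""Added example (not from the thread): flag cz32ts hits that arrive from
several distinct hosts against the same canonical URL within a few seconds."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines modelled on the thread's excerpts (hostnames masked
# as in the posts); not real logs. Assumed Apache combined-log format.
SAMPLE_LOG = """\
cpe-75-185-223-nnn.woh.res.rr.com - - [19/Nov/2009:14:57:26 +0000] "GET /?id=1011&display=photo HTTP/1.1" 200 512 "-" "cz32ts"
cpe-75-185-223-nnn.woh.res.rr.com - - [19/Nov/2009:14:57:26 +0000] "GET /?id=1011&display=photo HTTP/1.1" 200 512 "-" "cz32ts"
static-69-201-230-nn.ipcom.comunitel.net - - [19/Nov/2009:14:57:27 +0000] "GET /?display=photo&id=1011 HTTP/1.1" 200 512 "-" "cz32ts"
static-69-201-230-nn.ipcom.comunitel.net - - [19/Nov/2009:14:57:27 +0000] "GET /?display=photo&id=1011 HTTP/1.1" 200 512 "-" "cz32ts"
203.0.113.7 - - [19/Nov/2009:15:10:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Nov/2009:16:00:00 +0000] "GET /?id=7&display=photo HTTP/1.1" 200 512 "-" "cz32ts"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["url"])
    # Sort the query parameters so the two bots' reordered requests in the
    # thread map to one canonical target.
    query = "&".join(
        f"{k}={v}" for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True))
    )
    canon = parts.path + ("?" + query if query else "")
    return {"host": m["host"], "ts": ts, "ua": m["ua"], "canon": canon}


def find_coordinated(lines, user_agent="cz32ts", window_seconds=5):
    """Return [(canonical_url, sorted_hosts, span_seconds)] for each target that
    two or more distinct hosts using `user_agent` hit within `window_seconds`."""
    by_target = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"] == user_agent:
            by_target[rec["canon"]].append(rec)

    findings = []
    for canon, recs in by_target.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so it never spans more than window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            hosts = {r["host"] for r in recs[start:end + 1]}
            if len(hosts) >= 2:
                span = (recs[end]["ts"] - recs[start]["ts"]).total_seconds()
                findings.append((canon, sorted(hosts), span))
                break  # one finding per target is enough for a report
    return findings


if __name__ == "__main__":
    for canon, hosts, span in find_coordinated(SAMPLE_LOG.splitlines()):
        print(f"{canon}: {len(hosts)} hosts within {span:.0f}s -> {', '.join(hosts)}")
```

On the sample above this reports the single `/?display=photo&id=1011` target hit by both hosts one second apart, and ignores the lone `id=7` probe; against a real log you would also want to key on the UA family (NV32ts, ati2qs and cz32ts are all mentioned in the thread) rather than one exact string.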

GaryK

11:19 pm on Nov 19, 2009 (gmt 0)

To be honest, the best way to block SQL injection attacks is to always use stored procedures with typed parameters. Never use inline queries!
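The contrast GaryK draws, inline query text versus a typed parameter, as an added example that is not from the thread. SQLite is used so it runs anywhere; it has no stored procedures, so this shows the portable core of the advice: coerce the request value to its declared type before any SQL runs and hand it to the driver as a bound parameter, never as part of the statement text. The table, rows and the tautology payload are constructed for the demonstration and are not the (elided) cz32ts payload.

```python
"""Added example (not from the thread): inline SQL vs a typed, bound parameter."""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a photo-display script's data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
        INSERT INTO photos VALUES (1011, 'Holiday', 1);
        INSERT INTO photos VALUES (1012, 'Private scan', 0);
        """
    )
    return conn


def fetch_inline(conn, raw_id):
    """Vulnerable: the request parameter is pasted into the SQL text, so
    anything the caller appends to `id=` becomes part of the statement."""
    sql = (
        "SELECT id, title FROM photos "
        f"WHERE public = 1 AND id = {raw_id} ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def fetch_typed(conn, raw_id):
    """Hardened: the value is converted to the column's type first (rejecting
    anything that is not an integer) and then bound with a placeholder, so the
    statement text is fixed regardless of input."""
    try:
        photo_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, title FROM photos WHERE public = 1 AND id = ? ORDER BY id"
    return conn.execute(sql, (photo_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology payload; AND binds tighter than OR, so the
    # public = 1 filter is bypassed and the private row leaks.
    payload = "1011 OR 1=1"
    print("inline, normal :", fetch_inline(db, "1011"))
    print("inline, payload:", fetch_inline(db, payload))
    print("typed,  normal :", fetch_typed(db, "1011"))
    try:
        fetch_typed(db, payload)
    except ValueError as exc:
        print("typed,  payload:", exc)
```

The same split applies to a stored procedure with an `INT` parameter on SQL Server or MySQL: the type check happens at the call boundary and the procedure body is static SQL, which is why the advice in the post works. Note that a stored procedure that builds a string and `EXEC`s it reintroduces the inline problem, so the "typed parameters" half of the advice is the part that matters.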