Getting really strange 'hits' to our site

Looks dodgy - don't know what it is

giggle

3:27 am on Aug 6, 2008 (gmt 0)

10+ Year Member



Hi

We've been getting a lot of hits that have the following referral string:

http://www.example.com/%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054...(trimmed by me)

The destination pages all seem to be of the same type within our site structure.

Today they all seem to originate from China/Hong Kong/Taiwan/Japan. They all have different IP addresses.

Does this seem like a hack attempt? What can I do?

I have a piece of tracking code in all pages to keep a note of where business is coming from - should I test for this type of string and redirect them to a blank page?

Thanks

Mick

[edited by: engine at 8:39 am (utc) on Aug. 6, 2008]
[edit reason] use example.com, thanks [/edit]

jake66

8:35 am on Aug 6, 2008 (gmt 0)

10+ Year Member



Ban them.
Ban the entire IP range if you don't get any use from that part of the world.
They can always use a proxy to come back, but if they sense somebody is keeping an eye on them, they are less likely to.

They're looking for vulnerabilities in your script/database. Absolute waste of bandwidth and server resources to allow them to continue, regardless of how tough your scripts or server's security policy is.

rocknbil

6:55 pm on Aug 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is a pretty common attack, recent in-depth discussion [webmasterworld.com]. Starting you off on page two which discusses this exact code.

Banning IPs will work in the short term (and slow down a lot of other attacks) but there is always the possibility they'll use compromised servers/machines in your part of the world. Best is to lock down any scripts that might receive this sort of attack.
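
An added example, not part of the thread or written by any poster: a log check for the `DECLARE @S ... CAST(0x...` request shape quoted in the first post. It URL-decodes each line and decodes whatever hex bytes were logged, so the start of the injected statement can be read. The log lines, IP addresses and paths are constructed; only the trimmed string from the first post is reused.

```python
import re
from urllib.parse import unquote

# Shape of the probe once URL-decoded: DECLARE @x TYPE(n);SET @x=CAST(0x<hex>...
PROBE = re.compile(
    r"DECLARE\s+@\w+\s+\w+\s*\(\s*\d+\s*\)\s*;\s*SET\s+@\w+\s*=\s*CAST\s*\(\s*0x([0-9a-f]*)",
    re.IGNORECASE,
)

def url_decode(text, rounds=2):
    """Undo percent-encoding, including one extra layer (%2527 -> %27 -> ')."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def decode_hex_prefix(hex_digits):
    """Decode the whole bytes present; logged payloads are often truncated."""
    whole = hex_digits[: len(hex_digits) - len(hex_digits) % 2]
    return bytes.fromhex(whole).decode("latin-1")

def inspect(line):
    """Return the decoded start of the hex payload, or None if no probe is present."""
    match = PROBE.search(url_decode(line))
    return decode_hex_prefix(match.group(1)) if match else None

def scan_log(lines):
    """Map each client address (first field) to the payload prefixes it sent."""
    hits = {}
    for line in lines:
        prefix = inspect(line)
        if prefix is not None:
            hits.setdefault(line.split(" ", 1)[0], []).append(prefix)
    return hits

# The trimmed string from the first post, then constructed sample log lines
# (documentation IP ranges, made-up paths).
PAGE_STRING = "%27;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054"
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Aug/2008:03:27:00 +0000] "GET /item?id=5' + PAGE_STRING + ' HTTP/1.1" 200 512',
    '198.51.100.23 - - [06/Aug/2008:03:28:10 +0000] "GET /item?id=5%2527;DECLARE%2520@S%2520CHAR(4000);SET%2520@S=CAST(0x444 HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/Aug/2008:03:29:41 +0000] "GET /search?q=declare%20a%20variable HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, prefixes in scan_log(SAMPLE_LOG).items():
        print(ip, prefixes)
```

A match here is a signal for logging and alerting; it does not replace fixing the scripts that build SQL from request input.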