Lately my blog has been clogged with thousands of SQL injection attempts. On one day in particular, I got more than 2000 SQL injection attempts. Luckily for me, even though I was on vacation, I had the good idea to look at the web traffic in my server control panel, and I saw that something was wrong, terribly wrong. As a matter of fact, most of these attempts had to do with this kind of string:
DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C—-removed—-%20AS%20CHAR(4000));EXEC(@S);
Of course I didn't know what it was about, but it looked suspicious to me. Anyway, I decided to Google a little bit and, to my dismay, I found out what it was about. This kind of attack is quite common, and even though there is little to be done about the sources, because the requests come from many different IP addresses, it has to be said that there are a lot of countermeasures you can apply to avoid this pest. But before speaking about those, I want to talk about this SQL attack. What was it trying to do on my blog? Reading from WebMasterWorld: "It's actually a very common way that is used by hackers when they are exploiting blind SQL injection attacks. The idea is to create a condition that, if satisfied, will delay the execution of the script for a certain time period. So, the attacker watches the response time and if it was delayed, he knows that the SQL command was executed successfully." This text doesn't mean a lot, above all to people who are not into this kind of thing. Let's just say that someone was trying to replace page code with JavaScript code in any vulnerable SQL database he could get into. Usually these kinds of actions are related to spammers who try to show their personal junk on your website. Here instead are the lines you will have to add to your .htaccess, if you get bombed by this kind of pest:
Code 1
RewriteEngine On
# %{REQUEST_URI} is only the path in mod_rewrite, so the query string is tested on its own line;
# the original ended after the conditions without the RewriteRule that actually blocks the request.
RewriteCond %{REQUEST_URI} (CAST|DECLARE) [NC,OR]
RewriteCond %{QUERY_STRING} (CAST|DECLARE) [NC]
RewriteRule .* - [F,L]
Alternatively, you can use this other code:
Code 2
RewriteEngine On
# Parentheses are regex metacharacters: the original "char(400)" would only have matched "char400".
RewriteCond %{QUERY_STRING} char\(400 [NC]
RewriteRule .* - [F,L]
Needless to say, after I added one of the two rule sets (I used the first one), the attacks disappeared all of a sudden.
Edit: here is a better solution. In the end I used this one because it provides better protection.
### Injection Attack: DECLARE, SET and CAST. More: http://www.informationtechnologymanager.net/?p=25 ###
RewriteEngine On
Options +FollowSymLinks
ServerSignature Off
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
# Note: the condition below also rejects any query string containing a quote or angle bracket (e.g. a search for don't).
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
# Redirecting is the author's choice; "RewriteRule .* - [F,L]" would answer with a plain 403 instead.
RewriteRule ^(.*)$ http://www.nosqlinjectionsanymoreplease.com [R,L]
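The three rule sets above are just regular expressions, so the easiest way to see how far each one reaches is to replay them over an access log before enabling them. The script below is an added example and is not part of the original post or of any project: it re-expresses Code 1 (with a blocking RewriteRule), Code 2 (with the parentheses escaped) and the third rule set as Python regexes, splits each request target into the path and the raw, still percent-encoded query string the way mod_rewrite's %{REQUEST_URI} and %{QUERY_STRING} do, and reports which requests each set would have blocked. The log lines, IP addresses and the 0x41 placeholder standing in for the hex payload are all constructed; two of the lines are legitimate requests (a /podcast/ URL and a search for don't) that the cruder rules catch as well.

```python
import re

# Constructed Apache combined-format log lines (not real traffic). The first
# two mimic the probe from the post with the hex payload replaced by 0x41.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2008:10:01:12 +0000] "GET /?p=25;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x41%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2008:10:01:13 +0000] "GET /index.php?id=3%27;declare+@s+char(4000)-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Jul/2008:10:02:40 +0000] "GET /podcast/episode-12/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2008:10:02:41 +0000] "GET /?s=how+to+set+the+character+set HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2008:10:03:05 +0000] "GET /?s=don%27t+panic HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def split_target(target):
    """Split a request target into the path (%{REQUEST_URI}) and the raw,
    still percent-encoded query string (%{QUERY_STRING}), as mod_rewrite sees them."""
    path, _, query = target.partition("?")
    return path, query


# Code 1, with the blocking RewriteRule it was missing: CAST or DECLARE
# anywhere in the path or the query, case-insensitive ([NC]).
CODE1 = re.compile(r"CAST|DECLARE", re.I)


def rule_code1(path, query):
    return bool(CODE1.search(path) or CODE1.search(query))


# Code 2: the literal text char(400 in the query string. The parentheses
# must be escaped; as written in the post, char(400) only matches "char400".
CODE2 = re.compile(r"char\(400", re.I)


def rule_code2(path, query):
    return CODE2.search(query) is not None


# The third rule set: separator/traversal characters at the start of the path,
# a quote or terminator (raw or percent-encoded) followed by a SQL keyword in
# the query, or any quote/angle bracket in the query at all.
CODE3_PATH = re.compile(r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.*', re.I)
CODE3_QUERY_KEYWORD = re.compile(
    r"""^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
    r"""(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*""",
    re.I,
)
CODE3_QUERY_ANY_QUOTE = re.compile(r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", re.I)


def rule_code3(path, query):
    return bool(
        CODE3_PATH.search(path)
        or CODE3_QUERY_KEYWORD.search(query)
        or CODE3_QUERY_ANY_QUOTE.search(query)
    )


RULES = {"code1": rule_code1, "code2": rule_code2, "code3": rule_code3}


def scan(log_text):
    """Return {rule name: [request targets that rule would have blocked]}."""
    hits = {name: [] for name in RULES}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        path, query = split_target(m.group("target"))
        for name, rule in RULES.items():
            if rule(path, query):
                hits[name].append(m.group("target"))
    return hits


if __name__ == "__main__":
    for name, targets in scan(SAMPLE_LOG).items():
        print(f"{name}: {len(targets)} blocked")
        for t in targets:
            print("   ", t)
```

Running the script shows the trade-off directly: Code 1 catches both probes but also /podcast/, because "cast" is a substring of it; Code 2 catches only the two probes; the third set catches both probes and also the harmless search for don't, since its last condition rejects any encoded apostrophe. Pointing `scan` at a real access log (one line per request, same format) tells you what each rule set would have cost your visitors before you enable it.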
Tags: security, trick, WebTalk