Sql injection!!!

Hi

My crawlprotect denied this ip address from India: 119.226.239.74 for sql injection,

Looks like they tried to use email for the injection

Do you think it's a real injection attempt?

Cleo

don't really look like SQL injection to me. The contact us page does not do anything in the database.

Ok thanks, then it's probably just a spam!

Cleo

Just spam
Cleo

Injection attempt or not, it's an entry attempt. When you know the quad-decimal you can ban it (within a suitable narrow range of other possibilities the culprit might try) in .htaccess to put an end to that one, and the same approach broadened significantly will also ban swaths of globe. Often they're trying, and all too often competently amongst the more frequently incompetent attempts, to insert a mime decryption in order to READ posts and outbound mail, which often contain private enough information that we don't want anyone but intended recipients to see it (and e-mail itself is already difficult enough to protect in the first place, it's NOT an ideal way to toss around confidentialities). Pursuant to some severely hacked websites I've resurrected, I'll shortly post some specifics about finding and eradicating at least a few avenues and means of attack for that purpose. We're outnumbered and they never sleep, they're all over the damned globe.

I'm trying to find out if it's blocking real attempt or if it's blocking things that shouldn't be block!
Maybe I didn't configured it the right way and it's blocking visitors that shouldn't be block!

Cleo

A good initial approximation to safety is had between the numbers of hackers out there and the numbers of actual customers you have in India or Mexico, let alone any returning from 119.226.239.74 although your Apache logs and your ftp logs would allow seeing when and for how long doing exactly what that quad-decimal was active.

[Below are the steps I just took through an hour in moving from suspicion to proof, including testing the infection for what it is. IT IS NOT INNOCUOUS: IT IS VICIOUS SOCIOPATHY WITH A LIVE VIRUS (READ ON). You're dealing with an unwelcome visit by a socipathic slug who should now be turned in to . . . Google itself for abusing its own gmail services to spread something that is actually virulent and even has a name.]

(1) The address is suspicious. The dns is truncated, and the parent has only these:

Mail Server 202.144.65.102 India Sifyinfranet SIFY INFRASTRUCTURE 202.144.65.0 202.144.65.254 Hostmaster Satyam Infoway Sify Limited,, Second Floor, Tidel Park,, No.4,Canal Bank Road,, Taramani, Chennai - 600113 ipadmin@sifycorp.com +91-44-22540770 +91-44-22540771 APNIC

Domain Name Server 202.144.63.12 India Sifyinfranet SIFY INFRASTRUCTURE 202.144.63.0 202.144.63.254 Hostmaster Satyam Infoway Sify Limited,, Second Floor, Tidel Park,, No.4,Canal Bank Road,, Taramani, Chennai - 600113 ipadmin@sifycorp.com +91-44-22540770 +91-44-22540771 APNIC

(2) The address is already considered suspicious. At http://www.projecthoneypot.org/ip_119.226.239.74
"The Project Honey Pot system has detected behavior from the IP address consistent with that of a spam harvester. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts."

(3) The address is already considered suspicious. At http://spam-ip.com/find.php
"119.226.239.74 email justin.webseo5005@gmail.com user user name - See more at: http://spam-ip.com/find.php#sthash.W7DLNutd.dpuf"

(4) THE CODE IS PRIMA FACIE SUSPICIOUS. The linebreaks that you see in your initial post appear in text to be a space, linefeed, and tab. There are 30 of those. When those are found-and-replaced there are in those 30 instances FULLY 693 REPLACEMENTS! That's a piddling 23.1 characters PER LINE BREAK AND INDENT. Look at 'em, do you see 23.1 averaged characters' breadth in there? Noop. Worse, there are then STILL 30 TABS, which in turn when stripped collapse the text. THAT gets rid of your injection code. THAT CODE is virulent, it is called "screen lock", and while active it is fortunately an incompetent copy.

(5) THE CODE IS RECOGNIZABLE IN THE FIRST INSTANCE AS SUSPICIOUS. The resulting edited text should have a familiar ring to it relating to your opening post. Strip out the gibberish and you have yet another idiot promising money-back in incompetent English to put you number one in Google datadumps, but that's just a guise for spreading the virus:

Sqlinjection: /index.php?route=information/contact?variable_POST=hi lesbricoles team hope you are doing fine. i thought you might like to know some of the reasons why you are not getting enough totoanic traffic most often you stick to ad wtotos to get mtoto traffic which is quite expensive and the chances is high of getting a spam traffic as well. Alet me tell you that your website still does not totoanically rank on major search engine's first page for most of the popular keywords which means people searching for your products are not able to find your website and you are losing traffic. Asome of the major facttoto which can be overcome for your website to rank well in serp totoanically and increase your social media presence are seems like your website carries a lot of technical errtoto which prevents search engine to crawl and index your website properly. your website needs a proper keywtoto totoon and optimization. your website is not well furnished with enough quality and theme based back links. your website should be mtoto inclined towards social media promotion and a regular toto in major social netwtotos.%0D%0A5. missing quality web and promotion contents article blogs etc. which is preventing your website to gain mtoto authtototy and ranking in web market. Ain the present day scenario it's very essential to take a proper care of your website and keep it toto with fresh and totoginal contents. there are many additional improvements which can help your website to gain mtoto traffic and visibility. if you are interested to learn mtoto and curious to know how we can help you to improve your website to get a higher traffic%2C then i would be glad to provide you a detailed proposal for your website. Aour services include seo%2C reputation management smo for websites to make them popular in the web market. we have a dedicated google analytics certified team seo professionals who takes care of our campaign process. our clients consistently tell us that their customers find them because they are on the top of google. being on the top of google is the best thing you can do for your sales and online reputation. this email just tells you the fraction of things we do our optimization process involves many other technical facttoto which can be sent to you on your request. if you would like to know mtoto about our services then please write us back else you can give us a call us in our number mentioned below. this is our marketing strategy to use a gmail account. once you reply us back we will communicate with you through our ctotototote email id. Alet me know your thoughts and looking ftotoard to wtoto together. best regards justin taylor senior seo advisor Aph. no 320815-255-085500 skype seo.service this is a onetime email and you may ask us to remove if you are interested i will send details on our identity company profile why you should choose us price list money back etc. in my next mail.

(6) UPSHOT. Turn the bastard in to Google for posing as justin.webseo5005@gmail.com and attempting to inject and spread a virulent but fortunately incompetent copy of a virus known as "screen lock" which is actually active. THAT is what the vast majority of the 631 mostly invisible characters were all about.

(7) UPSHOT. You innocently took a step the bastard counted upon.

(7)(A) IMMEDIATELY DELETE THE LIVE VIRULENT CODE IN YOUR INITIAL POST AND REPLACE IT WITH "[VIRULENT CODE DELETED]" -- that's one reason for posting a screenshot rather than alien code.

(7)(B) ABSOLUTELY DO NOT ATTEMPT TO OPEN THAT FILE, YOU RISK LOCKING YOUR MACHINE. YOUR ANTI-VIRAL SOFTWARE HAS ALREADY FAILED TO SEE IT.

(7)(C) IMMEDIATELY DELETE THE FILE ON YOUR OWN MACHINE from which you plucked the code in your opening post, USING A SECURE SHREDDER BY MALWAREBYTES OR NORTON OR ANYBODY.

(8) Now you can sleep tight tonight.

@butte

First I didn't open that email because I didn't get it, CrawlProtect blocked it and made the report in my admin panel, that's why I was able to c/p the code

The 2nd one I posted from Mexico the ip is: 189.238.213.247 which was also blocked/reported by CrawlProtect.

I am unable to see the login/post attempt in my cpanel because CrawlProtect deny them as soon as they arrive on the site! The only thing I can see in my cpanel is in the error log and it says: 189.238.213.247 denied by server configuration, that's as far as they can go!

Cleo

You might not even be able to get at the Apache and ftp logs via cPanel, Plesk, or equivalent, it's often necessary to get them from support. However, what CrawlProtect gave you to look at is live, so go into the control panel and get rid of it there, too, and if you can't do that then ask support to get rid of it. If it's fed to the control panel from your shop (where CrawlProtect presumably snoozes in its own directory), then you can go in via ftp and put a Linux axe through the file there, by way of its timestamp. That damned thing is live, virulent, and active, just waiting to be spread by whatever means. It went from CrawlProtect to control panel to your machine (^C^V) and to your post. From there it was in safe hands, I have means of summary expungement, and war is war. ("Don't try this at home.")

I actually didn't get around to the second one, which a brief moment ago went poof along with the upper one. Thanky, ya done it good.

[Edit, added:] I was just about to grab the second code sample when it went poof as you edited it out. The second quad-decimal isn't listed with honeypot but is has a similar mail relay setup:

The second one shows
dsl-189-238-213-247-dyn.prod-infinitum.com.mx (a dsl user, so they can find him and throttle his Easter Bunny)
with a Stateside parent with only two servers:

Web Server 208.73.210.214 USA - California OVERSEE-NET-2 Oversee.net 208.73.208.0 208.73.215.255 Oversee.net 515 S. Flower St, Suite 4400, Los Angeles ipadmin@oversee.net ipadmin@oversee.net +1-213-408-0080 ARIN

Mail Server 199.168.90.106 USA - Virginia DL-6 Deteque LLC 199.168.88.0 199.168.91.255 Deteque LLC 5211 Ballycastle Circle, Alexandria afried@deteque.com afried@deteque.com +1-703-362-0067 ARIN

Name: Admin -
Organization: Oversee Domain Management, LLC
Email: admin@overseedomainmanagement.com
Address: 515 S. Flower Street, Suite 4400
City, Province, Post Code: Los Angeles, California, 90071
Country: US
Phone: 1.2132653191

Abuse Desk Email Address: abuse@nameking.com

Given injection intercepted and infection, the specific code appears (in both instances) to relate to attempted mail-relaying of infection rather than to phishing for sensitive data. Over the next few days you can check whether your own mailing address needs to go through whitelisting -- probably not.

You might not even be able to get at the Apache and ftp logs via cPanel, Plesk, or equivalent, it's often necessary to get them from support. However, what CrawlProtect gave you to look at is live, so go into the control panel and get rid of it there, too, and if you can't do that then ask support to get rid of it. If it's fed to the control panel from your shop (where CrawlProtect presumably snoozes in its own directory), then you can go in via ftp and put a Linux axe through the file there, by way of its timestamp. That damned thing is live, virulent, and active, just waiting to be spread by whatever means. It went from CrawlProtect to control panel to your machine (^C^V) and to your post. From there it was in safe hands, I have means of summary expungement, and war is war. ("Don't try this at home.")

Whoo hoo! Calm down!

You might not even be able to get at the Apache and ftp logs via cPanel, Plesk, or equivalent

Why?

what CrawlProtect gave you to look at is live, so go into the control panel and get rid of it there, too, and if you can't do that then ask support to get rid of it

Whoo hoo! It's just a picture/image of it! I didn't get it and I didn't look at it! It's not on the server because it couldn't access it!

That damned thing is live, virulent, and active, just waiting to be spread by whatever means. It went from CrawlProtect to control panel to your machine

As a matter of fact you are wrong! It didn't go to Crawlprotect, CP stopped it, made an image of it and post that image in my CP report file, it's not in control panel, and it's not on my machine either! The file is block as soon as it tries to access the server and redirect to a "You do not have permission to access this site" File!

Every time I get something like that: Sql/or code injection attempt I report them to the web hosting and they add the IP to their block list too, they also added more security a few weeks ago and also installed an antivirus for us for we can scan our web site.

I'm not in the paranoid stage yet!

Cleo

If the IP blockage is done at the host level, then it will be system wide, including your account, trees, and shops. Since the host has anti-viral software on the server, you can use that for peace of mind that bad residue is not there. There is a kind of pass-through (relay) monitoring that can be activated on many hosts to require your own approval for outbound recipient addresses, which essentially stops bad guys from relaying mail through your own software (inbound and abruptly outbound but in your name). And the latter step is where need to whitelist your own outbound address can arise, but CrawlProtect probably axed the matter dead. That happens even with regular mailservers, when some account holders give the whole mailserver a black eye for several hours at a time (in automated, dynamic blacklisting). Server personnel have definite interest in protecting the whole system, and they know that they may have some bad guys signed on as account holders, so it's all perfectly serious and they're on your side.

Do you know why sometimes the pm stays in the outbox instead of being send?

Cleo

when the guy have yet to read your mail, it stays there.

. . . and if it's received (read) while you're busily editing it with an afterthought, you can no longer Submit the edit, gotta send a new one.

Ah ok

Thank you MarketInSG and butte for the answer

Cleo

To echo here (for relevance here) a note over at http://forum.opencart.com/viewtopic.php ... 62#p433362, (A) an http addressable 777 window was announced 2013 May 27; (B) the present thread began 21 days and a few hours later, whether that 777 post caused or not the problem of concern in this thread the example of RISK is important, and (C) "777" is readily searched and perused, by the wrong people, for http addressable 777 windows. Setting 777 is bad enough without also announcing it.