• hkimscil

    (@hkimscil)


    Hello all –

    I got this comment on one of my sites. It looks like a hacking attempt using SQL command insertion via the comment function. So far, I have not noticed any problems. But I would like to make sure that my site is prepared.
    Any suggestion would be appreciated. Thanks!

    I haven't implemented any plugins regarding the comment function...

    Bill Gates','[email protected]','','63.23.12.12','2008-03-07 16:01:27','2008-03-07 16:01:27','','0','Mozilla/4.0(compatible; MSIE 5.0; Windows 98; DigExt)','comment','0','0'),('0', '', '', '', '', '2008-03-08 16:01:27', '2008-03-08 16:01:27', '', 'spam', '', | None | IP: 64.191.63.181


Viewing 5 replies - 1 through 5 (of 5 total)
  • framness

    (@framness)

    I too received similar attacks last night. The first one resembles yours, and a follow-up:
    Author : ' AND 1=0) UNION SELECT 1 FROM wp_users WHERE user_login='admin' and substring(reverse(lpad(conv(substring(user_pass,9,1), 16, 2),4,'0')),4,1)='1' /* (IP: 64.191.63.181 , titania.hostingmadeeasy.com)

    I noticed that accessing the IP via web client displays a little insult too and the IP is tied in with the domain hostingmadeeasy.com.

    tylermenezes

    (@tylermenezes)

    They’re script-kiddie attacks, they’re trying old exploits. As long as you’re running the latest version, you should be fine. But be sure to back up your database regularly if you don’t already.

    squaredesign

    (@squaredesign)

    i would agree that it’s completely benign, except one of my clients got one of these last night. they’re running 2.3.3. their blog is set to:

    [ ] anyone can register
    [X] users must be logged in to post a comment

    therefore, whatever these people are doing, they are able to post a comment without even having a user account. sure it got caught in moderation, but they were still able to post.

    if you look at the httpd logs, it was done via POST method to wp-trackback.php:

    64.191.63.181 - - [09/Mar/2008:01:22:17 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 922 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"

    that was the exact entry that created the comment.

    i'll paste every access from this script to the site in order. it enters at an arbitrary posting URL and tries to find wp-trackback wherever it exists (recursively crawling up the directory tree); when it finds it, it tries to GET wp-trackback with incrementing post numbers until it finds the first published post, then it GETs wp-login.php?action=logout, then it POSTs to wp-trackback 4 times.

    the comment was created on the 2nd POST (that’s the timestamp that matches the time in mysql).


    64.191.63.181 - - [09/Mar/2008:01:22:06 -0800] "POST /2007/04/09/post-name-here/wp-trackback.php HTTP/1.1" 200 2361 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:09 -0800] "POST /2007/04/09/wp-trackback.php HTTP/1.1" 200 2349 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:10 -0800] "POST /2007/04/wp-trackback.php HTTP/1.1" 200 7944 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:11 -0800] "POST /2007/wp-trackback.php HTTP/1.1" 200 7942 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:12 -0800] "POST /wp-trackback.php HTTP/1.1" 200 523 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:13 -0800] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 522 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:13 -0800] "GET /wp-trackback.php?p=2 HTTP/1.1" 200 522 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:14 -0800] "GET /wp-trackback.php?p=3 HTTP/1.1" 200 522 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:15 -0800] "GET /wp-trackback.php?p=4 HTTP/1.1" 200 468 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:15 -0800] "GET /wp-login.php?action=logout HTTP/1.1" 200 1061 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:16 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 476 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:17 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 922 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:18 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 922 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
    64.191.63.181 - - [09/Mar/2008:01:22:19 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 922 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
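The sequence squaredesign describes (POSTs to wp-trackback.php walking up the directory tree, GETs with incrementing ?p= values, a logout, then a burst of POSTs to one post id) is easy to pick out of an access log once you group by client IP. The script below is an added example, not something from this thread or from WordPress: it parses Apache "combined" format lines, scores each IP on the three signals, and reports the ones that match. The sample input is the log excerpt posted above plus one constructed benign request from 198.51.100.7; the thresholds (`window_seconds`, `min_posts`) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Sample input: the access-log entries squaredesign posted in this thread,
# plus one constructed benign request from a different address.
UA = '"Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"'
SAMPLE_LOG = [
    f'64.191.63.181 - - [09/Mar/2008:01:22:06 -0800] "POST /2007/04/09/post-name-here/wp-trackback.php HTTP/1.1" 200 2361 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:09 -0800] "POST /2007/04/09/wp-trackback.php HTTP/1.1" 200 2349 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:10 -0800] "POST /2007/04/wp-trackback.php HTTP/1.1" 200 7944 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:11 -0800] "POST /2007/wp-trackback.php HTTP/1.1" 200 7942 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:12 -0800] "POST /wp-trackback.php HTTP/1.1" 200 523 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:13 -0800] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 522 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:13 -0800] "GET /wp-trackback.php?p=2 HTTP/1.1" 200 522 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:14 -0800] "GET /wp-trackback.php?p=3 HTTP/1.1" 200 522 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:15 -0800] "GET /wp-trackback.php?p=4 HTTP/1.1" 200 468 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:15 -0800] "GET /wp-login.php?action=logout HTTP/1.1" 200 1061 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:16 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 476 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:17 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 922 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:18 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 922 "-" {UA}',
    f'64.191.63.181 - - [09/Mar/2008:01:22:19 -0800] "POST /wp-trackback.php?p=4 HTTP/1.1" 200 922 "-" {UA}',
    # constructed benign line, different client
    '198.51.100.7 - - [09/Mar/2008:01:25:00 -0800] "GET /2007/04/09/post-name-here/ HTTP/1.1" 200 9120 "-" "constructed-benign-client/1.0"',
]

# Apache "combined" format; only the fields up to the response size are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m.group("status")),
    }


def find_trackback_probes(lines, window_seconds=60, min_posts=3):
    """Flag client IPs whose wp-trackback.php traffic shows at least two of three probe signals."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        tb = [r for r in recs if r["path"].endswith("/wp-trackback.php")]
        if not tb:
            continue
        # Signal 1: POSTs to wp-trackback.php under several parent directories
        # (the script walking up the tree looking for the install root).
        walked = {r["path"][: -len("wp-trackback.php")] for r in tb if r["method"] == "POST"}
        # Signal 2: enumerating post ids with GET ?p=1, ?p=2, ...
        probed = sorted({int(r["query"]["p"][0]) for r in tb
                         if r["method"] == "GET" and r["query"].get("p", [""])[0].isdigit()})
        # Signal 3: a burst of POSTs to a single ?p=N inside the time window.
        posts = [r for r in tb if r["method"] == "POST" and "p" in r["query"]]
        burst = 0
        if len(posts) >= min_posts and (posts[-1]["ts"] - posts[0]["ts"]).total_seconds() <= window_seconds:
            burst = len(posts)
        # Side signal: the logout GET the script issues right before posting.
        logout = any(r["path"].endswith("/wp-login.php") and r["query"].get("action") == ["logout"]
                     and (not posts or r["ts"] <= posts[0]["ts"]) for r in recs)
        score = (len(walked) >= 2) + (len(probed) >= 3) + (burst > 0)
        if score >= 2:
            findings[ip] = {
                "walked_dirs": len(walked),
                "probed_ids": probed,
                "post_burst": burst,
                "logout_before_posts": logout,
                "first_seen": tb[0]["ts"].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_trackback_probes(SAMPLE_LOG).items():
        print(ip, info)
```

Requiring two of the three signals keeps a single legitimate trackback (one POST to wp-trackback.php?p=N) from being flagged; the directory walk alone is already a strong tell, since a real blog platform sends its pings to the exact URL it was given.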

    squaredesign

    (@squaredesign)

    hrm okay thinking about this further, i think they’re simply submitting a trackback. trackbacks, by their nature, do not require authentication.

    the SQL injection is obviously not successful as their SQL statement is appearing in the body of the comment.
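The observation above (the SQL fragment shows up verbatim as comment text) is exactly what you see when the values were bound as parameters rather than spliced into the query. The following is an added example, not code from this thread or from WordPress, using a four-column stand-in for the comments table in SQLite: the same constructed payload adds a second row through the string-formatting anti-pattern and is stored as plain text through parameter binding. The `looks_like_sql_fragment` check is a hypothetical moderation-queue triage helper for pulling such comments aside.

```python
import re
import sqlite3

# Constructed payload in the shape the thread shows: the author field tries to
# close the current VALUES tuple and open a second row. Shortened to match the
# four-column stand-in table below; not the exact string from the thread.
PAYLOAD = "Bill Gates','x@example.invalid','','0'),('injected"

# Hypothetical, much-reduced comments table.
SCHEMA = """
CREATE TABLE comments (
    comment_author TEXT,
    comment_author_email TEXT,
    comment_content TEXT,
    comment_approved TEXT
);
"""


def fresh_db():
    """In-memory database with the stand-in comments table."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def insert_unsafe(con, author, email, content, approved):
    """ANTI-PATTERN: values spliced into the SQL text; shown only for contrast."""
    sql = "INSERT INTO comments VALUES ('%s','%s','%s','%s')" % (author, email, content, approved)
    con.execute(sql)
    con.commit()


def insert_safe(con, author, email, content, approved):
    """Parameter binding: values travel separately from the statement, so quotes
    inside them are data, never syntax."""
    con.execute("INSERT INTO comments VALUES (?,?,?,?)", (author, email, content, approved))
    con.commit()


def authors(con):
    """Stored comment_author values in insertion order."""
    return [row[0] for row in con.execute("SELECT comment_author FROM comments ORDER BY rowid")]


# Triage helper: a stored comment whose fields still contain SQL syntax is
# evidence the input was neutralised, but it still belongs in the spam bin.
SQL_FRAGMENT_RE = re.compile(r"'\s*\)\s*,\s*\(\s*'|\bUNION\s+SELECT\b", re.IGNORECASE)


def looks_like_sql_fragment(text):
    return bool(SQL_FRAGMENT_RE.search(text))


if __name__ == "__main__":
    con = fresh_db()
    insert_unsafe(con, PAYLOAD, "e@example.invalid", "hello", "0")
    print("unsafe:", authors(con))  # two rows: the payload created one
    con = fresh_db()
    insert_safe(con, PAYLOAD, "e@example.invalid", "hello", "0")
    print("safe:  ", authors(con))  # one row holding the payload verbatim
```

The second run is the situation in this thread: the whole payload sits in one column as ordinary text, which is why it reads back as a weird comment rather than as extra rows or a leaked password hash.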

    my blog won't allow non-registered users to post comments; however, the hacker successfully posted one (waiting for approval).

    I am using the latest version 2.6.2, and got the attack at the same point.
    … "POST /wp-trackback.php?p=xx HTTP/1.0" 200 78 "-" "-"

    How can I prevent this in the future?
    Is this a security issue?

  • The topic ‘need advice on hacking attempt’ is closed to new replies.