New call-to-action
Results 1 to 6 of 6

Thread: Recent SQL Injection attacks

  1. #1
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,849

    Default Recent SQL Injection attacks

    Just a notice that I have had several SQL Injection attacks on the iadn.com website in the last week, all from several Netherlands IP address. It has nothing to do with the site being Alpha. But you should review your logs occasionally and have a means to block by IP address (You can use the one built in to Alpha web server, but it is better to use a 3rd party tool because although Alpha's blocks access, each hit still takes up web server resources, and because you have to stop-start the Alpha server for the block to take effect).

    Here is a summary of 'how to prevent' sql injection attacks from website: https://www.codeproject.com/Articles...on-How-to-Prev

    • Encrypt sensitive data.
    • Access the database using an account with the least privileges necessary.
    • Install the database using an account with the least privileges necessary.
    • Ensure that data is valid.
    • Do a code review to check for the possibility of second-order attacks.
    • Use parameterised queries.
    • Use stored procedures.
    • Re-validate data in stored procedures.
    • Ensure that error messages give nothing away about the internal architecture of the application or the database.


    Here is an example of how injectoin looks in the Alpha web server access log:

    185.92.73.107 - - [05/Nov/2017:14:19:53 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d&qtsT%3D3276%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 60385
    185.92.73.107 - - [05/Nov/2017:14:19:58 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d HTTP/1.1" 200 59573
    185.92.73.107 - - [05/Nov/2017:14:20:02 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%27%2C%22..%2C%29%2C.%28 HTTP/1.1" 200 59655
    185.92.73.107 - - [05/Nov/2017:14:20:05 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%27lnVaEb%3C%27%22%3EUCFjBq HTTP/1.1" 200 59665
    185.92.73.107 - - [05/Nov/2017:14:20:16 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%29%20AND%206423%3D3998%20AND%20%286707%3D6707 HTTP/1.1" 200 59725
    185.92.73.107 - - [05/Nov/2017:14:20:22 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%29%20AND%201860%3D1860%20AND%20%281962%3D1962 HTTP/1.1" 200 59725
    185.92.73.107 - - [05/Nov/2017:14:20:26 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%29%20AND%204046%3D3998%20AND%20%289833%3D9833 HTTP/1.1" 200 59725
    185.92.73.107 - - [05/Nov/2017:14:20:30 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%20AND%203636%3D8661 HTTP/1.1" 200 59641
    185.92.73.107 - - [05/Nov/2017:14:20:35 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%20AND%201860%3D1860 HTTP/1.1" 200 59641
    185.92.73.107 - - [05/Nov/2017:14:20:38 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%20AND%206370%3D5443 HTTP/1.1" 200 59641
    185.92.73.107 - - [05/Nov/2017:14:20:42 -0600] "GET /events.a5w?A5WSessionId=f7587af9da034468b1e4202d16e9ad4d%27%29%20AND%203672%3D8377%20AND%20%28%27GUvw%27%3D%27GUvw HTTP/1.1" 200 59765
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  2. #2
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,701

    Default Re: Recent SQL Injection attacks

    A minor point Steve, but you should not need to restart the Application Server to apply a block on a new IP address. While that was true in previous versions, Alpha Anywhere picks these configuration changes up on the fly.

    That said, I agree completely with your assertion that the Application Server itself is not the best place to do this blocking. In fact, this is something I discussed in my security presentation at DevCon a couple of weeks ago. The functionality is there in case you have no other mechanism available, but it is very inefficient to be doing IP restrictions at this level of the network stack. IP restrictions are much more efficiently handled in a firewall or other layer 3 device/software.

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation

  3. #3
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,849

    Default Re: Recent SQL Injection attacks

    I am using a product by BeeThink to block countries and by blacklist. It works, but looks like it has not been updated since DOS days.
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  4. #4
    "Certified" Alphaholic kkfin's Avatar
    Real Name
    Kenneth
    Join Date
    Dec 2006
    Posts
    1,578

    Default Re: Recent SQL Injection attacks

    I would add to the list also that do not use SQL if you do not especially need it. Flat file web sites thanks to json are more and more popular all the time.
    Also use just service providers that have an external firewall a standard feature, like Leaseweb USA cloud and AWS.
    Also with classic AA server use reverse proxy and bind AA server to localhost.

    Also is good to notice that they do "scan"/"ping" normally to an IP address and not to an domain name. So bind your IP address to an empty web site. You need to use reverse proxy with multi host support to get this done with classic aa server.

  5. #5
    "Certified" Alphaholic
    Real Name
    eric
    Join Date
    Mar 2009
    Location
    Amsterdam
    Posts
    1,284

    Default Re: Recent SQL Injection attacks

    Steve,

    That ip adres is located at FoxCloud LLP located Netherlands Amsterdam that is a cloudprovider but the user is from Cyprus

    hope helps

  6. #6
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,849

    Default Re: Recent SQL Injection attacks

    Yes saw that. I am using blacklists and blocking some countries. But one cannot just blindly block by country. I track login attempts at my site as well, and every single day I get attempted logins from Russia and China domains. Recently for a B2B client, I totally restriced all public domains from registering (yahoo, gmail, yandex, etc). I cannot do that in my case because many independent developers and small businesses use public domain email addresses.
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

Similar Threads

  1. Real World attacks from Hackers at the Internet [ Show Map ]
    By bea2701 in forum General Questions
    Replies: 0
    Last Post: 07-09-2014, 07:54 AM
  2. How can we protect Quick Search from SQL Injection?
    By Fulltimer in forum Application Server Version 11 - Web/Browser Applications
    Replies: 0
    Last Post: 07-16-2013, 06:16 PM
  3. My Concern for SQL Injection
    By Fulltimer in forum Application Server Version 11 - Web/Browser Applications
    Replies: 6
    Last Post: 08-19-2012, 01:43 PM
  4. SQL injection attack and sql_lookup()
    By Garry Flanigan in forum Application Server Version 11 - Web/Browser Applications
    Replies: 2
    Last Post: 03-05-2012, 09:37 AM
  5. Thwarting DOS server attacks
    By Steve Wood in forum Application Server Version 9 - Web/Browser Applications
    Replies: 11
    Last Post: 06-10-2009, 12:00 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •