What was this hacker trying to do? [PHP/MySQL]

Gerbil333

Our site just received at least 25 e-mails from someone via our PHP contact form. I assume it was an attempt to hack the database. All contained the following message:

111-222-1933email@address.tst

The "From: " field in every message had some strange variation of the following code (these are just a few attempts):

From: sample@email.tst and 1=1 --
From: sample@email.tst' and '1'='1' --
From: sample@email.tst" and "1"="1" --
From: sample@email.tst and 1=1
From: sample@email.tst' and '1'='1

The IP has been blocked, but I'm curious what was going on...

Edit: Just checked the IP we blocked: 70.37.66.104

Country: United States
IP address owner: Microsoft Corporation
One Microsoft Way
Redmond
WA 98052
US

Should I be worried?
 

Oakenfold

The contact form you referenced, does it have an anti-bot measure in place like some type of image?
 

Duwelon

Well, something is pretty odd alright. The "attacker" isn't too bright if you ask me.

If they were trying to do a logic injection attack of some kind into your forms, they surely wouldn't put "and 1=1". They'd put "or 1=1" if they actually wanted something to happen should a weakness exist.
 

Dravic

Looks like a generic/scripted scanner trying to perform an SQL injection attack in any form it can find. They are probing your forms for data leakage. Even if they don't get any data, the way your system responds could give them information on what more specific type of attack may work. Could be a drive-by script kiddie or more serious; only additional log monitoring and investigation would let you know.

As the IP address isn't just some home cable/DSL IP, I would actually contact MS as a professional courtesy. It's not your responsibility, but EVERYBODY could use the help. If I were MS, I would be grateful to know either we scanned your IP address by accident (bad scope) during regular scans, or one of their resources is being used as an attack launch point.
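
Added example (not part of the post above and not the original poster's site code): a PHP contact-form handler that treats the From values quoted in this thread as data, rejecting the malformed ones and binding whatever passes validation. The `contact_log` table, the function names and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example. Table/column names are hypothetical; SQLite in memory stands
// in for the site's MySQL database so the script runs offline.
declare(strict_types=1);

/** Return a validated address, or null if the value must not be used. */
function clean_from(string $raw): ?string
{
    if (preg_match('/[\r\n]/', $raw)) {
        return null;                 // CR/LF would allow mail header injection
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Store a message with bound parameters, so input is never parsed as SQL. */
function save_message(PDO $db, string $from, string $body): void
{
    $stmt = $db->prepare('INSERT INTO contact_log (sender, body) VALUES (:sender, :body)');
    $stmt->execute([':sender' => $from, ':body' => $body]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact_log (sender TEXT, body TEXT)');

// From values quoted in the first post, plus two constructed addresses.
$samples = [
    'sample@email.tst and 1=1 --',
    "sample@email.tst' and '1'='1' --",
    'sample@email.tst" and "1"="1" --',
    'sample@email.tst and 1=1',
    "sample@email.tst' and '1'='1",
    'visitor@example.com',           // constructed, ordinary address
    "o'brien@example.com",           // constructed: a quote can be legitimate,
];                                   // so validation does not replace binding

foreach ($samples as $raw) {
    $from = clean_from($raw);
    if ($from === null) {
        // Log the detail server-side; the visitor gets one generic response.
        error_log('contact form: rejected From value ' . json_encode($raw));
        echo "REJECT  $raw\n";
        continue;
    }
    save_message($db, $from, 'constructed test message');
    echo "ACCEPT  $from\n";
}
echo 'rows stored: ' . $db->query('SELECT COUNT(*) FROM contact_log')->fetchColumn() . "\n";
```

Returning the same response for every rejected value keeps the form from telling a scanner which variant came closest to working.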
 

LiuKangBakinPie

Let me guess. A Nigerian hacker?

Contact Acunetix and ask if their program is scanning your site.
 