
What was this hacker trying to do? [PHP/MySQL]

Gerbil333

Diamond Member
Our site just received at least 25 e-mails from someone via our PHP contact form. I assume it was an attempt to hack the database. All contained the following message:

111-222-1933email@address.tst

The "From: " field in every message had some strange variation of the following code (these are just a few attempts):

From: sample@email.tst and 1=1 --
From: sample@email.tst' and '1'='1' --
From: sample@email.tst" and "1"="1" --
From: sample@email.tst and 1=1
From: sample@email.tst' and '1'='1

The IP has been blocked, but I'm curious what was going on...

Edit: Just checked the IP we blocked: 70.37.66.104

Country: United States
IP address owner: Microsoft Corporation
One Microsoft Way
Redmond
WA 98052
US

Should I be worried?

Well, something is pretty odd alright. The "attacker" isn't too bright if you ask me.

If they were trying to do a logic injection attack of some kind into your forms, they surely wouldn't put "and 1=1". They'd put "or 1=1" if they actually wanted something to happen should a weakness exist.
 

Looks like a generic/scripted scanner trying to perform an SQL injection attack in any form it can find. They are probing your forms for data leakage. Even if they don't get any data, the way your system responds could give them information on what more specific type of attack may work. Could be a drive-by script kiddie or more serious; only additional log monitoring and investigation would let you know.

As the IP address isn't just some home cable/DSL IP, I would actually contact MS as a professional courtesy. It's not your responsibility, but EVERYBODY could use the help. If I were MS, I would be grateful to know either we scanned your IP address by accident (bad scope) during regular scans, or one of their resources is being used as an attack launch point.
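The "additional log monitoring" suggested above can be automated. The following is an added example (my code, not anything posted in this thread) that runs over logged From: header values and flags the boolean tautologies seen here, recording which quoting context (none, single or double quote) each probe was testing and whether it tried to comment out the rest of the query. The log lines are constructed from the headers quoted in the thread plus two benign senders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Boolean tautologies like those in the thread's From: headers:  and 1=1,
# ' and '1'='1,  " and "1"="1,  each optionally ending in a -- or # comment.
# The backreferences force the same quote on both sides, so the match also
# tells us which string context (none/single/double) was being probed.
TAUTOLOGY = re.compile(
    r"""(?P<quote>['"]?)\s*(?P<op>and|or)\s+(?P=quote)1(?P=quote)\s*=\s*(?P=quote)1(?P=quote)?\s*(?P<comment>--|#)?""",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Probe:
    connective: str           # "and": response-fingerprinting probe; "or": forces a true condition
    quoting: str              # "none", "single" or "double": the quoting context being tested
    comment_terminated: bool  # trailing --/# would discard the rest of the original query

def classify_probe(value: str) -> Optional[Probe]:
    """Return a Probe if a submitted field value carries a SQL tautology, else None."""
    m = TAUTOLOGY.search(value)
    if not m:
        return None
    quoting = {"": "none", "'": "single", '"': "double"}[m.group("quote")]
    return Probe(m.group("op").lower(), quoting, m.group("comment") is not None)

def scan_from_headers(lines: List[str]) -> List[Tuple[str, Probe]]:
    """Classify each 'From: ...' line as logged by the contact form; return the flagged ones."""
    findings = []
    for line in lines:
        value = line.split(":", 1)[1].strip() if line.lower().startswith("from:") else line.strip()
        probe = classify_probe(value)
        if probe is not None:
            findings.append((value, probe))
    return findings

# Constructed sample: the five From: headers quoted in the thread plus two legitimate senders.
SAMPLE_LOG = [
    "From: sample@email.tst and 1=1 --",
    "From: sample@email.tst' and '1'='1' --",
    'From: sample@email.tst" and "1"="1" --',
    "From: sample@email.tst and 1=1",
    "From: sample@email.tst' and '1'='1",
    "From: jane.doe@example.com",
    'From: "Andy Oreilly" <andy@example.com>',
]

if __name__ == "__main__":
    for value, probe in scan_from_headers(SAMPLE_LOG):
        print(f"{value!r:42} {probe.connective:3} {probe.quoting:6} comment={probe.comment_terminated}")
```

All five thread payloads use "and", which never changes the query's truth value; that is what marks them as fingerprinting probes rather than a direct extraction attempt.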
 