[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--

The log lines above show the attacker brute-forcing the number of columns in the table; that large hexadecimal value gets parsed as null.

Blind SQL injection scanning

The attacker used functions such as "waitfor delay" and "benchmark" to perform blind injection.
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)

Large-scale scanning via Google

[attach]163[/attach]
Botnet controllers may use the infected hosts to identify potential targets. Below is a fragment of an RFI (remote file inclusion) attack payload captured by the company's honeypot:
sub google() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=400; $i+=10) {
        my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
        my $res = &search_engine_query($search);
        while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
            if ($1 !~ /google/) {
                my $link = $1;
                my @grep = &links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}
Cocoa's summary: The article is fairly simple, but detecting attacks from logs seems to be a popular direction at the moment.
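As an added example (not part of the original post or of the article it translates), here is a small Python triage script for exactly the kind of log-based detection the summary refers to. It parses WordPress database error lines in the format quoted above, tags each failed query with the technique it reveals (a stray-quote probe, UNION column enumeration together with the number of columns guessed, and time-based blind probes via waitfor delay, BENCHMARK or SLEEP), then reports a per-technique count and the densest burst of injection attempts. The embedded sample log is constructed from the post's own five lines plus one benign entry that I made up for contrast; the tag names and the empty_table_name observation are my own labels, not anything the article defines.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the five lines quoted in the post above, plus one benign
# (constructed) database error so the classifier has something to leave alone.
SAMPLE_LOG = r"""
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 09:12:00] WordPress database error Table 'wp.wp_missing' doesn't exist for query SELECT * FROM wp_missing WHERE id = 7
""".strip()

# "[timestamp] WordPress database error <message> for query <sql>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<err>.*?) for query (?P<query>.*)$"
)
# Time-based blind probes: T-SQL waitfor delay, MySQL BENCHMARK()/SLEEP()
TIME_BASED_RE = re.compile(r"waitfor\s+delay|\bbenchmark\s*\(|\bsleep\s*\(", re.I)
# UNION column enumeration; group 1 is the injected select list up to a comment marker
UNION_RE = re.compile(r"union\s+(?:all\s+)?select\s+(.*?)(?:--|#|$)", re.I | re.S)
# A numeric value followed by a stray (possibly escaped) quote: the classic first probe
QUOTE_PROBE_RE = re.compile(r"=\s*-?\d+(?:\.\d+)?\\?'")


def union_column_count(query):
    """Number of columns the attacker tried in a UNION SELECT, or None if no UNION."""
    m = UNION_RE.search(query)
    if not m:
        return None
    return sum(1 for part in m.group(1).split(",") if part.strip())


def classify(query):
    """Return the list of technique tags (my own labels) that the failed query shows."""
    tags = []
    if UNION_RE.search(query):
        tags.append("column_enumeration")
    if TIME_BASED_RE.search(query):
        tags.append("time_based_blind")
    if not tags and QUOTE_PROBE_RE.search(query):
        tags.append("quote_probe")
    # Observation, not an attack: the generated SQL reads "FROM WHERE", i.e. the
    # table name the application meant to insert was empty.
    if re.search(r"\bfrom\s+where\b", query, re.I):
        tags.append("empty_table_name")
    return tags


def parse_log(text):
    """Parse every recognised error line into a dict with timestamp, query, tags, columns."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, skip
        query = m.group("query")
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "query": query,
            "tags": classify(query),
            "columns": union_column_count(query),
        })
    return events


def summarize(events):
    """Count how often each technique tag occurs across the parsed events."""
    return Counter(tag for e in events for tag in e["tags"])


def max_injection_burst(events, window_seconds=300):
    """Largest number of injection-tagged events inside any sliding time window."""
    hits = sorted(e["ts"] for e in events
                  if any(t != "empty_table_name" for t in e["tags"]))
    best, start = 0, 0
    for end, ts in enumerate(hits):
        while ts - hits[start] > timedelta(seconds=window_seconds):
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e["ts"], e["tags"], "columns=%s" % e["columns"])
    print("summary:", dict(summarize(evs)))
    print("densest 5-minute burst:", max_injection_burst(evs))
```

Two things worth noticing when running it over the post's lines: waitfor delay is Transact-SQL, so against MySQL it can only produce the syntax error seen here rather than a five-second pause, which means the database error log, not response timing, is where this probe becomes visible; and every injected query reads FROM WHERE with no table name, a detail the log exposes about the vulnerable code itself even though the article does not comment on it.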