Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Reports of a Distributed Injection Scan InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Reports of a Distributed Injection Scan

Published: 2012-10-05
Last Updated: 2012-10-05 19:53:10 UTC
by Richard Porter (Version: 1)
5 comment(s)

We have received a report of a large distributed SQL Injection Scan from a reader. Behavior of scan is being reported as 9000+ Unique IPv4 Addresses and sends 4-10 requests to lightly fuzz the form field. Then the next IP will lightly fuzz the second form field within the same page and the next IP the next form field. Looks to be targeting MSSQL and seeking version.

The reader reports that this scan has been going on for several days.

Sample Payload:

%27%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29%29-

%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

 

The User Agent String for all of the attacking IPs is always

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

There does not seem to be a referrer page either.

 

If you are seeing this activity and can report it please let us know.

 

Richard Porter

--- ISC Handler on Duty

5 comment(s)
Diary Archives