Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Reports of a Distributed Injection Scan SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Reports of a Distributed Injection Scan

We have received a report of a large distributed SQL Injection Scan from a reader. Behavior of scan is being reported as 9000+ Unique IPv4 Addresses and sends 4-10 requests to lightly fuzz the form field. Then the next IP will lightly fuzz the second form field within the same page and the next IP the next form field. Looks to be targeting MSSQL and seeking version.

The reader reports that this scan has been going on for several days.

Sample Payload:

%27%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29%29-

%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

 

The User Agent String for all of the attacking IPs is always

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

There does not seem to be a referrer page either.

 

If you are seeing this activity and can report it please let us know.

 

Richard Porter

--- ISC Handler on Duty

 Richard

167 Posts
ISC Handler
Subscribe Oct 5th 2012
7 years ago
I observed similar activity about a week ago. However in my case there were less than 100 unique source IPs, all belonging to a particular shared hosting provider inside the continental US. The activity continued for about 4 days before stopping.
 Anonymous
Quote Oct 6th 2012
7 years ago
We seen one occurrence, multiple IP's. Only difference user agent was IE8.

 jono

10 Posts
Quote Oct 8th 2012
7 years ago
It's turned up in a mass grep of IIS logs.

145 Unique IP Addresses, however they all belong to the same AS allocated to a provider in the US, (I presume the same one as AB mentioned)

Doesn't seem like the injections were successful. Will keep an eye out though.
 Yinette

12 Posts
Quote Oct 10th 2012
7 years ago
User-Agents were

Mozilla/5.2+(Windows;+U;+Windows+NT+5.2;+en-EN)+Gecko/20090818+Firefox/3.5.6
 Yinette

12 Posts
Quote Oct 10th 2012
7 years ago
We also saw a huge group of attempts at sql injection, while perusing event viewers for last week. All from the same shared hosting provider in Pennsylvania. There were several hundred attempts all with LOONNGG urls with multi "at at version" strings.
 David

6 Posts
Quote Oct 15th 2012
7 years ago

Sign Up for Free or Log In to start participating in the conversation!