Spambot Security Blog

Deffinate New MySQL attack through phpBB2 and possibly other CMS. ZB Block defends.

Well, just when you think life is boring, some aspiring skript kiddie tries a new attack! This one affects MySQL and was attempted against a phpBB2 board. I feel that this attack is probably damaging to any board, and perhaps even CMS systems.

This is a serious situation, and did require an update to the signatures in ZB Block. Here is what the new attack looked like...

#: 5437 @: Tue, 24 Mar 2009 21:10:16 -0600
Host: mail.tmanshost.com
IP: 207.44.178.47
Score: 2
Why blocked: MySQL attack. Mail server, usually infected. Please access from a regular domain name.
File: removed for security
Post:
Query: p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*
Referer:
User Agent: Mozilla/5.0
Reconstructed URL: http://zaphodb777.dyndns.org/forum/viewtopic.php?p=-1/**/AND/**/1=0/**/UNION/**/ALL/**/SELECT/**/0x30653763326137383538643038336566366365353233373433305317531753175317/*

Don't worry, that version has been neutered. It appears to be a self propogating worm, with several attack sequences, most much longer, attempting multiple injections into your MySQL db. ZB Block caught it on just 1 variable, and in smarter hands, would have missed it, and I would have been exploited.

Things the new attack has in common...

1. Uses a negative page number (probably to pop execution at a specified/known/expected place in the script.)
2. Uses "/**/" for blind concatenation of strings. The older attacks used "+".
3. Has a "/*" trailing at the end of query.

ZB Block's signatures have been updated to adapt to this new threat, and updating them is critical!

Zap.