Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

WASC Distributed Open Proxy Honeypot: Blind SQL Injection Attempt (Update)

As some of you may know, I am heading up the WASC Distributed Open Proxy Honeypot Project. The project architecture includes having participants deploy VMware images of a specially configured Apache server (functioning as an open proxy) along with ModSecurity. When the honeypot identifies an attack, it blocks it and then sends back the attack data to a central log server. This gives us a pretty unique view of the types of attacks that happening out on the web as most bad guys are using these types of open proxies to funnel their attacks through to try and hide their true origins.

We recently (Oct 2007) deployed phase II of the project and now have many more sensors online. As you might expect, we are getting some interesting traffic :) With this in mind, I am going to be periodically posting attack data that we identify with the honeypots and provide a sort of web attack "Chalk Talk" breakdown of what is happening. For those of you aren't familiar with the "Chalk Talk" term, it is commonly used by sports commentators in the United States when discussing American Football. The sports analysts breakdown the schemes used by offenses and defenses to show spectators the details of what is happening.

With this in mind, here is the 1st installment - Blind SQL Injection.

A client sent the following request (bolded portions are of interest):

GET http://www.mehdiplugins.com/misc/phpbbjoomhack.htm?textfield=Your%20site%20was%20so%20interesting %20and%20informative%20I%20had%20to%20call%20a%20friend%20to%20tell%20her%20about%20it%2E%20Great %20work%0D%0A%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap4%2Ehtml%20%3E%20 My%20Best%20Links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2F map2%2Ehtml%20%3E%20top%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fahsjh%2Efreephpwebhosting %2Enet%2Fmap8%2Ehtml%20%3E%20favourite%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fahsjh %2Efreephpwebhosting%2Enet%2Fmap7%2Ehtml%20%3E%20Links%20%3C%2Fa%3E%20%0D%0A%20%5Burl%3Dhttp%3A%2F %2Fmembers%2Elycos%2Eco%2Euk%2Fdfska%2Fmap3%2Ehtml%5D%20top%20links%20%5B%2Furl%5D%20%20%5Burl%3D http%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap3%2Ehtml%5D%20best%20links%20%5B%2Furl%5D%20%20%5B url%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap5%2Ehtml%5D%20My%20Links%20%5B%2Furl%5D%20 %20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap1%2Ehtml%5D%20my%20favourite%20links %20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap6%2Ehtml%5D%20Links %20%5B%2Furl%5D%20&textfield2=Michalis&textfield3=if%28%20md5%28%24password%29%20%3D%3D%20 %24row%5B%27user%5Fpassword%27%5D%20%26%26%20%24row%5B%27user%5Factive%27%5D%20%29&textfield4 =Your%20site%20was%20so%20interesting%20and%20informative%20I%20had%20to%20call%20a%20friend%20to%20 tell%20her%20about%20it%2E%20Great%20work%0D%0A%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2D host%2Ecom%2Fmap4%2Ehtml%20%3E%20My%20Best%20Links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl %2Efree%2Dsite%2Dhost%2Ecom%2Fmap2%2Ehtml%20%3E%20top%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp %3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2Ehtml%20%3E%20favourite%20links%20%3C%2Fa%3E%20%20 %3Ca%20href%3Dhttp%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap7%2Ehtml%20%3E%20Links%20%3C%2Fa%3E %20%0D%0A%20%5Burl%3Dhttp%3A%2F%2Fmembers%2Elycos%2Eco%2Euk%2Fdfska%2Fmap3%2Ehtml%5D%20top%20links %20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap3%2Ehtml%5D%20best%20 links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap5%2Ehtml%5D%20 My%20Links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap1%2Ehtml %5D%20my%20favourite%20links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom %2Fmap6%2Ehtml%5D%20Links%20%5B%2Furl%5D%20&textfield32=if%28%20md5%28%24password%29%20%3D %3D%20%24row%5B%27user%5Fpassword%27%5D%20%26%26%20%24row%5B%27user%5Factive%27%5D%20%29 &textfield5=Namibia%2C%20Guangzhou&textfield6=http%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2E html&textfield22=http%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2Ehtml HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referer: http://www.mehdiplugins.com/misc/phpbbjoomhack.htm Host: www.mehdiplugins.com 

If you URL Decode this text, you will get the following:

GET http://www.mehdiplugins.com/misc/phpbbjoomhack.htm?textfield=Your site was so interesting and informative I had to call a friend to tell her about it. Great work  <a href=http://nwhjl.free-site-host.com/map4.html > My Best Links   <a href=http://nwhjl.free-site-host.com/map2.html > top links   <a href=http://ahsjh.freephpwebhosting.net/map8.html > favourite links   <a href=http://ahsjh.freephpwebhosting.net/map7.html > Links    [url=http://members.lycos.co.uk/dfska/map3.html] top links [/url]  [url=http://kersnm.awesomewebspace.com/map3.html] best links [/url]  [url=http://nwhjl.free-site-host.com/map5.html] My Links [/url]  [url=http://nwhjl.free-site-host.com/map1.html] my favourite links [/url]  [url=http://kersnm.awesomewebspace.com/map6.html] Links [/url] &textfield2=Michalis&textfield3=if( md5($password) == $row['user_password'] && $row['user_active'] )&textfield4=Your site was so interesting and informative I had to call a friend to tell her about it. Great work  <a href=http://nwhjl.free-site-host.com/map4.html > My Best Links   <a href=http://nwhjl.free-site-host.com/map2.html > top links   <a href=http://ahsjh.freephpwebhosting.net/map8.html > favourite links   <a href=http://ahsjh.freephpwebhosting.net/map7.html > Links    [url=http://members.lycos.co.uk/dfska/map3.html] top links [/url]  [url=http://kersnm.awesomewebspace.com/map3.html] best links [/url]  [url=http://nwhjl.free-site-host.com/map5.html] My Links [/url]  [url=http://nwhjl.free-site-host.com/map1.html] my favourite links [/url]  [url=http://kersnm.awesomewebspace.com/map6.html] Links [/url] &textfield32=if( md5($password) == $row['user_password'] && $row['user_active'] )&textfield5=Namibia, Guangzhou&textfield6=http://ahsjh.freephpwebhosting.net/map8.html&textfield22= http://ahsjh.freephpwebhosting.net/map8.html HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referer: http://www.mehdiplugins.com/misc/phpbbjoomhack.htm Host: www.mehdiplugins.com 

The URL-decoded data makes it much easier to visually identify what the client was trying to do. This appears to be a SPAMMER show is sending their data to this destination in the hopes that it will be posted to the comment site where user will see it.

The bolded portion of the data triggered a ModSecurity Core Rule for Blind SQL Injection and generated this alert message:

Message: Access denied with code 200 (phase 2). Pattern match "\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c (?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr (?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)| ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects) |object_(?:(?:nam|typ)e|id) ..." at ARGS:textfield3. [id "950904"] [msg "Blind SQL Injection Attack. Matched signature <user_password>"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/4.5"] [tag "OWASP/A6"] [tag "PCI/6.5.6"] 

So, the matched portion of the text was this:

if( md5($password) == $row['user_password'] && $row['user_active'] ) 

What is this attempting to do? It appears that the SPAMMER is attempting to Bypass Authentication for the PHPBB form page. This actually makes sense when you think about it from a spammer's perspective. What is easier and less resource intensive? To either actually register for accounts on these sites to then allow them to post or to include this Blind SQL Injection Authentication Bypass string and not have to worry about authenticating at all? The later it seems is the case.

Update

We had more time to review this specific transaction and it appears to be a False Positive. It is not that the rule triggered on something that it shouldn't have, but rather that this was not an actual Blind SQL Injection attack.

The string that was matched is actually a PHP code snippet that was present in the page. It seems that the SPAMMER's script automatically included all of the hidden arguments in their request. I guess that instead of taking the time to code in the proper intelligence as to what fields are required for their request, it is just easier to "throw the kitchen sink" at it and included everything. Most web apps will not error out with extra parameters, however they will if you are missing require elements.

As a side note, at the same time were were conducting this internal analysis, we did recieve some feedback from the public re-affirming this theory (thanks kuza55 by way of Jeremiah Grossman's Blog). This does raise an important issue - we need help with data analysis! If you are interested in participating in the WASC honeypot project (even if you don't want to deploy an actual honeypot) then please let me know and we will get you signed up for the project mail-list. This way, we can get more eyes on these alerts for validation.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More