• Big problem tonight. Okayed a post comment and wrote a reply and then checked my Bad Behavior log, which showed that this same person had sent a "Request contained a malicious JavaScript or SQL injection attack". Don't know how all this works, if this person first tried to get in through Bad Behavior and when that didn't work, tried to get in with a blog comment, which (big groan) unfortunately did work. I of course deleted the comments, but I would guess it was too late. Question now is how do I know the difference between a JavaScript and a SQL injection attack? In the Editor I can't see anything different in my files (it's still early: haven't closed and reopened WP). So what should I do first? Would be very thankful for some help here.

    Bad Behavior report:
    66.82.9.81

    2009-10-09 22:44:47

    Request contained a malicious JavaScript or SQL injection attack GET /2009/09/high-roller-holiday-spender/comment-page-1/#comment-10 HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Accept-Language: en-us,en;q=0.5
    Client-Ip: 67.44.98.124
    Connection: Keep-Alive
    Cookie: bb2_screener_=1255128284+66.82.9.81+67.44.98.124+67.44.98.124; comment_author_23b1ef4acb64bd6c8ab1aebf608dc9d2=RecycleCindy; comment_author_email_23b1ef4acb64bd6c8ab1aebf608dc9d2=cindy%40myrecycledbags.com; comment_author_url_23b1ef4acb64bd6c8ab1aebf608dc9d2=http%3A%2F%2Fwww.myrecycledbags.com
    Host: savvysavingbytes.com
    Keep-Alive: 300
    Referer: http://savvysavingbytes.com/2009/09/high-roller-holiday-spender/
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
    X-Forwarded-For: 67.44.98.124

Viewing 3 replies - 1 through 3 (of 3 total)
  • You're right to be wary, but I wouldn't get too worked up in this case. My take is that it's a false positive from Bad Behavior, just caused by the '#' in the URL request.

    Browsers don't normally send the # anchor as part of an HTTP request, as the whole page is downloaded regardless, and the anchor is just extracted from the page by the browser when it's rendered. So anything out of the ordinary gets blocked by Bad Behavior.

    I don’t understand quite why the browser has sent that # in this case, but it’s not malicious – it’s just a page anchor appended to the URL.

    If it were a spam comment that you’ve deleted, it might be a bot, but if it was an otherwise ok comment (ie not trying to peddle pills ‘n porn and actually related to the post etc), I’d probably call it legit and guess that the visitor has just got a bad plugin installed or some bad config that’s causing it to send anchors too and just wouldn’t worry about it.
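    The distinction Alism draws here can be made mechanically. The following is an added example written for this thread, not Bad Behavior's own code and not its rule set: a request line is split off its '#' fragment, which a conforming browser never sends, and only the decoded path and query are matched against a couple of illustrative injection signatures. The sample request lines are constructed for the demo; the first one is the line from the log above, the others are made up.

```python
import re
from urllib.parse import unquote

# Constructed request lines for the demo. The first is the one Bad Behavior
# logged in the thread above; the rest are made up to show what a real
# injection attempt in the request target would look like.
SAMPLES = [
    "GET /2009/09/high-roller-holiday-spender/comment-page-1/#comment-10 HTTP/1.1",
    "GET /2009/09/high-roller-holiday-spender/comment-page-1/ HTTP/1.1",
    "GET /?s=%27%20OR%201%3D1%20--%20 HTTP/1.1",
    "GET /?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1",
]

# Illustrative signatures only (an assumption for the demo, not Bad Behavior's
# real rule set); a production screener carries far more and is tuned to avoid
# matching ordinary words.
SQLI = re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|union\s+select|--\s|;\s*(drop|delete)\b")
XSS = re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")


def classify(request_line):
    """Return (findings, verdict) for one HTTP request line.

    verdict is 'ok', 'anomaly' (odd but harmless, e.g. a '#' fragment the
    browser should have stripped) or 'attack' (an injection signature matched
    in the decoded path/query).
    """
    _method, target, _version = request_line.split(" ", 2)
    # A conforming browser removes everything from '#' onward before sending,
    # so a fragment on the wire is unusual but carries no payload of its own.
    path_and_query, _, fragment = target.partition("#")
    decoded = unquote(path_and_query)
    findings = []
    if fragment:
        findings.append("fragment-in-request")
    if SQLI.search(decoded):
        findings.append("sqli-pattern")
    if XSS.search(decoded):
        findings.append("xss-pattern")
    if any(f.endswith("-pattern") for f in findings):
        verdict = "attack"
    elif findings:
        verdict = "anomaly"
    else:
        verdict = "ok"
    return findings, verdict


def screen(lines=SAMPLES):
    """Classify every sample line; returns (line, findings, verdict) tuples."""
    return [(line, *classify(line)) for line in lines]


if __name__ == "__main__":
    for line, findings, verdict in screen():
        print(f"{verdict:8} {findings} {line}")
```

    Run stand-alone it prints one verdict per line: the logged request comes out as an anomaly (fragment only, no payload), the plain page fetch as ok, and the two made-up lines as attacks. The point is that a screener which lumps "unexpected" and "malicious" into one log message, as the one in the thread does, leaves the site owner to do this separation by hand.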

    Thread Starter saphire2

    (@saphire2)

    Thank you so much for your reply, Alism. I have been on the phone with my host and they so far don’t see anything wrong with my javascript.

    They also said that no blog comment could contain anything that could harm the database without knowledge of my password. Do you agree with that?

    Again, I feel way better after your knowledgeable reply.

    Hmmmmm, any user input that’s fed into a script/program should be treated as malicious at first, so I wouldn’t entirely agree with that statement, but I know what they’re getting at. As long as that input is validated properly and checked for any badness and shenanigans, it’s not a problem.

    There's always someone trying to hack their way in using some innovative technique that no-one has ever planned for or thought of before, so never say never. Based on what you've written above, I don't think you're seeing anything to worry about with that particular URL request though.

    But, I see you’ve said you’re running WordPress 2.7.1, if that’s the case, you really should update it *asap*, as there’s been a security update since then which is worth worrying about:
    http://ww.wp.xz.cn/support/topic/307660?replies=1

    G’night!
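    Alism's point that the host's statement is too strong can be shown concretely. The following is an added example written for this thread, not WordPress code and not a known WordPress bug: the same comment body is stored twice with Python's sqlite3, once by pasting it into the SQL text and once as a bound parameter. executescript() stands in for a database driver that accepts stacked statements, which is an assumption made for the demo; the comment bodies and table are constructed. No password is involved at any point, because the comment form already has the right to run its INSERT.

```python
import sqlite3

# Constructed comment bodies for the demo (not text from the thread).
BENIGN = "Great post, thanks!"
# Closes the open string literal, ends the INSERT, and appends a second statement.
HOSTILE = "nice'); DELETE FROM comments; --"


def fresh_db():
    """In-memory database with one pre-existing comment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute("INSERT INTO comments (author, body) VALUES ('admin', 'welcome')")
    conn.commit()
    return conn


def insert_vulnerable(conn, author, body):
    """Builds the SQL by pasting the comment text into the statement.

    executescript() runs whatever statements the resulting text contains; it
    stands in here for a driver that allows stacked queries (an assumption for
    the demo). Whatever rides along in the comment runs with the INSERT's
    privileges, so no database password is needed to damage the table.
    """
    sql = f"INSERT INTO comments (author, body) VALUES ('{author}', '{body}');"
    conn.executescript(sql)


def insert_safe(conn, author, body):
    """Sends the comment text as a bound parameter; it can never become SQL."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def demo():
    """Store the hostile comment both ways and report what survived."""
    results = {}
    vuln = fresh_db()
    insert_vulnerable(vuln, "visitor", HOSTILE)
    results["vulnerable_rows"] = row_count(vuln)   # the appended DELETE ran

    safe = fresh_db()
    insert_safe(safe, "visitor", HOSTILE)
    results["safe_rows"] = row_count(safe)         # admin + visitor
    results["safe_body"] = safe.execute(
        "SELECT body FROM comments WHERE author = 'visitor'").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

    Stand-alone it prints that the concatenated version left zero rows (the pasted text's DELETE emptied the table) while the parameterised version holds two rows and stored the hostile string literally as comment text. A harmless comment containing an apostrophe would likewise break the concatenated query, which is the other reason to bind parameters rather than trying to "check for badness" in the text.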


The topic ‘malicious javascript or SQL injection attack?’ is closed to new replies.