Definitely an attempted SQL injection attack there.
Getting them from Google and Microsoft may mean that they’ve indexed a page that features those links, which isn’t good news. You could try googling for those particular links to see if you can find the page(s) that they’re on.
If you’d like to see what they’re trying to do, you can use this site to decode the URLs. It will give you a better idea of the attempted exploit.
I’ve written a check for these into my homegrown system to check for common exploit code in the URLs, for instance “%28select”. When it’s found, it automatically bans the IP for an hour to give the system a break from the often rapid hits from the bot scripts. After an hour, the autoban drops off.
1st, thanks for your reply.
So I used that site you provided to decode the sample URL I provided, but the decoded results shown by that site look a lot like the URL that I entered!
Anyway, so you too are sure and confirming that the URLs I provided are MySQL injection type hacks?
And what about the fact that some, not all, but some of these URLs are originating from Google and Microsoft IPs?
And what are they exactly trying to do where the URLs start like:
and then switch to:
They all have that 999999 in the URLs that they fire by the 100s.
It’s more that because there is a page on the internet that provides SQL injection formatted links to other sites, when Googlebot indexes the page, it will also see those links too. Whenever Googlebot sees a link it doesn’t already know about, it will follow that link to index the new url as well.
That is how I think Googlebot is arriving at your site - somebody posted a link to your site on their web page, which Googlebot saw and thought, aha! I haven’t indexed that url yet, I’ll go look at it next.
Does that make sense?
If you try this search in google, you should get an idea of who’s linking to your site:
Without a doubt. You do see the MySQL commands they’re passing in the URL, correct? The union and selects are their attempt to find a way in.
The reason they’re using the 999’s is because they don’t want a legitimate return from the script, so they’re using an ID that will never be matched. They’re only interested in the part of the SQL statement they’re providing.
You’re getting hit tons of times because these scripts just loop through potential exploits hoping to get a promising response, for instance a MySQL error stating that no column named “theirVar” exists, letting them know that the SQL statement was passed unfiltered to the DB. Once that return is recorded by a script, the script kiddie will be notified and he’ll come do some personal work on an attempt to get access.
Finally, Google isn’t trying to hack your site. They follow links around the web and somewhere, someone thought your site looked promising and posted the URLs on a publicly accessible page, which the search engines then followed.
1st part of what you are saying makes sense.
But what does not make sense is why Google or Microsoft are entering these URLs like 600 times within an hour? Which BTW is the trigger that causes code that I have to block that IP and to inform us that an IP was blocked for engaging in suspicious acts.
So I can see as you have stated that Google or Microsoft are following a URL they found on another site, but would they do it like 600 times per Hour?
I’d be more likely to suspect that the person responsible is spoofing the user agent header in the requests. The numerous iterations are likely scripted to run through a catalogue of generally workable exploits.
If you take a look at your logs, do the ‘Google’ lines include an ip address? (They should)
running dig like this from the command line
dig -x $ip_addy <- replace $ip_addy with the actual ip address in your logs
should either confirm it is Google, or it’s all hacker related and with spoofed headers too.
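The reverse lookup above is only half of the check: a PTR record can be set to anything by whoever controls the address block, so the name it returns should be resolved forward and must give back the original address (forward-confirmed reverse DNS, which is also what Google's own Googlebot-verification guidance describes). This is an added example in Python, not code from anyone in the thread; the IP addresses and zone data are constructed so it runs offline, and the default lookups use the system resolver.

```python
import socket

# Suffixes Google's published Googlebot-verification guidance lists for crawler PTR names
# (assumption: check the current guidance before relying on this list).
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def verify_crawler(ip, allowed_suffixes=GOOGLE_SUFFIXES, ptr_lookup=None, addr_lookup=None):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A records, which must include ip.

    Returns (ok, detail). The lookup callables default to the real resolver and
    can be swapped for tables, which is how the offline demo below works."""
    ptr_lookup = ptr_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    addr_lookup = addr_lookup or (lambda h: socket.gethostbyname_ex(h)[2])
    try:
        host = ptr_lookup(ip).rstrip(".").lower()
    except OSError:
        return (False, "no PTR record")  # the 'belongs to Microsoft but no PTR' case
    if not host.endswith(allowed_suffixes):
        return (False, f"PTR name {host} is outside the crawler's domains")
    try:
        addrs = addr_lookup(host)
    except OSError:
        return (False, f"{host} does not resolve forward")
    if ip not in addrs:
        return (False, f"{host} resolves to {addrs}, not {ip}")  # forged or stale PTR
    return (True, host)

# Constructed zone data standing in for DNS so the check can be exercised offline.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",  # genuine crawler
    "192.0.2.11": "crawl-192-0-2-10.googlebot.com.",  # PTR forged to look like one
    "192.0.2.12": "host.example.net.",                # ordinary host
}
FAKE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"], "host.example.net": ["192.0.2.12"]}

def _table_lookup(table):
    def lookup(key):
        if key not in table:
            raise OSError("NXDOMAIN")
        return table[key]
    return lookup

def verify_offline(ip):
    """Same check, driven by the constructed tables above."""
    return verify_crawler(ip, ptr_lookup=_table_lookup(FAKE_PTR), addr_lookup=_table_lookup(FAKE_A))
```

Only 192.0.2.10 passes; the forged PTR on 192.0.2.11 fails because the crawler name does not resolve back to it.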
Well, that IP address certainly does seem to belong to Microsoft (despite the lack of a PTR record), so I’d guess the IP addy is indeed being spoofed in light of the fact that the urls in question are most certainly SQL injection attack attempts.
I take it you have tried those URLs on your own site yourself? Hopefully you’ve taken the appropriate steps already to prevent them from working (sanitised input, prepared statements, etc.)
They are coming from ip address of: 220.127.116.11
which maps to Google in Mountain View, so it must be a legit Google ip.
So again, are these URLs somehow Google trying to do a legit Crawling of our Site?
Or are they attempts at hacking our site, which I think they are to a 99% degree by looking at these URLs. But maybe I am wrong.
So what do you think?
Are these Hacks or legit Google crawling?
If they are hack attempts, how are they coming from a Google IP?
1st, yes we are protecting against such beasts. At least I hope.
2nd, but these URLs were issued by the IP address listed, which IP address is clearly that of Google in Mountain View. To be exact, these IP addresses were detected using the PHP command:
which of course captures the ip address of the source which issued that URL.
So what the heck is going on?
Is Google trying to HACK us? OTN, we run an alternative People powered search engine to Google, as you can read about it here: https://www.anoox.com/what_anoox_is.php
But I still cannot fathom that Google is trying to hack us, and the more logical explanation is that somehow someone else is trying to hack us, but how in God’s name are they using the actual IP address of Google servers???
Do you think that as a good defense against all sorts of such attacks, we should have code that checks all incoming URLs and if they contain “select+” then it will reject all such access?
Since all such hacks, as in the URLs I gave you, all have SeLeCt+ (with variations in case) in them.
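One way to build the decode-then-check idea from earlier in the thread (ban the IP for an hour on a “%28select” hit) together with the “select+” filter asked about here, as an added example in Python rather than the poster's PHP; it is not code from anyone in the thread. It decodes the URL before matching, so %28, %20, + and mixed case like SeLeCt cannot hide the keywords, and it matches SQL structure rather than the bare word “select”, so a legitimate search query containing that word is not rejected. The sample requests and IP addresses are constructed.

```python
import re
import time
from urllib.parse import unquote_plus

# Constructed sample hits modelled on the thread (999999 id, UNION/SELECT, mixed case, %-encoding).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/page.php?id=999999.9+UnIoN+SeLeCt+1,2,3--"),
    ("203.0.113.5", "/page.php?id=999999%20union%20%28select%201%29"),
    ("198.51.100.7", "/page.php?id=42"),
    ("198.51.100.7", "/search.php?q=select+the+best+option"),
]

# Match SQL structure, not the bare word "select" (a search for it must stay allowed).
SQLI_PATTERN = re.compile(
    r"union\s+(all\s+)?select\b|\(\s*select\b|\bselect\b.+\bfrom\b"
    r"|\b(and|or)\s+\d+\s*=\s*\d+|'\s*(or|and)\b",
    re.IGNORECASE,
)

def looks_like_sqli(raw_url):
    """Decode twice (catches %2528-style double encoding) before matching."""
    decoded = unquote_plus(unquote_plus(raw_url))
    return SQLI_PATTERN.search(decoded) is not None

class TempBanList:
    """Bans an IP for ban_seconds after a hit; the ban drops off by itself."""
    def __init__(self, ban_seconds=3600, clock=time.time):
        self.ban_seconds, self.clock, self._expires = ban_seconds, clock, {}

    def record_hit(self, ip):
        self._expires[ip] = self.clock() + self.ban_seconds

    def is_banned(self, ip):
        expiry = self._expires.get(ip)
        if expiry is not None and self.clock() < expiry:
            return True
        self._expires.pop(ip, None)  # expired or unknown: drop it
        return False

def process(requests, bans):
    # Returns (ip, url, decision) per request; an already banned IP is rejected outright.
    decisions = []
    for ip, url in requests:
        if bans.is_banned(ip):
            decisions.append((ip, url, "rejected: banned"))
        elif looks_like_sqli(url):
            bans.record_hit(ip)  # first bad hit starts the one-hour ban
            decisions.append((ip, url, "rejected: sqli pattern"))
        else:
            decisions.append((ip, url, "allowed"))
    return decisions
```

The clock is injectable so the one-hour expiry can be exercised without waiting; in production leave the default.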