Moodle in English: Security Attack?

Security Attack?

by Clive Gould - Tuesday, June 29, 2010, 4:01 PM

I encountered the following message in the server logwatch this morning:

GET /moodle/user/view.php?course=1&id=1%20and%201=2%20union%20select%20CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)%20/* HTTP/1.1 with response code(s) 404 1 responses

Any idea what vulnerability this is trying to exploit?

Thanks

Clive

Re: Security Attack?

by Mauno Korpelainen - Tuesday, June 29, 2010, 6:45 PM

It might be a bot testing if your site could be vulnerable to SQL injections and attempt most likely failed.

One of these mysterious bots:

http://securestate.blogspot.com/2009/03/analysis-of-real-world-hacking-attempt.html

http://secshoggoth.blogspot.com/2009/03/odd-sql-injection-attack.html

http://wirewatcher.wordpress.com/2009/11/13/cz32ts-an-interesting-banana/

Average of ratings: -

Re: Security Attack?

by Lars-Olof Krause - Thursday, September 16, 2010, 7:23 PM

this is an SQL-Injection Attack (which failed)
someone tried to reade out the database... this could be an direct attack or only an bot which tests several sites.
Moodle escapes the user-input befor passing it to the database, so your system should be secure.

At the moment we (a team of students - FH Gießen-Friedberg - University of Applied Sciences) are developing an Moodle-Intrusion-Detection & -Prevention System using PHP-IDS and Suhosin.
This Plugin can e.g. block users who try to inject-code or send warn mails to the administrator.
You as administrator can also see several statistics about the attempts to break into the system.

At the moment we are in the last phase of developement and commited the idea to moodle-developer.

hardmoodle@lok-soft.net

Average of ratings:Useful (1)

Re: Security Attack?

by Lars-Olof Krause - Wednesday, October 6, 2010, 6:48 PM

Our two Plugin

PHP-IDS / IPS
Administration for PHP-Extention "Suhosin"

are available at http://sourceforge.net/projects/hardeningmoodle/files/ these plugins are developed for moodle 2+ (which is RC1 at the moment, but will be released as stable soon)

Average of ratings:Useful (1)

Security and privacy

Security Attack?