So as the SQL injection attacks have rained down on my server for the past few days, my logs have been steadily filling up with data about the requests. Frankly, the data probably can't be trusted, it's all totally un-scientific, and doesn't really lead me any closer to the people responsible for the attacks. Regardless, I think it's pretty interesting. I've compiled some graphs and stats here.Like I said in the previous paragraph, this data probably can't be trusted. Just about anything can be spoofed from HTTP headers to IP addresses. The fact that these request are coming from computers compromised with a Trojan/bot/virus what-have-you, probably makes the data all the more suspect. I have been logging date/time, URL, IP address, whether or not they returned a cookie I tried to set, and user agent info. Through some screen scraping of a web service provided by the American Registry for Internet Numbers I mapped most of the IP addresses to a Country. At best, I'll assume the country is a guess, but it's better than nothing. As to the frequency of the attacks, here is a graph of the number per hour starting a days and a half ago when I began logging. Basically a steady decline from when it started, but with occasional peaks of activity.
All the attacks have been using the exact same string with two variations. One with a single tick before it and one without. The text which gets injected into your database includes a JavaScript file which tries to exploit a number of IE, Flash, and VB vulnerabilities. I guess the hackers figured they would try as many approaches as they could. I might blog the internals of all that stuff later. There are multiple layers of iframes including various things. I'm not sure how the exploited machines on the bot net send their requests to my server, but they either use Internet Explorer on the machine to send the request, or they spoof a user agent to appear the request is coming from IE. I assume the user agent has something to do with the victim's computer. I've seen almost 400 unique user agents. Almost all the requests claimed to be from Windows XP.
A small handful claimed to be Windows 2000.
63% of requests appeared to have SP2 installed for XP.
The most common user agent was:
[code]Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)[/code]
31% of requests identified themselves as IE 7
67% of requests identified themselves as IE 6
2% of requests identified themselves as both
Average requests from each unique IP address: 2.6
Fewest requests from an IP address: 1
Most requests received from an IP address: 10
It was interesting to note that 7% of the zombies returned a cookie that I set. I would have expected all or none of them to follow this one. Perhaps there are several versions of the bot out there that behave differently. Also, since most bots didn't give me very many hits, it's possible they didn't return the cookie because they didn't hit my site again after the initial cookie-setting hit. I think is shown by the fact that an IP was far more likely to return a cookie if they hit my site 4 or more times. Hits always seemed to be in multiples of two. This is probably because there were two versions of the URL being used. Both versions were probably fired off at the same time. 75% Bots that sent more than 2 hits returned my cookie. As far as the origin of my traffic, Australia won, hands down. The US came in second. This is only as accurate as the data found at the American Registry for Internet Numbers. You can look up a single IP by visiting http://ws.arin.net/whois/?queryinput=162.40.169.138. I used the following code to snag them en masse:
[code]<cfhttp url="http://ws.arin.net/whois/?queryinput=#ip_address#"></cfhttp>		
<cfset country = rereplacenocase(cfhttp.filecontent,"(.*Country:    )([A-Z]*)(.*)","\2","one")>
#ip_address#  -  #country#[/code]
Here is my break down by country:
Well, all this data doesn't tell me too much but I do find it all very interesting. I would love to get my hands on an infected machine. One thing I haven't been able to quite figure out is how the information about what servers to attack is sent out to the bot net. A number of the IPs that I tested appeared to be behind firewalls that blocked all the common ports at least. The only way for the computer to communicate with the coordinators of the attacks would be for it "call home" regularly to get instructions. If I had an infected machine to play around with, I would run a network sniffer on it and see who/what is was talking to. Probably just another proxy-- but it would be one step closer to the people behind all this. The malicious JS file that this attack wants to include on your website attempts to download and run a handful of executable files. I'm curious if they are unrelated malware, or if they will put your computer on the very bot net carrying out the attacks. I may take a spare machine, do a fresh install, and purposely infect it. Thing is though, I don't want it on my network. I'll have to think about that to see if I can do it safely.