This article introduces how to detect SQL injection attacks from the error_log once error logging is enabled in WordPress. What caught Cocoa's attention is that the source is the official blog of the SpiderLabs team at Trustwave, which looks interesting. For example, the articles under its Honeypot Alert label analyze the Apache access_log of a web honeypot. Here is a brief summary of the article.

Enable WordPress error logging

You only need to modify the following lines in wp-config.php:

    @ini_set('log_errors', 'on');
    @ini_set('display_errors', 'off');
    @ini_set('error_log', '/home/example.com/logs/php_error.log');

SQL injection scan

    [07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where id =-1\'' at line 1 for query SELECT text, author_id, date from where id =-1\'
    [07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where id = 999999.9 union all select 0x313032353438303536 -- ' at line 1 for query SELECT text, author_id, date from where id = 999999.9 union all select 0x313032353438303536 --
    [07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where id = 999999.9 union all select 0x31303235343830303536, 0x313032353438303035' at line 1 for query SELECT text, author_id, date from where id = 999999.9 union all select 0x31303235343830303536, 0x31303235343830303536 --

The log entries above show the number of columns in the table being brute-forced. The huge hexadecimal value will be parsed to null.

SQL blind injection scan

Attackers use functions such as "waitfor delay" and "benchmark" to perform blind injection.
    [07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id =-1; if (1 = 1) waitfor delay \'00:00:05\'-- ' at line 1 for query SELECT text, author_id, date from where id =-1; if (1 = 1) waitfor delay \'00:00:05\'--
    [07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id =-1 and if (1 = 1, BENCHMARK (8623333, MD5 (0x41), 0)' at line 1 for query SELECT text, author_id, date from where id =-1 and if (1 = 1, BENCHMARK (8623333, MD5 (0x41), 0)

Large-scale scanning via Google

Botnet operators may use infected hosts to identify potential targets. Below is a snippet of the RFI (Remote File Inclusion) attack code captured by the company's honeypot:

    sub google () {
        my @list;
        my $key = $_[0];
        for (my $i = 0; $i <= 400; $i += 10) {
            my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
            my $res = &search_engine_query($search);
            while ($res =~ m/<a href="\"?http:\/([^">\"]*)\//g) {
                if ($1 !~ /google/) {
                    my $link = $1;
                    my @grep = &links($link);
                    push(@list, @grep);
                }
            }
        return @list;
        # (the snippet ends here as quoted)

Cocoa's conclusion: The article is relatively simple, but detecting attacks from logs seems to be a popular trend.

References:
[Honeypot Alert] SQL Injection Scanning Detected in WordPress Error Logs
SpiderLabs Anterior
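
One way to triage a php_error.log like the one described above, as an added example that is not part of the original article or of the SpiderLabs post: it parses the wpdb error entries and labels the three patterns shown in the logs (quote probing, UNION column-count enumeration, time-delay functions). The regexes, label names and sample lines are assumptions constructed for this illustration; the optional "made by" suffix is what WordPress appends when it knows the calling functions.

```python
import re

# wpdb logs: "WordPress database error <msg> for query <sql>[ made by <callers>]"
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<err>.*?)"
                   r" for query (?P<query>.*?)(?: made by (?P<caller>.*))?$")
TIME_FUNCS = re.compile(r"waitfor\s+delay|benchmark\s*\(", re.I)
UNION_TAIL = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.*?)(?:--|#|$)", re.I)

def union_columns(query):
    """Count the values after UNION [ALL] SELECT: the column count being guessed."""
    m = UNION_TAIL.search(query)
    return len([v for v in m.group(1).split(",") if v.strip()]) if m else 0

def classify(query):
    checks = {"union_column_enum": union_columns(query) > 0,
              "time_based_blind": bool(TIME_FUNCS.search(query)),
              # odd count: an unbalanced quote reached the SQL statement
              "quote_probe": query.count("'") % 2 == 1}
    return [name for name, hit in checks.items() if hit]

def scan(log_text):
    """Return (timestamp, labels, union column count) per suspicious wpdb entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # PHP notices and other non-wpdb lines
        query = m.group("query")
        labels = classify(query)
        if labels:  # wpdb errors with no matching rule (e.g. missing table) are skipped
            findings.append((m.group("ts"), labels, union_columns(query)))
    return findings

# Constructed sample, abbreviated from the entries quoted in this article.
_E = "WordPress database error You have an error in your SQL syntax; ... at line 1 for query "
_Q = "SELECT text, author_id, date from where id = "
SAMPLE_LOG = "\n".join([
    "[07-Dec-2012 02:39:10] PHP Notice:  Undefined index: p in /home/example.com/index.php on line 3",
    "[07-Dec-2012 02:40:49] " + _E + _Q + r"-1\'",
    "[07-Dec-2012 02:40:50] " + _E + _Q + "999999.9 union all select 0x31 -- ",
    "[07-Dec-2012 02:40:53] " + _E + _Q + "999999.9 union all select 0x31, 0x31 -- ",
    "[07-Dec-2012 02:43:21] " + _E + _Q + r"-1; if (1=1) waitfor delay \'00:00:05\'-- ",
    "[07-Dec-2012 02:43:27] " + _E + _Q + "-1 and if(1=1,BENCHMARK(8623333,MD5(0x41),0)",
    "[07-Dec-2012 03:00:00] WordPress database error Table 'wp.x' doesn't exist for query SELECT * FROM x made by require",
])

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A rising union column count across consecutive entries (1, then 2 in the sample) is the column brute-forcing visible in the log; the labels are heuristics for triage, not proof of a successful injection.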