tags:

views:

85

answers:

4
+1  Q: 

is this an attempt of code injection or just spamming?

Hello, community! Once in a while we get registrations on our website similar to this one. (This is a transcript of an email notification):

New User Registration
FirstName: cowdqd
LastName: cowdqd
Company: nWJrFxUitwFMbnK
Email: [email protected]
Phone: oCFsfSHolrnx
Fax: -152
AddressLineOne: xRQgqnCOJkkoA
AddressLineTwo: obsDvktXDL
City: vqxXGZQgIplDwm
Province: AB
PostalCode: kgyabr
Country: CA
IncludedInPromotions: Yes
RequestInfo: No
Comments: x0EDw7 eecfocnmvwzu, [url=http://fvbppxzancnj.com/]fvbppxzancnj[/url], [link=http://tyflcliodtqa.com/]tyflcliodtqa[/link], http://ldklshrkpwwn.com/
RegistrationDate: February 24 2010

I thought it was spamming, but usually the emails and links are not even valid. Why would anybody want to do that?

+5  A: 

Sql injection tries don't look like that ;). This is just spam :). Sql-injection looks more like this:

' OR 't'='t';


http://stackoverflow.com/questions/2327413/is-this-an-attempt-of-code-injection-or-just-spamming/2327430#2327430'OR1=1
Younes  2010-02-24 16:02:10
+1  A: 

Why indeed...

It's not an injection attempt, it looks like a bot is trying to submit spam comments to blogs and has mistaken your registration form for a comment form. Annoying, but not an attack.

Mark B  2010-02-24 16:05:12
+1  A: 

You can normally tell SQL injection attempts as they look like snippets of code to some degree. This is bizarre in that unless they own those extremely bizarre domain names, there is no real benefit.

It could be someone just trialing / testing your form by typing with their Elbow... :P

Amadiere  2010-02-24 16:05:32
+2  A: 

This could be spam, or it could be someone doing a sort of "perimeter test" on your system to see if you use a captcha, if you validate certain types of data, if the data is posted somewhere public, etc.

For instance, the string "eecfocnmvwzu" looks random, but it might be specifically generated to be unique. An attacker can then do a search of your website looking for that string and, if it's found, they might know that they can script a form submission and have the results show up. Once they know that they might submit a new form that looks more legit but contains an attack of some kind, perhaps a XSS attack or a link to a website that hosts malware.

I don't know if that scenario is realistic, but it seems possible.

Seth Petry-Johnson  2010-02-24 16:10:00
Well, thanks for your insight. I had to wonder about this because it happens on average once a week, or every other week
Eduardo  2010-02-24 18:35:59

related questions

How can I inject PHP code at certain points of a string variable?
Reading Text from Another Application's Frame
[net]how to inject debugging code to an assembly?
Elevating rights to use mach_inject
Javascript security problem...
How to prevent code injection attacks in PHP?
Sharing memory between two processes (C, Windows)
Running JavaScript in a UIWebView before any other JavaScript is run
Finding a 3rd party QWidget with injected code & QWidget::find(hwnd)
How to Inject code in c# method calls from a separate app
Writing a very basic debugger
How to prevent Javascript injection attacks within user-generated HTML
Injecting a CLR host into a running process - possible?
Injecting properties into .NET classes post-compile
How would you force the System.Net.Socket.Connect() method to use a socks proxy (code injection vs external custom proxy)
Best way to inject your code into running WPF application
Do stackoverflow users agree with the CWE/SANS Top 25 most dangerous programming mistakes?
Why does automatic injection of log-object not always work in grails?
Hooking sycalls from userspace on Linux
Best way to inject functionality into a binary...
is code injection bad?
Cleaning/sanitizing xpath attributes
Can I inject a thread in a remote app domain from C#
Hooking syscalls from userspace on Windows
Code Injection With C#