This may be more of an Apache question but was wondering if any other MediaWiki users have seen this...
There was someone who we assume has been trying to break into our web system request URLS such as
/index.php?title=%53%70%65%63%69%61%6C%3A%52%65%63%65%6E%74%63%68%61%6E%67%65%73&d ays=14&limit=100&hidepatrolled=1%27%2F%2A%4E%2A%2F%6F%72%2F%2A%4E%2A%2F1%3D1%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F1%3D1%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A% 2F2%3D2%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F%27%61%27%3D%27%61
which in turn really is...
/index.php?title=Special%3ARecentchanges&days=14&limit=100&hidepatrolled=1%27%2F*N*%2For%2F*N*%2F1%3D1%2F*N*%2Fand%2F*N*%2F1%3D1%2F*N*%2Fand%2F*N*%2F2%3D2%2F*N*%2Fand%2F*N*%2F%27a% 27%3D%27a
Some requests look like possible SQL injections..
/index.php?title=Special%3ARecentchanges%2F*N*%2For%2F*N*%2F(select%2F*N*%2Fcount(*)%2F*N*%2Ffrom%2F*N*%2FINFORMATION_SCHEMA.tables%2F*N*%2Fwhere%2F*N*%2Fadmin_loginname%3Dadmin_loginname)%3D-1%2F*N*%2Fand%2F*N*%2F0%3D0&hidepatrolled=1&days=14&limit=100&hideanons=1
We haven't seen this happening in a while now but we cannot be 100% positive that the visitor was not successful in getting in..
Thanks!
On 8/3/09 2:47 PM, Liz Kim wrote:
This may be more of an Apache question but was wondering if any other MediaWiki users have seen this...
There was someone who we assume has been trying to break into our web system request URLS such as
That looks like a generic sql injection fuzz attempt tacking junk onto numbers in URL parameters in the hopes that something will catch a poorly-written bit of code.
You can enable the debug log and watch the actual queries being performed; you'll see nothing untoward.
-- brion
mediawiki-l@lists.wikimedia.org