Silk Road forums

Discussion => Security => Topic started by: ENBOOM on November 10, 2011, 09:17 am

Title: Random Messages from 1stdegree
Post by: ENBOOM on November 10, 2011, 09:17 am
Today I received 5 messages from 1stdegree within seconds of each other.

!S!WCRTESTINPUT000000<><><>!E!
!S!WCRTESTTEXTAREA000000!E!

subject'/**/and/**/'7'='7
!S!WCRTESTTEXTAREA000000!E!

subject
!S!WCRTESTTEXTAREA000000!E!'/**/and/**/'7'='7

subject
!S!WCRTESTTEXTAREA000000!E!

0
0

I'm not sure what's up. I don't know much about SQL injections or anything of the sort, but random messages like this DO freak me out a bit. Can anyone please explain if they know what's going on?
Title: Re: Random Messages from 1stdegree
Post by: Cgault on November 10, 2011, 02:16 pm
SQL injection only works when a string is parsed to a SQL processor, like a URL parsed to a database. A message is not a vector for SQL inj.

However, if someone wanted to track you, they might send that snippet, and possibly, maybe, by posting it in a forum, they could text mine and do network timing analysis to whittle down your location. Most likely not - they look like test control messages from a bot infected machine. SumYungai is the go-to man here.
Title: Re: Random Messages from 1stdegree
Post by: biscuit on November 10, 2011, 03:12 pm
change your password, right now

Title: Re: Random Messages from 1stdegree
Post by: mito on November 10, 2011, 03:25 pm
Could mods kick this suspicious user?
Title: Re: Random Messages from 1stdegree
Post by: ENBOOM on November 10, 2011, 06:48 pm
biscuit explanation?
Title: Re: Random Messages from 1stdegree
Post by: mito on November 10, 2011, 06:53 pm
^^^ preemptive move I guess.......
Title: Re: Random Messages from 1stdegree
Post by: Dongville on November 10, 2011, 07:39 pm
A message is not a vector for SQL inj.

This is incorrect. Messages sent on Silk Road have to be stored, and they are almost certainly stored in some sort of backing db. This is almost definitely an attempt at SQL injection, although I've never seen an attack vector similar. The good news is that the attacker is targeting Silk Road, not you. The bad news is that the attacker is targeting Silk Road.
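
Added example, not part of the thread and not any poster's or the site's code: the subject line quoted above, written to and looked up in a message store with string concatenation versus bound parameters. The SQLite table and all function names are assumptions made for the illustration; the message body is constructed.

```python
import sqlite3

# Subject line quoted in the thread.
PROBE = "subject'/**/and/**/'7'='7"

def new_db():
    # Hypothetical one-table message store (untyped columns keep each value's own type).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (subject, body)")
    return db

def store_concatenated(db, subject, body):
    # Vulnerable pattern: the message text becomes part of the SQL statement.
    db.execute("INSERT INTO messages VALUES ('%s', '%s')" % (subject, body))

def store_bound(db, subject, body):
    # Hardened pattern: the driver binds the values; they are never parsed as SQL.
    db.execute("INSERT INTO messages VALUES (?, ?)", (subject, body))

def stored_subject(store):
    # Save the probe with the given store function and read back what was kept.
    db = new_db()
    store(db, PROBE, "constructed body")
    return db.execute("SELECT subject FROM messages").fetchone()[0]

def matches(bound):
    # Look the probe up in a store holding one ordinary message titled "subject".
    db = new_db()
    store_bound(db, "subject", "constructed body")
    if bound:
        sql, args = "SELECT COUNT(*) FROM messages WHERE subject = ?", (PROBE,)
    else:
        sql, args = "SELECT COUNT(*) FROM messages WHERE subject = '%s'" % PROBE, ()
    return db.execute(sql, args).fetchone()[0]

if __name__ == "__main__":
    # Concatenated: the quote closes the literal and the rest is evaluated as SQL.
    print(repr(stored_subject(store_concatenated)))
    # Bound: the text is stored exactly as sent.
    print(repr(stored_subject(store_bound)))
    # Concatenated lookup matches the ordinary message; bound lookup matches nothing.
    print(matches(bound=False), matches(bound=True))
```

A message field that reaches the database through concatenation stores or matches the result of an expression; with bound parameters the same text is inert data.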
Title: Re: Random Messages from 1stdegree
Post by: Cgault on November 10, 2011, 08:42 pm
Taking a closer look: It looks like a script with a variable. SQL injection is an attack vector when a malformed URI is ingested by the webserver and passed to the database routine (or the program that calls the DB). I think the message body, correctly pointed out that it is probably stored in a MySQL type DB - but could be files. Anyhow, I am not jousting over n-tier web app theory - look at the URL above in your browser. Then look at the attack or script that we are discussing:

Forum URL:  http://dkn255hz262ypmii.onion/index.php?action=post;topic=5256.0;last_msg=44909

Unknown Snippet:  !S!WCRTESTINPUT000000<><><>!E!
!S!WCRTESTTEXTAREA000000!E!

subject'/**/and/**/'7'='7
!S!WCRTESTTEXTAREA000000!E!

Looks much like a text editor script to automate or generate replies to the forum, not a SQL attack - Caveat: It could be used theoretically to generate a SQL attack. Good practice for websites such as SR advocate escaping the URLs that have DB key fields embedded.
Title: Re: Random Messages from 1stdegree
Post by: biscuit on November 10, 2011, 08:54 pm
biscuit explanation?

after I've felt that I was violated, and am still in control of the user name, I will change the password
just something I do to feel less raped