1
peterr
New SQL injection attacks
  • 2008/9/26 13:17

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


I've noticed some entries in our web server's log that are new in format. As they were for Smartsection, I contacted Marcan from SmartFactory, who has been very helpful in advising about this problem.

It's not a Smartsection issue, but a new type of SQL injection attack.

Try this Google search:

http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=VCr&q=DECLARE%2520%40S%2520CHAR%284000%29%3BSET%2520%40S%3DCAST&btnG=Search

Some very helpful ways to address the problem. We use Protector, but I'm not sure Protector will know about this or pick up that there are problems. The logs we have returned a "200", and this is an issue I have raised before, that a "200" doesn't always mean 'all is well'.

If the XOOPS developers are looking to develop a module similar to Protector and have it included in a standard XOOPS release, then there would be certain words/phrases being passed in URLs that this new module could look for. This WebmasterWorld thread shows how .htaccess can address the problem.

http://www.webmasterworld.com/apache/3731562.htm

HTH

Peter



NO to the Microsoft Office format as an ISO standard.
Sign the petition
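The log check described in the post above, as an added example that is not part of the original thread: it scans Apache access-log lines for the `DECLARE @S CHAR(4000);SET @S=CAST` string from the search link and reports the status code returned for each hit. The log lines, IP addresses, paths and hex value are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Signature from the search string in the post: DECLARE @S CHAR(4000);SET @S=CAST
# Generalised (an assumption) to any variable name, CHAR/VARCHAR/NVARCHAR and length.
SIGNATURE = re.compile(
    r"DECLARE\s+@\w+\s+(?:N?VAR)?CHAR\(\d+\)\s*;\s*SET\s+@\w+\s*=\s*CAST\(",
    re.IGNORECASE,
)
# Apache common/combined log: host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%2520) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_injection_attempts(lines):
    """Return (host, time, status, target) for each request carrying the signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        if SIGNATURE.search(fully_decode(m["target"])):
            hits.append((m["host"], m["time"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines: documentation IP ranges, generic paths, placeholder hex.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2008:13:01:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Sep/2008:13:02:11 +0000] "GET /index.php?id=5;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x00 HTTP/1.1" 200 5120',
    '203.0.113.4 - - [26/Sep/2008:13:05:40 +0000] "GET /page.php?id=3;declare%2520@s%2520varchar(8000);set%2520@s=cast(0x00 HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for host, when, status, target in find_injection_attempts(SAMPLE_LOG):
        # A 200 only says the request was served; it was neither rejected nor proven harmless.
        note = "served normally, review the handler" if status == 200 else "not served"
        print(f"{when} {host} status={status} ({note}) {target[:60]}")
```

A hit with status 200 is the case the post raises: the server answered as usual, so the status code alone cannot be used to filter these requests out.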

2
ghia
Re: New SQL injection attacks
  • 2008/9/26 16:26

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


According to the web robot abuse blog, the hack
Quote:
doesn't look like they are attacking PHP; they are attacking ASP, Cold Fusion and Perl.

Nevertheless, they recommend a good .htaccess script from Hacking & Security. It acts as a kind of firewall against various kinds of SQL injections.

The advantage is that with this approach the attack is countered by Apache itself, so neither XOOPS nor Protector is disturbed or challenged.

I recommend that everyone should merge it into his .htaccess if possible!
