suspicious logged entries - User Agent is always "Mozilla/4.0 (compatible; Synapse)"

  • Question

  • User-1982395779 posted

    Not sure if this is the correct forum for this, but my web site is being hit with a lot of suspicious entries. Every day, I get a lot of hits where the User Agent is always "Mozilla/4.0 (compatible; Synapse)". They are almost always from different IP addresses, and all are from suspicious countries. The querystring almost always contains a "-1", such as: "n=-1%27"

    I've blocked all requests that contain the above user agent, but am worried that there may be legitimate attempts with this browser. 

    Can anyone shed any light on what this is?

    Here is the ip/country list that I received today:


    thanks,

    bert

    Friday, May 9, 2014 11:01 AM
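    The signature described in the question (the fixed user agent plus an encoded apostrophe in the query string) is straightforward to pull out of IIS W3C logs. The following is an added Python example, not code from the thread; the log excerpt is constructed, the client addresses are documentation-range placeholders, and the field list mirrors the standard IIS W3C header (IIS writes spaces inside the user agent as `+`).

```python
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the thread). IIS writes spaces in the
# user agent as '+', so "Mozilla/4.0 (compatible; Synapse)" appears as shown.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2014-05-09 10:12:01 10.0.0.5 GET /page.aspx n=-1%27 80 192.0.2.10 Mozilla/4.0+(compatible;+Synapse) 500
2014-05-09 10:12:02 10.0.0.5 GET /page.aspx n=-1%27 80 192.0.2.10 Mozilla/4.0+(compatible;+Synapse) 500
2014-05-09 10:15:44 10.0.0.5 GET /page.aspx n=42 80 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200
2014-05-09 10:16:09 10.0.0.5 GET /page.aspx id=5%27+or+%271%27%3D%271 80 198.51.100.9 curl/7.30.0 500
2014-05-09 10:18:30 10.0.0.5 GET /index.aspx - 80 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200
"""

SCANNER_UA = "Synapse"  # substring of the user agent reported in the question


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_probe(entry):
    """Flag the scanner UA, or any apostrophe once the query string is fully decoded."""
    ua = entry.get("cs(User-Agent)", "").replace("+", " ")
    query = unquote(entry.get("cs-uri-query", "").replace("+", " "))
    return SCANNER_UA in ua or "'" in query


def summarize(text):
    """Return (flagged entries, hits per client IP, number of probes that got a 500)."""
    flagged = [e for e in parse_w3c(text) if is_probe(e)]
    per_ip = Counter(e["c-ip"] for e in flagged)
    errors = sum(1 for e in flagged if e["sc-status"] == "500")
    return flagged, per_ip, errors
```

    The 500 count is the useful number for the defender: it shows how often the site answered a probe with exactly the error status the accepted answer says these bots are looking for.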

Answers

  • User-760709272 posted

    BertSirkin

    I roughly understand what SQL Injection is, but the query strings are rarely anything but "n=-1"; what could "-1" do?

    The -1 isn't important; it's what comes after it that is: the %27, which is an apostrophe. If you write code like this

    sql = "select * from table where field = '" & Request["n"] & "'"

    and n was "John" then the sql would be

    select * from table where field = 'John'

    if I request the url where n is -1' then the sql is

    select * from table where field = '-1''

    that is invalid and will cause your code to error, which means your site is open to sql injection attacks.  If you didn't trap errors then the response code will be 500.  So people write bots that make these requests and if the server responds with a 500 code then that site is flagged as being open to sql injection attacks.  Once the site is identified as such, a hacker will come along later and see if he can get any luck breaking your login etc, or if he recognises known software on it that he can attack.  So identifying possible targets is automated, and a human-based attack will follow up, or a more intensive script-based attack might follow up.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, May 26, 2014 10:27 PM
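    The point made above, worked end to end as an added Python/sqlite3 example (this is not code from the thread, whose site is ASP.NET; the in-memory table, the `John` row and the numeric check are constructed here): the concatenated query fails on `-1'` and would surface as the 500 the bots look for, the parameterized query treats the same value as plain data, and the numeric validation the questioner later adopted rejects it before any SQL runs.

```python
import sqlite3
from urllib.parse import unquote

# Constructed in-memory stand-in for the site's table (not from the thread).
conn = sqlite3.connect(":memory:")
conn.execute("create table tbl (field text)")
conn.execute("insert into tbl values ('John')")
conn.commit()


def lookup_concat(n):
    """The pattern the answer describes: the raw query-string value is spliced into SQL.
    With n = "-1'" the statement ends in field = '-1'' and the parser fails."""
    sql = "select * from tbl where field = '" + n + "'"
    return conn.execute(sql).fetchall()


def lookup_param(n):
    """Parameterized form: the value is bound, so the apostrophe is data, not syntax."""
    return conn.execute("select * from tbl where field = ?", (n,)).fetchall()


def lookup_validated(n):
    """The fix the questioner adopted: n must be an integer before any SQL is built."""
    if not n.lstrip("-").isdigit():
        raise ValueError("n must be an integer")
    return conn.execute("select * from tbl where field = ?", (int(n),)).fetchall()


def probe(raw_value, handler):
    """Decode one query-string value and return the status a web app would send back:
    200 with rows, 400 for rejected input, 500 when the SQL itself fails to parse."""
    value = unquote(raw_value)
    try:
        return 200, handler(value)
    except ValueError:
        return 400, []
    except sqlite3.Error:
        return 500, []
```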

All replies

  • User1140095199 posted

    Hi,

    Not sure if this is the correct forum for this, but my web site is being hit with a lot of suspicious entries. Every day, I get a lot of hits where the User Agent is always "Mozilla/4.0 (compatible; Synapse)". They are almost always from different IP addresses, and all are from suspicious countries. The querystring almost always contains a "-1", such as: "n=-1%27"

    I guess the Malicious User is trying SQL Injection Attacks.

    SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

    http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx

    Do NOT pass SqlParameters as String; rather, use Parameterized Queries and Validate User Inputs using jQuery or Validation Controls.

    For more reference on how to Prevent SQL Injection Attacks:

    http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev

    How To: Protect From SQL Injection in ASP.NET - http://msdn.microsoft.com/en-us/library/ff648339.aspx

    Validating ASP.NET Query Strings - http://msdn.microsoft.com/en-us/magazine/cc163462.aspx

    You might try to Block Certain QS and Requests, but the Malicious User will keep on changing his strategy, so better follow the information in the above articles and take preventive measures.

    Hope it helps!

    Best Regards!

    Monday, May 12, 2014 2:15 AM
  • User-1982395779 posted

    I roughly understand what SQL Injection is, but the query strings are rarely anything but "n=-1"; what could "-1" do?

    Monday, May 12, 2014 7:59 AM
  • User1140095199 posted

    Hi,


    I roughly understand what SQL Injection is, but the query strings are rarely anything but "n=-1"; what could "-1" do?

    Not sure what n-1 can do here exactly, but something like 1=1 can expose the entire table to the malicious user.

    select * from info where 1=1

    I would suggest you to use UrlScan.

    There's a great IIS7 Request Filter for protecting against nasty attacks, but UrlScan Beta 3.0 still has the edge on the filter for the time being. Version 3.0 of UrlScan adds:

    • Support for query string scanning, including an option to scan an unescaped version of the query string.
    • Change notification for configuration (no more restarts for most settings.)
    • UrlScan can be installed as a site filter.  Different sites can have their own copy, with their own configuration.
    • Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
    • Custom rules can be created to scan the URL, query string, a particular header, all headers or combination of these.  The rules can be applied based on the type of file requested.
    • Support for 64 bit IIS worker processes.

    Refer to the following article:

    http://www.hanselman.com/blog/HackedAndIDidntLikeItURLScanIsStepZero.aspx

    UrlScan Setup - http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-setup

    Hope it helps!

    Best Regards!

    Tuesday, May 20, 2014 5:55 AM
  • User913442891 posted

    Does your app send emails? Does your web.config have the following lines?

    <configuration>
      <!-- Add the email settings to the <system.net> element -->
      <system.net>
        <mailSettings>
          <smtp>
            <network
                 host="relayServerHostname"
                 port="portNumber"
                 userName="username"
                 password="password" />
          </smtp>
        </mailSettings>
      </system.net>
    
      <system.web>
        ...
      </system.web>
    </configuration>

    If yes to any of the questions...

    my answer would be... it's your host company.... Let me make an example: let's say you wrote code to notify you by email if there is an error on your site...

    Every time an error occurs, your hosting company will send an email to you with your credentials... it's not suspicious, it's your hosting company... unless you do not trust them.

    Monday, May 26, 2014 10:00 PM
  • User-1982395779 posted

    Thanks for that answer - that querystring was causing an error in my code initially, as I was expecting a numeric value. I've since changed my code to validate querystring parms, plus, I am routing any requests from that user agent to a blank page.

    Monday, May 26, 2014 10:56 PM