I had some spare time to do maintenance to the web sites I own, they were feeling very neglected, I must say.
Part of that maintenance involved looking through logs to determine what was causing a spike in resource utilization, since I have a shared resource plan and get hate mail when the hoster detects sustained usage over the level that I pay for.
At any rate, I discovered an attempted SQL injection attack from an IP in the Ukraine… here is the log entry (with the source IP left unedited):
22.214.171.124 - - [01/Feb/2015:16:05:54 -0500] "GET /arcade.php?act=Arcade&do=stats&comment=a&s_id=11%20AND%20(SELECT%201%20FROM%20(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(username,0x3a,password,0x3a,salt,0x3a,email)%20FROM%20user%20WHERE%20id%20=%201),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 404 236 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
Doing some research, it looks like this was probably someone using Kali/Metasploit to use a canned attack against a known issue with WordPress Photo Gallery.
For more, see:
Shame on you, bad guys. Shame on you. I did the obligatory “right thing” and reported the abuse to RIPE. It won’t make any difference, but it felt like doing nothing was a poor response.