Search Engine Link Poisoning via SQL Injection to URL Q=ABC'/**/or/**/1=@@version)--

This script seems to have only one design property, and that is to get this injection script indexed by search engines linking to your site. Once you discover this you might already have thousands of bad links. But there is a way to clean it up and prevent it from returning. (I think...)

I don't have a page called: Q=ABC'/**/or/**/1=@@version))-- but I can make one if you would like.

This article was first published based on reports from a single 24-hour period. After reviewing more than 30 days of reports, it has been identified that this type of SQL Injection has one serious impact on websites, and that is search engine link poisoning.

It is recommended that you not only guard against SQL Injection but also monitor links that have been indexed in major search engines.

Update: 7-18-2012:

I've searched and cannot find a single thing that points to any known SQL Injection for this code string. In fact, the more I look, the more I see other sites indexed with the same code strings.

I'm going to look at it completely differently, in a "Search Engine Poisoning" kind of way.

Each attack seems to start with a single page load from a few of the boys overseas. Then it's either a Mediapartners-Google bot or a Baidu bot that follows that same page load. From what I can see, it's Mediapartners-Google, and then (but not always) the Baidu bot or an unknown bot is right behind.

The pattern really seems to follow forms that adjust query strings. Here's an example from a quick search using only /**/or/**/1=@@version:

http://www. deejaylink. com/images/mypic.asp?pid=1003&tkwd=Ubu)/**/or/**/1=@@version--

The site link above shows the )/**/ pattern we have seen before and if you copy the link you'll see that it's part of the title.

Interesting that "Showing image from tag" .... then leaves the /**/ code.

My best guess is this is to corrupt the search indexes of those that run Adsense advertisements. I've not found any sites (as of this date with only a few searches) with this query string that didn't have Adsense advertisements.

If what I'm thinking is correct it's best that you start with a redirect code project to remove the /**/or/**/ strings from the query and then redirect them to the proper location.

Just my opinion and the end of the 7-18-2012 update.

Continued:

We all need to learn and this was one major learning experience regarding how to get your website indexed in major search engines with bad query strings.

It's the old "Two wrongs make it really wrong" in that some spider bots do not identify who they are, media bots follow the actual query string and SQL injection scripts designed to block will block even the good bots.

Now add what many sites have, such as bookmark links and dynamic update links, and you suddenly have a corrupted link pointing to your own website, created by your own code, which was designed to be flexible.

Here's the code that I'm running to tell the search engines to update their malformed links containing the /**/ SQL injection code.

The code below will work, but you need to have just a bit more than normal creative thinking when you are working on countermeasures. I would really like to share with you some of the more detailed versions, but if I did that you might think everything here is free. By the way, one line is missing.

' Only act when the request carries a referer (a crawler or a search-result
' click) and has a query string.
If Len(Request.ServerVariables("HTTP_REFERER")) > 10 And Len(Request.QueryString) > 1 Then
    strQueryStringItem = LCase(Request.QueryString)
    ' The string is lower-cased above, so the URL-encoded marker must be
    ' written in lower case too (%2f**%2f) or InStr never matches it.
    If InStr(strQueryStringItem, "/**/") >= 1 Or InStr(strQueryStringItem, "version))") >= 1 Or InStr(strQueryStringItem, "%2f**%2f") >= 1 Or InStr(strQueryStringItem, "%40%40") >= 1 Then
        Call CleanUpSearchIndex(Request.ServerVariables("SCRIPT_NAME"))
    End If
End If


Function CleanUpSearchIndex(strCUSI)
    Dim strQS, sRedirectPage
    If Len(Request.QueryString) > 0 Then
        strQS = Request.QueryString
        If InStr(1, strQS, "/**/", vbTextCompare) >= 1 Or InStr(1, strQS, "@@version", vbTextCompare) >= 1 Then

            ' vbTextCompare already makes Replace case-insensitive, so the query
            ' string is not lower-cased and the legitimate values keep their case.
            ' Longest patterns first, then the fragments they can leave behind.
            strQS = Replace(strQS, "'/**/or/**/1=@@version--))", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "/**/or/**/1=@@version--))", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "/**/or/**/", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "@@version", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "--))", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "--)", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "/**/", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "1=))--", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "'1=", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "))1=-2d", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, "1=)--2", "", 1, -1, vbTextCompare)
            strQS = Replace(strQS, ")1=--", "", 1, -1, vbTextCompare)

            ' Response.Redirect always answers with a 302, which would override
            ' the 301 status, so the Location header is set directly instead.
            sRedirectPage = "http://yourwebsite.com" & strCUSI & "?" & strQS
            Response.Status = "301 Moved Permanently"
            Response.AddHeader "Location", sRedirectPage
            Response.End
        End If
    End If
End Function

To make this work you need to test it with a good search query. The idea is to find your malformed links in Google, Bing, Yahoo, etc. and test them. I've created a second layer that basically does the above with better encode/decode from the search engines. You'll see what you need as you test things. If you're running ASP Classic send me a live chat request and I might have time to review your settings and code with you.

This code is from my ASP Classic websites, which are the only ones still running query string calls. (Except the search here.)

You can use the logic and write your own .NET and PHP code if you know how. (If you send a completed code script I'll add it here.)
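
The same cleanup logic in Python, as an added example (not the author's ASP code or the second layer mentioned above): it URL-decodes each parameter so the %2F**%2F and %40%40 forms are caught, cuts the value at the first marker, and returns the address to answer with a 301. The host example.test and the function names are assumptions, as is the rule that everything from the first marker to the end of a value was injected.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Markers from the article's check. parse_qsl() URL-decodes first, so the
# %2F**%2F and %40%40 forms are matched as well.
MARKER = re.compile(r"/\*\*/|@@version", re.IGNORECASE)


def clean_value(value):
    """Cut a parameter value at the first marker (assumption: the rest is injected)."""
    hit = MARKER.search(value)
    if hit is None:
        return value
    # Also drop the quote or bracket the injection put in front of the marker.
    return value[:hit.start()].rstrip("'\") ")


def redirect_target(url):
    """Return the clean URL to send as a 301 Location, or None if none is needed."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(name, clean_value(value)) for name, value in pairs]
    if cleaned == pairs:
        return None  # nothing injected: no redirect, so no redirect loop
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), ""))


if __name__ == "__main__":
    # Constructed sample URLs on a placeholder host.
    for sample in (
        "http://example.test/images/mypic.asp?pid=1003&tkwd=Ubu)/**/or/**/1=@@version--",
        "http://example.test/search.asp?Q=ABC%27%2F**%2For%2F**%2F1=%40%40version))--",
        "http://example.test/search.asp?Q=MixedCase",
    ):
        print(sample, "->", redirect_target(sample))
```

Because the other parameters are re-encoded rather than lower-cased, their values keep their original case, and a URL that is already clean is never redirected.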

The idea is to make sure the mediapartners-google and search engine bots do not index the malformed page. I have an alert that is sent each time a page is accessed so I can monitor the search engine updates.

A script that hits the page directly will bypass the HTTP Referer check, but for the scripts that follow, or when a person clicks on the search engine link, the link will be cleaned of "known" issues and redirected to the proper page.

 

You can try to whitelist but the issue is some of the bots are not identified and useragent isn't the best method of identifying a good bot from a bad.

I'll guess most of you don't have SQL Injection scripts monitoring your site, but you might have some static ones that need to be edited to match new patterns.

From my logs the patterns listed above in the code are the top used in this case.

From a simple little SQL Injection ....

Q=ABC'/**/or/**/1=@@version)--

I've found more damage is caused by the search engines actually indexing these new URLs as valid.

It's more 301 Status Codes for everyone to clear out the bad links but it has to be done.

I've looked at other sites in Google, Yahoo, Bing and they show the same thing. It leads to confusion when you attempt to identify who's actually running the script. Is it a surfer clicking on a search engine or is it the actual scripting bandit?

Who knows and really, who cares, right? (That's sarcasm by the way)
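
One way to approach that question from the access log, as an added example that is not the author's monitoring code: it finds requests carrying the /**/ or @@version markers (raw or URL-encoded) and sorts them into direct hits with no referer, declared crawlers, and clicks arriving from a search results page. The log lines are constructed, the combined log format and the crawler and search-engine name lists are assumptions, and the user agent is self-declared, so the crawler bucket is only a hint.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format (assumed): "METHOD url proto" status size "referer" "user agent"
LINE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
MARKER = re.compile(r"/\*\*/|@@version", re.IGNORECASE)
CRAWLERS = ("mediapartners-google", "googlebot", "bingbot", "baiduspider")  # UA substrings
SEARCH_REFERERS = ("google.", "bing.", "yahoo.", "baidu.")  # referer substrings

# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2012:10:01:02 +0000] "GET /search.asp?Q=ABC'/**/or/**/1=@@version-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [18/Jul/2012:10:01:40 +0000] "GET /search.asp?Q=ABC%27%2F**%2For%2F**%2F1=%40%40version-- HTTP/1.1" 200 5120 "-" "Mediapartners-Google"
198.51.100.4 - - [19/Jul/2012:08:15:00 +0000] "GET /search.asp?Q=ABC'/**/or/**/1=@@version-- HTTP/1.1" 200 5120 "http://www.google.com/search?q=abc" "Mozilla/5.0"
198.51.100.9 - - [19/Jul/2012:09:00:00 +0000] "GET /search.asp?Q=ABC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return the class of a marker-bearing request, or None for any other line."""
    m = LINE.search(line)
    if not m or not MARKER.search(unquote(m["url"])):
        return None
    ua, ref = m["ua"].lower(), m["ref"].lower()
    if any(name in ua for name in CRAWLERS):
        return "crawler"        # a bot following the poisoned link (self-declared UA)
    if any(name in ref for name in SEARCH_REFERERS):
        return "search-click"   # a visitor arriving from an indexed bad link
    if ref in ("", "-"):
        return "direct"         # no referer: the direct script hit
    return "other-referer"


def summarize(log_text):
    """Count marker-bearing requests per class; clean requests are ignored."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
```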

Search engine spam like image redirects, those ?http.htm php hacks and others lead to normal visitors being subjected to bad links.
Do your part and clear out the bad links and indexes by setting up a redirect when you detect the /**/ code in your URL.

Bottom line, it started from the network listed here and one in Russia. Not to say those are bad areas but they had either 1 or 2 people starting this mess that cost me time which is money.

But I learned a bit more about how people set up to trash good websites in search engines. Lucky for me it's only 600 or so bad links out of 47,000+.

Baidu as a search engine is off the hook but the 2 network addresses that were identified as first users of the scripts on only Adsense enabled websites are still blocked.

Have a great day!

If you have any questions about this article feel free to ask them.




