So we are investigating a rather weird incident. We have someone who appears to be attempting to crash our Internet-facing servers (running luminus). We have several weird failed username attempts, some with valid data (but wrong syntax) and some with what appears to be gibberish.
Look:
4 '@^Y@.@~q|wpmymzz2,&,2|pq{jvk@-1',@lvo.(,1-+*1)+1./.@+)*'
6 '@^Y@)@{vlk2++(2lvszqk@-1'+@lvo.(,1-+*1)+1))@&&/'
8 '@^Y@.@os~vq2,(/2os~vq@-1'+@lvo.(,1-+*1)+1+/@.(&'
9 '@^Y@.@{vlk2++(2lvszqk@-1',@lvo.(,1-+*1)+1./+@+)*'
9 '@^Y@.@{vlk2++(2lvszqk@-1',@lvo.(,1-+*1)+1(,@./*'
9 '@^Y@.@{vlk2++(2lvszqk@-1'+@lvo.(,1-+*1)+1..(@./*'
9 '@^Y@.@{vlk2++(2lvszqk@-1'+@lvo.(,1-+*1)+1.'(@&&/'
10 '@^Y@.@{vlk2++(2lvszqk@-1',@lvo.(,1-+*1)+1./(@+)*'
11 '@^Y@.@o()2,,*2|pq{jvk@-1',@lvo.(,1-+*1)+1((@./*'
11 '@^Y@.@os~vq2+(-2lvszqk@-1'+@lvo.(,1-+*1)+1./+@.(&'
12 '@^Y@.@{vlk2++(2lvszqk@-1'+@lvo.(,1-+*1)+1.),@.(&'
16 '@^Y@.@os~vq2,(/2os~vq@-1'+@lvo.(,1-+*1)+1.,)@./*'
17'@^Y@.@{vlk2++(2lvszqk@-1',@lvo.(,1-+*1)+1.*.@&&/
18 '@^Y@.@o()2,,*2|pq{jvk@-1'+@lvo.(,1-+*1)+1)'@+)*'
20 '@^Y@.@o()2,,*2|pq{jvk@-1'+@lvo.(,1-+*1)+1.,*@.(&'
A normal login on our site consists of 3 numbers and 3 letters (like CAB123, not a valid username, but valid syntax) or, if they are new, their "J number", which is an ID number that starts off with J, like J12345678.
I thought it may be injection, as another site suggested it was SQL injection, but then someone else claimed that it did not have any valid PHP or SQL syntax.
If you want to see this structure, take a string and throw it into Google; you will find analytics pages that show that this attack has been attempted again and again.
See:
https://www.google.com/search?q=%40^Y%40%29%40{vlk2%2B%2B%282lvszqk%40-1%27%2B%40lvo.%28%2C1-%2B*1%29%2B1%29%29%40%26%26%2F&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-USfficial&client=firefox-a
Any help would be appreciated!
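One triage step for strings like these, as an added example that is not part of the original post: parse the count-prefixed entries, try every single-byte XOR key on the first one, and rank the keys by how much of the output is plain identifier text. The single-byte XOR hypothesis, the scoring alphabet and all function names are assumptions of this example.

```python
import re
import string

# Two entries copied from the post's list (count, then the quoted username).
# The second is the entry that lacks a space and a closing quote.
LOG_LINES = [
    "6 '@^Y@)@{vlk2++(2lvszqk@-1'+@lvo.(,1-+*1)+1))@&&/'",
    "17'@^Y@.@{vlk2++(2lvszqk@-1',@lvo.(,1-+*1)+1.*.@&&/",
]

# Assumption of this example: decoded token text is mostly these characters.
PLAIN = set(string.ascii_letters + string.digits + "._-")

def parse_line(line):
    """Return (count, username), tolerating a missing space or closing quote."""
    m = re.match(r"\s*(\d+)\s*'(.*)$", line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    body = m.group(2)
    return int(m.group(1)), body[:-1] if body.endswith("'") else body

def xor_decode(text, key):
    """XOR every character code with one key byte."""
    return "".join(chr(ord(c) ^ key) for c in text)

def score(text):
    """Fraction of characters that fall inside the PLAIN alphabet."""
    return sum(c in PLAIN for c in text) / len(text) if text else 0.0

def rank_keys(text, top=3):
    """Try keys 1..255 and return the best (key, score, decoded) candidates."""
    ranked = sorted(((score(xor_decode(text, k)), k) for k in range(1, 256)),
                    reverse=True)
    return [(k, s, xor_decode(text, k)) for s, k in ranked[:top]]

def decode_log(lines):
    """Pick the best key from the first entry and apply it to every entry."""
    entries = [parse_line(line) for line in lines]
    key = rank_keys(entries[0][1], top=1)[0][0]
    return [(count, xor_decode(name, key)) for count, name in entries]

if __name__ == "__main__":
    for key, s, decoded in rank_keys(parse_line(LOG_LINES[0])[1]):
        print(f"key=0x{key:02x} score={s:.2f} {decoded!r}")
    for count, decoded in decode_log(LOG_LINES):
        print(count, decoded)
```

On the first entry the top-ranked key is 0x1F, and it is the only key for which every decoded character falls inside the scoring alphabet.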