Kavinda Munasinghe's Blog



Page 1 of 1 in the Miscellaneous category
 Thursday, May 22, 2008
Posted by Kavinda Munasinghe on Thursday, May 22, 2008 10:15:17 PM (Sri Lanka Standard Time, UTC+05:30)

The month of May seems to be a time for many SQL injection attacks around the world. Unfortunately, one of the sites affected by these attacks happens to be one that is administered by a friend of mine. As it so happens, the site was also developed by a friend, and I'm sure we can have a good time reminding him to give SQL injection the respect it deserves for a long time to come.

Anyway, getting back to the attack, I was able to get a few logs to see what was happening first hand. Here is a (modified) extract of the IIS logs that shows what had happened:

This particular attack, carried out from within China (WHOIS - 58.215.76.181), is pretty interesting: most of the SQL is obfuscated behind a very long hex string (CAST(0x HEX string)). I've removed the original string and replaced it with something harmless and much shorter in the above log entries.

The attacker has tried 2 slight variations of a SQL injection attack in the form of

1) /page.asp?pageID=2;SQLStatement;--

2) /page.asp?pageID=2';SQLStatement;--

The attacker keeps trying the above 2 combinations on different pages of the website till he gets a status 200 result; then he leaves.

So what has the attacker done in his SQL statement? To figure this out we can fire up SQL Server Management Studio and use pretty much the same code that the attacker used, except that we substitute the EXEC with a PRINT to view the query instead of running it.

-- Same statements the attacker sent, with EXEC replaced by PRINT so the
-- decoded SQL is displayed rather than executed.
DECLARE @S NVARCHAR(4000);
-- Paste the hex string from the log entry in place of the placeholder below.
SET @S = CAST(0xuseTheActualHexString AS NVARCHAR(4000));
PRINT(@S);

The attacker had queried all the user tables, found the column names in each of these tables that are used to store string values (text, nvarchar, varchar, etc.), then appended a <script> tag with a URL pointing to a malicious .js file to each of the column values. The SQL had also been "nice" enough not to replace the original values and only append to them, and it even properly deallocated and closed the cursors used in the attack query!
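As an added example (not code from the original post), here is a Python script that carries out the analysis above against constructed IIS W3C log lines: it flags requests matching either of the two shapes described (variant 1 is `pageID=2;...;--`, variant 2 is `pageID=2';...;--`), decodes the CAST(0x... AS NVARCHAR) hex the way SQL Server does (the bytes are UTF-16LE), and lists the source addresses whose attempt returned a 200, since the post notes the attacker moves on only after seeing one. The log lines, the IP addresses and the hex payload are all constructed for this example; the hex encodes a harmless PRINT statement rather than the script-insertion SQL the post describes.

```python
"""Added example, not code from the original post: scan IIS W3C log lines for
the two injection shapes described above, decode the CAST(0x... AS NVARCHAR)
payload the way SQL Server would (UTF-16LE), and flag source addresses whose
attempt returned HTTP 200.
"""
import re
from urllib.parse import unquote

# Harmless payload standing in for the attacker's hex string (constructed here).
HARMLESS_SQL = "PRINT 'constructed placeholder'"
PAYLOAD_HEX = HARMLESS_SQL.encode("utf-16-le").hex().upper()

# Constructed IIS W3C extended log lines; addresses come from documentation ranges.
SAMPLE_LOG = f"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-20 10:15:17 203.0.113.10 GET /page.asp pageID=2 200
2008-05-20 10:15:18 203.0.113.10 GET /page.asp pageID=2;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{PAYLOAD_HEX}%20AS%20NVARCHAR(4000));EXEC(@S);-- 500
2008-05-20 10:15:19 203.0.113.10 GET /page.asp pageID=2';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{PAYLOAD_HEX}%20AS%20NVARCHAR(4000));EXEC(@S);-- 200
2008-05-20 10:15:20 198.51.100.7 GET /news.asp pageID=7 200
"""

# A parameter value, an optional closing quote, a statement separator, the
# injected SQL and the trailing comment marker. The optional quote tells the
# post's variant 1 (2;) apart from variant 2 (2';).
INJECTION_RE = re.compile(r"=[^&;']*(?P<quote>'?);(?P<sql>.+);--\s*$", re.IGNORECASE)
CAST_HEX_RE = re.compile(r"CAST\(0x(?P<hex>[0-9A-F]+)\s+AS\s+NVARCHAR", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def decode_nvarchar_hex(hex_str):
    """Decode a 0x... literal as SQL Server does when CAST to NVARCHAR: UTF-16LE."""
    raw = bytes.fromhex(hex_str)
    if len(raw) % 2:
        raw += b"\x00"  # tolerate a truncated log line instead of failing
    return raw.decode("utf-16-le", errors="replace")


def scan_log(text):
    """Return one finding per request matching either injection shape."""
    findings = []
    for rec in parse_w3c(text):
        # IIS logs the query string URL-encoded; decode it before matching.
        query = unquote(rec.get("cs-uri-query", "").replace("+", " "))
        m = INJECTION_RE.search(query)
        if not m:
            continue
        cast = CAST_HEX_RE.search(m.group("sql"))
        findings.append({
            "ip": rec["c-ip"],
            "uri": rec["cs-uri-stem"],
            "status": int(rec["sc-status"]),
            "variant": 2 if m.group("quote") else 1,
            "decoded_sql": decode_nvarchar_hex(cast.group("hex")) if cast else None,
        })
    return findings


def successful_sources(findings):
    """Addresses whose injection attempt received HTTP 200."""
    return sorted({f["ip"] for f in findings if f["status"] == 200})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']} {f['uri']} variant={f['variant']} status={f['status']}")
        print("  decoded:", f["decoded_sql"])
    print("sources with a 200:", successful_sources(results))
```

The decoded statement is what the PRINT trick above shows in Management Studio; doing it from the log instead means every attempt can be reviewed without pasting attacker-supplied hex into a database session.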

The result of all that is that every website configured to use that database will start to display its pages as shown in the following Google search result. Innocent visitors of the site would in some cases be executing that .js file in their browser, which could cause all kinds of havoc depending on what is in the specified .js file.

SQL Injection Attack Victims

Recovering from the attack is straightforward: restore a clean backup of the database, or, if you really wanted to, you could just remove the appended <script .. > portion from all the column data using the same script that was used to insert it.

But how do we prevent this from happening again? Well, that's another post. Just remember to give SQL injection the respect it deserves.




Categories: Internet | Miscellaneous | Scripting



 Thursday, December 20, 2007
Posted by Kavinda Munasinghe on Thursday, December 20, 2007 2:58:05 PM (Sri Lanka Standard Time, UTC+05:30)
Yesterday I found out that Mobitel (Sri Lanka) doesn't have its GPRS/MMS settings online like Dialog GSM does. Even Google couldn't find them for me! After a little bit of searching online, I finally gave in and called Mobitel's customer support. After listening to a few songs and a recording that kept reminding me that the call was valuable to them and would be attended to soon, I was finally able to get the settings from them. So to save you the pain, here they are:

GPRS Settings:
Access Point: ISP

WAP Settings
- Data bearer: Packet data
- Access point name: isp
- Authentication: Normal
- Homepage: http://wap.mobitel.lk
- Network type : IPv4
- Phone ip address : Automatic
- Proxy serv. address : 192.168.050.163
- Proxy port number : 0


MMS Settings
- Connection name - MobitelMMS
- Data bearer – Packet data
- Access point name - wapmms
- Authentication - Normal
- Homepage - http://192.168.50.165
- Network type : IPv4
- Phone ip address : Automatic
- Name server : Automatic
- Proxy serv. address : 192.168.050.163
- Proxy port number : 8080


Now that Mobitel is supporting 3.5G HSPA technology, I'm sure they will add this information to their website soon.



Categories: Miscellaneous



 Friday, December 15, 2006
Posted by Kavinda Munasinghe on Friday, December 15, 2006 9:15:29 PM (Sri Lanka Standard Time, UTC+05:30)

Today I went to a presentation by the international Creativity Guru Fredrik Haren on "Creativity & Idea Generation". It proved to be quite eye-opening, or should I say thought-provoking! Here are a few things he talked about.

Ideas are in demand
More and more people are getting higher education, and information is widely and quickly available, especially now with the help of the internet. Therefore, considering what supply and demand does, the value of information and knowledge is going down. So "what's going to be valuable?" asks Fredrik. Ideas.

Schools kill creativity.

His point was that, before schooling, kids are full of ideas and have a fresh way of thinking. After having a school education, people are less creative. We seem to be stuck with what we learn by seeing, hearing, reading etc. Not to say that schooling is a bad thing, but maybe some things need to be changed.

If an adult were asked where they'd like to have an extra pair of eyes, "at the back of the head" would be the quick and usual answer; not creative. He asked this of a bunch of kids, and the answers were pretty creative: "on my finger tip" - to see around corners or inside small places, "in my big sister's room" - hmmm, "on my feet" - wanted to use them as roller blades, and even a kid who wanted them in the "back of the mouth" - so he could see his heart beating, and know that he's alive.

Why do schools kill creativity?
We are taught "the right way" of doing something. If you were asked to measure the height of a tall building using a barometer, the "correct" answer would be to "measure the pressure at the floor level and then at the roof, and calculate the height". The answer is "wrong" if, for example, it was answered as "throw the barometer off the roof, measure the time it takes to hit the ground, and calculate the height!" or "measure the barometer, the shadows of the barometer and the building, then calculate" or "threaten the owner with the barometer and ask for the answer" - creativity plus more.

It's easy
Coming up with a business idea could be simple: take two known things and combine them in a new way. You're done! Take for example iFill. It streams mp3 files from free radio stations directly to your iPod; combining radio broadcasts with the iPod in a new way.

Let ideas come to you.
Everybody has some place, time or activity that usually brings about ideas. When or where do you come up with your best ideas? Spend more time at it, give ideas an opportunity to come to you.

The Idea Book
A best seller that is basically 150 pages about ideas by Fredrik Haren, which also has 150 empty pages for the readers to write their own ideas! Quite a brilliant idea of Fredrik's, where he gets away with only writing half the book!

I've also got my hands on a copy of the book, so let the ideas begin!




Categories: Miscellaneous



 Monday, October 30, 2006
Posted by Kavinda Munasinghe on Monday, October 30, 2006 10:33:01 PM (Sri Lanka Standard Time, UTC+05:30)

Have you heard about the "Law of Attraction" and the intention-manifestation model of reality? Couldn't make head or tail of what that meant? Well, here is a short little podcast from Erin that makes understanding it as simple as ordering a roasted vegetable wrap at a fast food restaurant!




Categories: Miscellaneous



 Saturday, October 21, 2006
Posted by Kavinda Munasinghe on Saturday, October 21, 2006 7:47:04 PM (Sri Lanka Standard Time, UTC+05:30)

In Sanskrit, Deepavali literally means rows of lamps. Happy and peaceful Deepavali to all Hindus world over.

Deepavali is a major Hindu festival that symbolizes the victory of good over evil. [wikipedia]




Categories: Miscellaneous



 Thursday, October 05, 2006
Posted by Kavinda Munasinghe on Thursday, October 05, 2006 6:17:10 PM (Sri Lanka Standard Time, UTC+05:30)

Speed Reading - Read as fast as superman

Most people spend a considerable amount of time reading, be it reading books or what comes up in a Google search. If we are able to cut the time spent on reading in half, that itself would save a lot of time!

I've always been fascinated by the idea of being able to read fast. What's fascinating to me is that although you read fast, the level of comprehension does not diminish; in fact, some speed reading methods claim to actually increase comprehension!

Steve Pavlina has a post on how he tripled his reading speed using a method called PhotoReading. This method of course also requires that you invest around $250 on it. However, considering the advantages it could be a worthwhile investment for some.

I'll of course do a bit more research on Google regarding the subject before I make that investment. I'm sure there must be plenty of free advice to get started.

UPDATE: Just in case you're wondering, Steve's got some answers for your questions/doubts regarding PhotoReading in his latest post.




Categories: Miscellaneous



 Wednesday, March 15, 2006
Posted by Kavinda Munasinghe on Wednesday, March 15, 2006 1:22:39 PM (Sri Lanka Standard Time, UTC+05:30)

I just got this in my mail..


Before the computer age,

An APPLICATION was for employment.
A PROGRAMME was a television show.
WINDOWS were something you hated to clean.
A KEYBOARD was a piano.
MEMORY was something you lost with age.
A CD was a bank account.
COMPRESS was something you did to garbage.
LOG ON was adding wood to a fire.
A HARD DRIVE was a long trip on the road.
A MOUSE PAD was where a mouse lived.
And a BACKUP happened to your toilet.
CUT you did with scissors.
PASTE you did with glue.
A WEB was a spider's home.
And a VIRUS was flu




Categories: Miscellaneous



 Sunday, February 19, 2006
Posted by Kavinda Munasinghe on Sunday, February 19, 2006 9:58:25 PM (Sri Lanka Standard Time, UTC+05:30)

Thanks to Madura and Merill, I've got my blog up again!





Categories: Miscellaneous



 Thursday, September 01, 2005
Posted by Kavinda Munasinghe on Thursday, September 01, 2005 11:03:46 AM (Sri Lanka Standard Time, UTC+05:30)

One of my friends sent this to me today. It's pretty deep if you really think about it, but who has the time! We're all busy finding a better "cup".

A group of working adults got together to visit their University Lecturer. The lecturer was happy to see them. Conversation soon turned into complaints about stress in work and life. The Lecturer just smiled and went to the kitchen to get an assortment of cups - some porcelain, some plastic, some glass, some plain looking and some rather expensive and exquisite. The Lecturer offered his former students the cups to get drinks for themselves. When all the students had a cup of water in hand, the Lecturer spoke: "If you noticed, all the nice looking, expensive cups were taken up, leaving behind the plain and cheap ones. While it is normal that you only want the best for yourselves, that is the source of your problems and stress. What all of you wanted was water, not the cup, but we unconsciously went for the better cups." "Just like in life, if Life is Water, then the jobs, money and position in society are the cups. They are just tools to hold/maintain Life, but the quality of Life doesn't change." "If we only concentrate on the cup, we won't have time to enjoy/taste the water in it."

So my friends; Start to enjoy the water!




Categories: Miscellaneous



 Saturday, June 25, 2005
Posted by Kavinda Munasinghe on Saturday, June 25, 2005 7:01:03 PM (Sri Lanka Standard Time, UTC+05:30)

The last few weeks I've been unsuccessfully trying to wake up early in the morning. I do manage it once in a way, but still couldn't do it for more than a couple of days in a row.

I've been wanting to be an early riser for some time now, but it was Steve Pavlina's blog post on How to Become an Early Riser that actually got me started on this seriously, and with a plan! If you're into Personal Development you might want to consider reading Steve's Blog.

On a side note, although you might want to become an early bird, you definitely should not be an early worm, unless you want to end up eaten!




Categories: Miscellaneous






Copyright © 2008 Kavinda Munasinghe. All rights reserved.