Hacker trying to get info?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Hacker trying to get info?

    When looking through the search log, I noticed hundreds of search requests coming within seconds from one IP address. Is a hacker trying to hack my site through the Zoom search engine?

  • #2
    Just doing a search with normal search words will never result in a 'hack'.

    So it might be a denial of service attack. But they are normally from multiple different PCs, not just a single IP address.

    Or it might be a hacking attempt if they are not passing in normal search words, but are instead passing in SQL commands, PHP code or HTML code, in place of normal search words.

    If you are concerned that it might be a hacker, then you should ensure you are using the latest version of Zoom (V5.1.1004 or higher). Over the years we have fixed up a number of HTTP cross-site scripting (XSS) issues. Having these holes closed helps prevent exploitation of your site for nefarious purposes.

    We would need to see part of the log in order to comment more.


    • #3
      Ray,

      I zipped up a piece of the search log file and put it here:

      http://hauppauge.lightpath.net/support/searchlog.zip

      This kind of activity happens every few days, with the same word search. I think you are right: they are looking for a vulnerable page on our site. I just don't understand why the multiple searches on the same word. Any ideas? Denial of service would be my guess but these bursts of activity seem to happen for a short period of time, maybe 30 minutes or so.

      Is there any way to limit the number of searches a particular IP address can make within a period of time? Like maybe no more than one search per second from the same IP address?


      • #4
        Yes, this is definitely a hack attempt. But not a very good one, and it will never work against Zoom.

        It looks like a SQL injection attack type of attack.

        The SQL code the hackers are trying to insert is something like this.

        Code:
        @@version
        waitfor delay 0 0 20
        <script>@@version123</script>
        <script>alert123 /1 waitfor delay 0 0 20
        x ` alert123</script>
        x `....
        x waitfor delay 0 0 20 ....

        So in the Zoom log you can see stuff like this,

        Code:
        2007-09-24, 04:11:19, 216.35.7.104, "x waitfor delay '0 0 20'--", Matches=16

        Many sites have seen the same attack. Try searching for x waitfor delay on Google.

        This attack will never work on Zoom for the simple reason that Zoom doesn't even use a SQL database.

        This doesn't explain why they repeat the same attack so many times. It would make more sense for them to attempt the attack once, then move on to a new site after it doesn't work. But it might be a script-kiddy who has a hacker script, but doesn't really know how to use it.

        In any case I would block this IP address, using the .htaccess file on your server (if you are using Apache).
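Putting the advice from the two replies above into code, as an added example that is not part of the original forum posts and is not Zoom's or PassMark's own tooling: a small Python script that reads search-log lines in the layout quoted above, tags queries that carry the SQL-injection and script-tag probes seen in the thread, flags any IP that sends more than one request per second (the limit asked about in post #3), and emits an Apache .htaccess fragment denying the flagged addresses. The SAMPLE_LOG lines are constructed for this example (only the 216.35.7.104 "waitfor delay" entry is taken from the post; the 192.0.2.x addresses are a documentation range), the signature list and all function names are this example's own choices, and the .htaccess lines use Apache 2.2 Order/Allow/Deny syntax.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Zoom search-log layout quoted in the thread:
# date, time, client IP, quoted search words, match count. The IP and the
# "waitfor delay" query are taken from the log line in the post above; the
# rest are made up for this example (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
2007-09-24, 04:11:18, 216.35.7.104, "@@version", Matches=0
2007-09-24, 04:11:19, 216.35.7.104, "x waitfor delay '0 0 20'--", Matches=16
2007-09-24, 04:11:19, 216.35.7.104, "<script>alert(123)</script>", Matches=0
2007-09-24, 04:11:19, 216.35.7.104, "x' OR 1=1--", Matches=0
2007-09-24, 04:11:20, 216.35.7.104, "x waitfor delay '0 0 20'--", Matches=16
2007-09-24, 04:12:05, 192.0.2.10, "wintv drivers", Matches=42
2007-09-24, 04:12:40, 192.0.2.11, "remote control", Matches=7
"""

LOG_LINE = re.compile(r'^(\S+), (\S+), (\S+), "(.*)", Matches=(\d+)\s*$')

# Hypothetical signatures chosen for this example: the probes seen in the
# thread (MSSQL time delay, @@version, a <script> tag) plus two common
# SQL-injection idioms. Real tooling would use a broader, maintained list.
SIGNATURES = [
    ("sqli-time-based", re.compile(r"waitfor\s+delay", re.I)),
    ("sqli-mssql-fingerprint", re.compile(r"@@version", re.I)),
    ("sqli-tautology", re.compile(r"\bor\b\s*['\"]?\s*\d+\s*=\s*\d+", re.I)),
    ("sqli-comment", re.compile(r"--\s*$|/\*")),
    ("xss-script-tag", re.compile(r"<\s*/?\s*script", re.I)),
]


def parse_log(text):
    """Turn raw log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        date, time, ip, query, matches = m.groups()
        entries.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip,
            "query": query,
            "matches": int(matches),
        })
    return entries


def classify(query):
    """Names of every signature the search string trips (empty if none)."""
    return [name for name, rx in SIGNATURES if rx.search(query)]


def max_burst(timestamps, window_seconds=1):
    """Largest number of requests falling inside any window_seconds span."""
    times = sorted(timestamps)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
            j += 1
        best = max(best, j - i)
    return best


def suspicious_ips(entries, window_seconds=1, max_per_window=1):
    """Map IP -> reasons, for IPs that sent injection-looking queries or
    exceeded max_per_window requests in any window_seconds span."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, ents in by_ip.items():
        reasons = sorted({tag for e in ents for tag in classify(e["query"])})
        burst = max_burst([e["ts"] for e in ents], window_seconds)
        if burst > max_per_window:
            reasons.append(f"{burst} requests within {window_seconds}s")
        if reasons:
            flagged[ip] = reasons
    return flagged


def htaccess_deny(ips):
    """Apache 2.2-style .htaccess fragment blocking the given IPs
    (Apache 2.4 uses Require directives; mod_access_compat keeps these working)."""
    lines = ["Order allow,deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_ips(parse_log(SAMPLE_LOG))
    for ip, reasons in flagged.items():
        print(ip, ", ".join(reasons))
    print(htaccess_deny(flagged))
```

Run against the sample, the script reports 216.35.7.104 for all five signature hits plus four requests inside one second, and prints a `Deny from 216.35.7.104` line; the two ordinary searchers are not flagged. This is after-the-fact log review: it answers the question of whether a burst was a probe, but enforcing a per-IP rate limit in real time has to happen in front of the search script, at the web server (for Apache, a module such as mod_evasive) or a firewall, not in the log reader.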


        • #5
          Thanks for the links. I bet the person doing this was trying to get through the Zoom engine which they thought might be SQL based.

          Our site doesn't use SQL either, but I'll keep an eye on the logs.



          • #6
            Given how widespread the attack was, across many different sites and scripts, I think it was an automated attack. The hacker probably wrote a script to automatically probe any site that has an HTML form, hoping to come across a SQL weakness by chance.