100,000 MySQL injection attacks in a few days

Recently my site has been hit with huge numbers of injection attacks. Right now, I trap them and return a static page.

Here’s what my URL looks like:


This is what an attack looks like:


I know for sure that this isn’t just a bad link or fat-fingered typing so I don’t want to send them to an overview page. I also don’t want to use any resources on my site delivering a ‘missing’ page.

Based on a couple of comments on Stack Overflow, I looked up how to return ‘page not found’. This Stack Overflow answer by icktoofay suggests sending a 404 and then calling die(); – the bot thinks that there isn’t a page and might even go away, and no resources are used to display a page-not-found message.

Here’s what mostly works.

header("HTTP/1.0 404 Not Found");
die();

I still get attempts, but they usually only try 20 or so times and then they go away for a few days.
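The trap-then-404 approach above, written out as an added example (this is not the site's own code). It assumes the page is selected by a numeric query parameter named `id`; that name, the `pages` table and the in-memory SQLite database are hypothetical stand-ins so the script runs offline.

```php
<?php
// Added example. Parameter name "id", table "pages" and the SQLite
// in-memory database are assumptions for illustration only.

function reject_request(): void
{
    // Bare 404 with no body, then stop: no template, no database work.
    http_response_code(404);
    exit;
}

function parse_page_id(array $query): ?int
{
    $raw = $query['id'] ?? null;
    // is_string() rejects array-style input such as ?id[]=1.
    if (!is_string($raw)) {
        return null;
    }
    // Allow-list: 1 to 9 ASCII digits and nothing else (\z = true end of string).
    if (preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

$id = parse_page_id($_GET);
if ($id === null) {
    reject_request();   // injection attempts end here, before any query runs
}

// Only validated requests reach the database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages VALUES (1, 'Constructed sample row')");

// A bound parameter keeps the query safe even if validation is loosened later.
$stmt = $db->prepare('SELECT title FROM pages WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$title = $stmt->fetchColumn();

if ($title === false) {
    reject_request();   // well-formed id that does not exist: same bare 404
}
echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
```

Because both rejected and unknown ids receive the same empty 404, the response gives an automated scanner nothing to distinguish a blocked probe from a missing page.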
