> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$ violation.htm [nc,L]
Ok, that looks short and simple enough that maybe I can handle
with 156 emails from the list.
I have never used mod_rewrite or whatever, so I guess I should
put these on my VPS running MySQL and IIS6?
If so, is there a simple explanation of how to do it? Oh wait, this
came from the cf-linux list. The mod is a linux deal only, right?
You guys have got me worried...
Rick
> -----Original Message-----
> From: Terry Ford [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 08, 2008 1:21 PM
> To: CF-Linux
> Subject: Re: SQL injection attacks getting out of control
>
> Ok... here's what appears to be hitting us:
>
> http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
>
> I decoded the hex in the attack strings I'm seeing right now, and most of
> them are pointing to
> http://sdo.1000mg.cn/csrss/w.js.
>
> That is the Asprox botnet, which went through ASP sites a few months ago...
> looks like they recruited a bunch of drones, and those drones have moved
> from ASP (verynx attacks) to attack CF. Pretty ingenious really, infecting
> websites via injection attack in order to infect clients with browser
> vulnerabilities.
>
> The more CF sites that get infected, the more drones that are recruited, and
> the more persistent the attacks become.
>
> In theory this should taper off as the botnet moves on to their next target.
> Looks like it's hitting sites such as houseandfusion and our site hardest,
> which each have zillions of pages indexed in Google (the botnet chooses
> target pages from Google searches).
>
> Whatever the case, from what I've seen on CF-talk it appears that these
> attacks infected a lot of CF servers, and as such we're likely going to be
> targeted hard in all manners of attacks in the future.
> Looks like a good lesson against CF sloppiness.
>
>
> p.s. we're up to 62000 attack attempts now in 5 hours. Still accelerating,
> but thankfully not
> exponential.
>
> Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to
> be working:
>
> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$ violation.htm [nc,L]
>
> Interesting philosophical thought: I can't help but believe that the URL
> rewriting we do over much of our site (product.cfm?id=14 appearing as
> /product/14.html etc etc) has helped reduce the attacks significantly. It
> seems to me that such URL rewriting is actually a very important security
> tool, as we enter a period where botnets start targeting .cfm pages. I plan
> on increasing our CFM obfuscation over the coming weeks to help hide CF from
> the search engines and automated attacks. Seems to me that it's a lot safer
> presenting your entire site as HTML to the outside world.
>
> Regards
> Terry
>
>
>
>
> --- On Fri, 8/8/08, Wil Genovese <[EMAIL PROTECTED]> wrote:
>
> > From: Wil Genovese <[EMAIL PROTECTED]>
> > Subject: Re: SQL injection attacks getting out of control
> > To: "CF-Linux" <[email protected]>
> > Date: Friday, August 8, 2008, 12:11 PM
> > what is your rewrite rule? I'm ok with mod-rewite, but
> > no expert
> > that's for sure.
> >
> >
> > Wil Genovese
> >
> > One man with courage makes a majority.
> > -Andrew Jackson
> >
> > A fine is a tax for doing wrong. A tax is a fine for doing
> > well.
> >
> >
> >
>
>
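Terry's message mentions decoding the hex in the attack strings to find the script URL they inject. The script below is an added example (not code from anyone on this list) that does that over Apache access-log lines: it URL-decodes each query string, looks for the T-SQL keywords the attack relies on, decodes any `0x...` literal, and pulls out the URLs inside. The log lines and the hex payload are constructed; the placeholder decodes to a script tag pointing at the reserved name `example.invalid`, not at a real attack host.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed placeholder for the script the decoded hex would reference.
# A real Asprox payload pointed at an attacker-controlled .js file; this one
# uses an RFC 2606 reserved name and resolves nowhere.
PLACEHOLDER_TAG = '<script src="http://example.invalid/w.js"></script>'
PLACEHOLDER_HEX = PLACEHOLDER_TAG.encode("ascii").hex().upper()

# Constructed Apache combined-format log lines: one ordinary request and one
# carrying a hex-encoded injection attempt in the query string.
SAMPLE_LOG = "\n".join([
    '198.51.100.4 - - [08/Aug/2008:13:21:00 -0500] '
    '"GET /product.cfm?id=14 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [08/Aug/2008:13:21:05 -0500] '
    '"GET /product.cfm?id=14;dEcLaRe%20@S%20varchar(4000);'
    'cast(0x' + PLACEHOLDER_HEX + '%20as%20varchar(4000)) HTTP/1.1" '
    '200 5120 "-" "Mozilla/4.0"',
])

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords the hex-encoded injection depends on; matched case-insensitively,
# unlike a RewriteCond on %{QUERY_STRING} without the NC flag.
KEYWORD_RE = re.compile(r'\b(declare|cast|exec)\b', re.IGNORECASE)
# A T-SQL binary literal: 0x followed by a run of hex digits.
HEX_RE = re.compile(r'0x([0-9a-f]{8,})', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def decode_hex_literal(hex_digits: str) -> str:
    """Decode the digits of a 0x... literal (prefix already stripped) to text."""
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]  # drop a dangling nibble from a truncated line
    raw = bytes.fromhex(hex_digits)
    # Payloads of this family were ASCII or UTF-16LE; dropping NUL bytes makes
    # both readable without guessing the encoding.
    return raw.replace(b"\x00", b"").decode("latin-1")


def inspect_target(target: str) -> Optional[dict]:
    """Return a finding for a request target (path?query), or None if clean."""
    _, _, query = target.partition("?")
    if not query:
        return None
    decoded = unquote(query)  # inspect the URL-decoded form, not the raw bytes
    keywords = sorted({k.lower() for k in KEYWORD_RE.findall(decoded)})
    payloads = [decode_hex_literal(h) for h in HEX_RE.findall(decoded)]
    urls = [u for p in payloads for u in URL_RE.findall(p)]
    # Flag on the DECLARE keyword (what the rewrite rule keys on) or on a hex
    # literal that decodes to something carrying a URL.
    if "declare" not in keywords and not urls:
        return None
    return {"keywords": keywords, "payloads": payloads, "urls": urls}


def scan_log(lines) -> List[dict]:
    """Scan combined-format log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_target(m.group("target"))
        if hit:
            hit.update(client=m.group("client"), ts=m.group("ts"),
                       target=m.group("target"))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['client']} keywords={f['keywords']} urls={f['urls']}")
```

Two details matter when comparing this with the rewrite rule in the thread. First, the scan works on the URL-decoded query string, whereas `%{QUERY_STRING}` in a RewriteCond is the raw, still-encoded string, so `%44ECLARE` would slip past the rule. Second, the scan is case-insensitive; the `[nc]` flag on the RewriteRule applies only to the rule's own pattern, so the RewriteCond as written matches uppercase `DECLARE` only, and a `[NC]` flag on the RewriteCond line is what closes that gap.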
Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4435