Rick, I believe this current wave of attacks is only targeting MS SQL
Server. You mention you are using MySQL, so *this* particular attack
should be of no concern to you.
-Ryan
Rick Faircloth wrote:
>> RewriteCond %{QUERY_STRING} .*DECLARE.*
>> RewriteRule ^(.*)$ violation.htm [nc,L]
>>
>
> Ok, that looks short and simple enough that maybe I can handle
> with 156 emails from the list.
>
> I have never used any mod_rewrites or whatever, so I guess I should
> put these on my VPS running MySQL and IIS6?
>
> If so, is there a simple explanation of how to do it? Oh wait, this
> came from the cf-linux list. The mod is a linux deal only, right?
>
> You guys have got me worried...
>
> Rick
>
>
>
>> -----Original Message-----
>> From: Terry Ford [mailto:[EMAIL PROTECTED]
>> Sent: Friday, August 08, 2008 1:21 PM
>> To: CF-Linux
>> Subject: Re: SQL injection attacks getting out of control
>>
>> Ok... here's what appears to be hitting us:
>>
>> http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
>>
>> I decoded the hex in the attack strings I'm seeing right now, and most of
>> them are pointing to http://sdo.1000mg.cn/csrss/w.js.
>>
>> That is the Asprox botnet, which went through ASP sites a few months ago...
>> looks like they recruited a bunch of drones, and those drones have moved
>> from ASP (verynx attacks) to attack CF. Pretty ingenious really, infecting
>> websites via injection attack in order to infect clients with browser
>> vulnerabilities.
>>
>> The more CF sites that get infected, the more drones that are recruited, and
>> the more persistent the attacks become.
>>
>> In theory this should taper off as the botnet moves on to their next target.
>> Looks like it's hitting sites such as houseandfusion and our site hardest,
>> which each have zillions of pages indexed in Google (the botnet chooses
>> target pages from Google searches).
>>
>> Whatever the case, from what I've seen on CF-talk it appears that these
>> attacks infected a lot of CF servers, and as such we're likely going to be
>> targeted hard in all manners of attacks in the future.
>>
>> Looks like a good lesson against CF sloppiness.
>>
>>
>> p.s. we're up to 62000 attack attempts now in 5 hours. Still accelerating,
>> but thankfully not exponential.
>>
>> Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to
>> be working:
>>
>> RewriteCond %{QUERY_STRING} .*DECLARE.*
>> RewriteRule ^(.*)$ violation.htm [nc,L]
>>
>> Interesting philosophical thought: I can't help but believe that the URL
>> rewriting we do over much of our site (product.cfm?id=14 appearing as
>> /product/14.html etc etc) has helped reduce the attacks significantly. It
>> seems to me that such URL rewriting is actually a very important security
>> tool, as we enter a period where botnets start targeting .cfm pages. I plan
>> on increasing our CFM obfuscation over the coming weeks to help hide CF from
>> the search engines and automated attacks. Seems to me that it's a lot safer
>> presenting your entire site as HTML to the outside world.
>>
>> Regards
>> Terry
>>
>>
>>
>>
>> --- On Fri, 8/8/08, Wil Genovese <[EMAIL PROTECTED]> wrote:
>>
>>
>>> From: Wil Genovese <[EMAIL PROTECTED]>
>>> Subject: Re: SQL injection attacks getting out of control
>>> To: "CF-Linux" <[email protected]>
>>> Date: Friday, August 8, 2008, 12:11 PM
>>> what is your rewrite rule? I'm ok with mod-rewrite, but
>>> no expert
>>> that's for sure.
>>>
>>>
>>> Wil Genovese
>>>
>>> One man with courage makes a majority.
>>> -Andrew Jackson
>>>
>>> A fine is a tax for doing wrong. A tax is a fine for doing
>>> well.
>>>
>>>
>>>
>>>
>>
>
>
Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4436
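
A log check for the request shape discussed in this thread, added here as an example and not part of any poster's message: it flags query strings that carry DECLARE and decodes any CAST(0x...) blob for review, the way Terry describes decoding the hex by hand. It percent-decodes and ignores case, which goes beyond the quoted rewrite condition (in mod_rewrite the `[nc]` flag on a RewriteRule does not apply to its RewriteCond). The log lines, the harmless hex payload, the combined-log format and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log style (not taken from the thread).
# The hex blob is the harmless text "SELECT 1".
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2008:13:01:02 -0400] "GET /product.cfm?id=14 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Aug/2008:13:01:05 -0400] "GET /product.cfm?id=14;DECLARE%20@S%20'
    'VARCHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20VARCHAR(4000));-- HTTP/1.1" 200 5120',
    '203.0.113.5 - - [08/Aug/2008:13:01:09 -0400] "GET /news.cfm?id=3;%44eclare%20@s%20varchar(99) HTTP/1.1" 200 811',
    '192.0.2.44 - - [08/Aug/2008:13:02:11 -0400] "GET /search.cfm?q=undeclared+variables HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
DECLARE_RE = re.compile(r"\bDECLARE\b", re.IGNORECASE)   # keyword only, any case
HEX_CAST_RE = re.compile(r"CAST\(\s*0x([0-9a-f]+)\s+AS\s", re.IGNORECASE)

def decode_query(raw, rounds=2):
    """Percent-decode up to `rounds` times so %44ECLARE and %2544ECLARE normalise."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def decode_hex_blob(hex_text):
    """Render a 0x... blob as text for an analyst; NULs dropped for UTF-16LE-style blobs."""
    data = bytes.fromhex(hex_text[: len(hex_text) // 2 * 2])  # ignore a dangling nibble
    return data.replace(b"\x00", b"").decode("latin-1")

def scan(log_lines):
    """Return one finding per request whose decoded query string contains DECLARE."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        path, query = m.group(1).split("?", 1)
        query = decode_query(query)
        if not DECLARE_RE.search(query):
            continue
        blobs = [decode_hex_blob(h) for h in HEX_CAST_RE.findall(query)]
        findings.append({"client": line.split()[0], "path": path, "decoded": blobs})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```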