Our site has now seen just over 200,000 attack attempts over the past 48 hours, 
73,000 attack attempts over the past 5 hours.

Not nearly a DOS concern yet, as the acceleration of attacks has started to at 
least flatten a bit over the last 2-3 hours, but we're watching it carefully.

The attacks appear to only affect MSSQL.  MySQL seems to be safe from THIS 
attack, but clearly it's time to batten the hatches if you haven't already.

We have 1.2 million pages indexed in Google, where the botnet is extracting 
URLs from.   The level of the attack you are witnessing is likely proportional 
to your presence in Google.

The attacks are ONLY against our .CFM pages.   No attacks are being run against 
our obfuscated CFM pages (product.cfm?id=12 => /product/12.html ).

Here's the botnet attack that appears to be hitting us all:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

Decoding the hex of our current attacks and most of them are pointing to 
http://sdo.1000mg.cn/csrss/w.js (malware).   

That is the Asprox botnet, which has been going through ASP sites for a 
while...  looks like they recruited a bunch of drones, and those drones have 
moved from ASP (verynx attacks) to attack CF.   Pretty ingenious really, 
infecting websites via injection attack in order to infect clients with browser 
vulnerabilities.

The more CF sites that get infected, the more drones that are recruited, and 
the more persistent the attacks become. 

Here's the rewrite I'm using (linux apache) to keep traffic off the app server.

# Block any request whose raw query string contains DECLARE (case-insensitive,
# so the [NC] belongs on the condition as well as the rule)
RewriteCond %{QUERY_STRING} DECLARE [NC]
RewriteRule ^(.*)$  violation.htm [NC,L]

Interesting philosophical thought:   

I can't help but believe that the URL rewriting we do over much of our site 
(product.cfm?id=14  appearing as /product/14.html etc etc) has helped reduce 
the attacks significantly.   It seems to me that such URL rewriting is actually 
a very important security tool as we enter a period where botnets start 
targeting .cfm pages.

I plan on increasing our CFM obfuscation over the coming weeks to help hide CF 
from the search engines and automated attacks.   Seems to me that it's a lot 
safer presenting your entire site as HTML to the outside world.

Regards
Terry 
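As an added example, not part of Terry's post or anything the list provided: a small Python scanner that runs the same idea as the RewriteCond over Apache access-log lines from a defender's side. It flags requests whose query string carries the DECLARE/CAST/EXEC pattern described in the bloombit article and decodes the 0x hex literal so you can see what the payload points at, which is how the w.js host above was identified. It also shows one caveat with the rewrite rule: %{QUERY_STRING} is matched before percent-decoding, so a keyword with an encoded letter (%44ECLARE) passes the raw check while still reaching the database as DECLARE; the scanner therefore decodes first. All log lines and the hex payload are constructed for the example, and the decoded payload points at example.invalid rather than the real malware host.

```python
"""Scan Apache access-log lines for hex-encoded T-SQL injection of the
Asprox style (DECLARE ... CAST(0x... AS VARCHAR) ... EXEC) and decode the
hex literal.  Added example; sample data below is constructed."""
import re
from urllib.parse import unquote

# Apache combined log: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Keywords the injector depends on, checked on the *decoded* query string.
SQL_RE = re.compile(r'\b(DECLARE|CAST|EXEC)\b', re.IGNORECASE)

# Mirrors "RewriteCond %{QUERY_STRING} DECLARE [NC]": raw, undecoded string.
RAW_RE = re.compile(r'DECLARE', re.IGNORECASE)

HEX_RE = re.compile(r'0x([0-9A-Fa-f]+)')


def decode_hex_literal(text):
    """Return the decoded text of the first 0x... literal in text, or None.
    CAST(... AS VARCHAR) carries single-byte text; NVARCHAR variants carry
    UTF-16LE, recognisable by zero bytes in every odd position."""
    m = HEX_RE.search(text)
    if not m or len(m.group(1)) % 2:
        return None
    raw = bytes.fromhex(m.group(1))
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode('utf-16-le', errors='replace')
    return raw.decode('latin-1')


def classify(line):
    """Parse one log line; report whether the raw rewrite check and the
    decoded check would fire, plus the decoded payload when flagged."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    decoded = unquote(query)
    flagged = bool(SQL_RE.search(decoded))
    return {
        'client': m.group('client'),
        'path': path,
        'raw_rule_hit': bool(RAW_RE.search(query)),
        'flagged': flagged,
        'payload': decode_hex_literal(decoded) if flagged else None,
    }


def scan(lines):
    """Return the classified records for every flagged request."""
    return [r for r in (classify(l) for l in lines) if r and r['flagged']]


# --- constructed sample data (not real traffic) ---------------------------
SAMPLE_PAYLOAD = "SELECT 1 /* constructed sample: http://example.invalid/w.js */"
HEX_PAYLOAD = "0x" + SAMPLE_PAYLOAD.encode("ascii").hex().upper()
INJECT = ("/product.cfm?id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST("
          + HEX_PAYLOAD + "%20AS%20VARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2008:10:01:02 -0400] "GET /product.cfm?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Jul/2008:10:01:09 -0400] "GET ' + INJECT + ' HTTP/1.1" 200 5120',
    # Same request with the D of DECLARE percent-encoded: the raw check misses it.
    '203.0.113.9 - - [24/Jul/2008:10:02:41 -0400] "GET '
    + INJECT.replace("DECLARE", "%44ECLARE") + ' HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Jul/2008:10:03:00 -0400] "GET /product/12.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec['client'], rec['path'],
              "raw-rule-hit" if rec['raw_rule_hit'] else "raw-rule-MISSED",
              "->", rec['payload'])
```

Run it on a real access log with `scan(open(path))`; the records whose raw_rule_hit is False are the ones the mod_rewrite condition above would have passed through to ColdFusion.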

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310562