Charles:

Thanks for the reply.  Unfortunately, they don't know when the attack
happened and their current hosting company has not been very attentive to
backing up files or the database.  It's also built on a CMS with page
content changes made daily.

Thanks.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
WWW: http://www.evoch.com/


> -----Original Message-----
> From: Charles Sheehan-Miles [mailto:char...@sheehanmiles.net]
> Sent: Wednesday, October 21, 2009 4:31 PM
> To: cf-talk
> Subject: Re: After the fact: SQL Injection Scanner
> 
> 
> You might consider restoring a copy of a recent backup, then comparing
> against known records that shouldn't have changed (for example, comment
> records).
> 
> On Wed, Oct 21, 2009 at 4:04 PM, Mosh Teitelbaum
> <mosh.teitelb...@evoch.com> wrote:
> 
> >
> > Andy:
> >
> > Unfortunately, I don't have the SQL Injection code.  From what I can gather,
> > the attack resulted in a whole bunch of copies of some PHP code that
> > essentially gives the user access to both the file system and the database.
> > I'm still working on getting the log files from the web host (FTP is down
> > for some reason) but with the PHP files, they could have changed the
> > database without having to do so via the URL.
> >
> > --
> > Mosh Teitelbaum
> > evoch, LLC
> > Tel: (301) 942-5378
> > Fax: (301) 933-3651
> > Email: mosh.teitelb...@evoch.com
> > WWW: http://www.evoch.com/
> >
> >
> > > -----Original Message-----
> > > From: Andy Matthews [mailto:li...@commadelimited.com]
> > > Sent: Wednesday, October 21, 2009 3:49 PM
> > > To: cf-talk
> > > Subject: RE: After the fact: SQL Injection Scanner
> > >
> > >
> > > Mark's right. If you have the SQL injection code, you can essentially
> > > reverse engineer it and use it as a blueprint to fix the problems.
> > >
> > >
> > > andy
> > >
> > > -----Original Message-----
> > > From: Mosh Teitelbaum [mailto:mosh.teitelb...@evoch.com]
> > > Sent: Wednesday, October 21, 2009 2:10 PM
> > > To: cf-talk
> > > Subject: After the fact: SQL Injection Scanner
> > >
> > >
> > > All:
> > >
> > > A client called today letting me know that their server had been breached
> > > and that some malicious code had been uploaded to the site.  After doing
> > > some research into the particular files that were uploaded, it turns out
> > > that the attack is also usually accompanied by a SQL Injection attack.
> > > Their database is huge and, instead of manually going through the database
> > > looking for altered records, I thought to write some code that would scan
> > > the records and report any potential problems.  Before doing that, does
> > > anyone know of any existing code that does that?
> > >
> > > Thanks in advance.
> > >
> > > --
> > > Mosh Teitelbaum
> > > evoch, LLC
> > > Tel: (301) 942-5378
> > > Fax: (301) 933-3651
> > > WWW: http://www.evoch.com/
> > >
> >
> >
> 
> 
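
Charles's suggestion above (restore a recent backup, then compare records that should not have changed), sketched as an added example that is not part of the original thread. SQLite, the `comments` table, its columns and all rows are constructed stand-ins for the client's real database.

```python
import hashlib
import sqlite3

def row_digests(conn, table, key):
    """Map primary-key value -> SHA-256 over the whole row, for one table."""
    # Identifiers cannot be bound as parameters, so accept only plain names.
    for name in (table, key):
        if not name.isidentifier():
            raise ValueError(f"unsafe identifier: {name!r}")
    cur = conn.execute(f'SELECT * FROM "{table}" ORDER BY "{key}"')
    cols = [d[0] for d in cur.description]
    k = cols.index(key)
    return {row[k]: hashlib.sha256(repr(row).encode("utf-8")).hexdigest()
            for row in cur}

def compare_table(backup, live, table, key):
    """Diff a restored backup against the live copy of one table."""
    old, new = row_digests(backup, table, key), row_digests(live, table, key)
    return {
        # For append-only data, 'changed' and 'removed' rows deserve review;
        # 'added' rows are expected but are the ones the backup cannot vouch for.
        "changed": sorted(pk for pk in old.keys() & new.keys() if old[pk] != new[pk]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }

def build_sample(rows):
    """Constructed in-memory database standing in for a backup or live copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", rows)
    return conn

# Constructed sample rows: row 2 was altered, row 3 deleted, row 4 added.
BACKUP_ROWS = [(1, "ann", "Great post"), (2, "bob", "Thanks"), (3, "cy", "Agreed")]
LIVE_ROWS = [(1, "ann", "Great post"), (2, "bob", "Thanks<!-- appended text -->"),
             (4, "dee", "New comment")]

def demo():
    return compare_table(build_sample(BACKUP_ROWS), build_sample(LIVE_ROWS),
                         "comments", "id")

if __name__ == "__main__":
    for kind, keys in demo().items():
        print(kind, keys)
```

This only helps for tables where a trustworthy backup exists; rows created after the backup still need a separate content review.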

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327471