I wrote an IIS log parser which can not only parse the IIS logs to a
DB but, when the url params are over a certain size or have certain
keywords, it'll flag it as a problem to look at later. Unfortunately, the
attack was on a client's site and we knew about it when the page
display was compromised. The logs were only good after the fact.

This attack didn't use the standard "declare" statement but it did
have a longer than normal request string. Cleaning it out wasn't much
of a problem once it was identified. I've added another bit of text to
my injection scanner code but...

I'm going through query after query on his site which will take me a
while to recode. I'm going to have to dig up my auto-query-param code
that I wrote for someone many years ago and get it up to date. More
work and less rest. :(

--
Michael

On Wed, Jan 13, 2010 at 4:11 PM, Chad Gray <cg...@careyweb.com> wrote:
>
> How do you guys monitor these attacks?  The webserver logs?
>
>> -----Original Message-----
>> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
>> Sent: Wednesday, January 13, 2010 12:34 PM
>> To: cf-talk
>> Subject: Re: Recent SQL Injection attacks
>>
>>
>>   I have been getting a lot lately... and had an interesting
>> one.  One computer was hammering my server. They were trying a
>> dictionary attack on one of my forms, in addition to trying sql
>> injection on every dynamic page.  Strangely, the IP address of the
>> attacker, 204.238.82.17, was from the USA.  It was a security
>> company.  I called them and asked what they were doing. They said  a
>> security audit!   They said they had permission. Turns out they were
>> hired to test a website that is one letter off from my domain name
>> and they made a mistake.  They stopped immediately.  At least they
>> told me I passed:)
>>
>>   My ftp server has also been getting dictionary attacks from
>> Amsterdam 95.154.246.98.  Luckily my ftp sites are set up to allow
>> only certain ip addresses.
>>
>>
>> At 08:14 PM 1/12/2010, you wrote:
>>
>> >Didn't know about that IP. Thanks
>> >
>> >They got in through some code that was written literally 10 years ago
>> >on one of the clients forgotten sites. I've fixed up the cfquery tags
>> >and added my anti-injection code to the whole dir.
>> >
>> >Thanks
>> >
>> >--
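The kind of flagging Michael describes, as an added example (not his parser, and not code from anyone in this thread): it reads IIS W3C extended log lines, percent-decodes cs-uri-query, and flags requests whose query is longer than a threshold or contains keywords such as the "declare" Al mentions. The log lines, the 200-character threshold and the keyword list are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed IIS W3C extended log (sample data, not a real capture).
LONG_QUERY = "id=42;" + "0x4445434c415245" * 30  # 486-char hex blob, no keyword in it
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2010-01-12 20:01:03 192.0.2.10 GET /products.cfm id=42 200\n"
    "2010-01-12 20:01:07 192.0.2.77 GET /products.cfm id=42;DECLARE%20@s%20varchar(4000) 500\n"
    "2010-01-12 20:01:09 192.0.2.77 GET /news.cfm id=7%27%20and%201%3d1-- 200\n"
    "2010-01-12 20:01:11 192.0.2.10 GET /search.cfm q=coldfusion 200\n"
    "2010-01-12 20:01:13 192.0.2.77 GET /products.cfm " + LONG_QUERY + " 500\n"
)

# Substrings that rarely occur in a legitimate query string; tune per site.
KEYWORDS = ("declare ", "cast(", "exec(", "xp_cmdshell", "union select", "--", "';")
MAX_QUERY_LEN = 200  # hypothetical threshold; derive yours from normal traffic


def parse_w3c(text):  # one dict per request line, keyed by the #Fields names
    fields = None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if line.strip() and fields:
            yield dict(zip(fields, line.split()))


def flag_reasons(query, max_len=MAX_QUERY_LEN, keywords=KEYWORDS):
    if query in ("", "-"):            # IIS writes '-' when there is no query string
        return []
    decoded = unquote(query).lower()  # %xx-decode so encoded payloads are visible
    reasons = []
    if len(decoded) > max_len:
        reasons.append(f"query length {len(decoded)} > {max_len}")
    reasons.extend(f"keyword {kw!r}" for kw in keywords if kw in decoded)
    return reasons


def scan(text, **thresholds):  # (c-ip, cs-uri-stem, reasons) for every flagged request
    hits = []
    for rec in parse_w3c(text):
        reasons = flag_reasons(rec.get("cs-uri-query", "-"), **thresholds)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
```

Decoding before matching matters: the second sample line only contains "declare " once the %20 is turned back into a space, which is why a raw substring match on the logged query misses it.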

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329634
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4