What I'm curious about is that there seems to be no one you can report this to?
I got hammered again the other day... this time as well through
whatever form fields they could find.
Mark
On Sat, Aug 16, 2008 at 12:07 PM, Al Musella, DPM
<[EMAIL PROTECTED]> wrote:
> And changed
> EXEC to ExEC
>
>
And changed
EXEC to ExEC
I am getting hit pretty hard again. It stopped for a few days but
they are back.
At 06:56 PM 8/15/2008, you wrote:
>They completely stopped on the 11th, but they are back today spelling it
>like "DeCLARE".
>
>~Brad
~
They completely stopped on the 11th, but they are back today spelling it
like "DeCLARE".
~Brad
- Original Message -
From: "Claude Schneegans" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, August 15, 2008 5:32 PM
Subject: Re: SQL injection attack
>>Not as far as technique, but it was much larger in scale than most of us
have experienced before.
By the way, are you still getting hits from this attack?
I don't see any anymore.
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/cust
>>Going through 136+ posts seems a bit too much, many thanks.
Aren't you afraid to get even more if you start another thread again? ;-)
As an FYI: for those that did use Apache configs to stop this attack, if you
did not make sure your check was not case sensitive, you're being hit again.
I just saw this start coming into our logs this afternoon: note that DECLARE
changed to DeCLARE. Some of the posts I saw for people to modify apac
> But I know all this, I thought the sql injection attack went beyond it,
> thanks anyway, Justin.
Not as far as technique, but it was much larger in scale than most of us
have experienced before. Some were getting hit so hard they had to
filter it farther up the chain (IIS, firewall, etc.) but
On Fri, Aug 15, 2008 at 1:12 PM, Don L <[EMAIL PROTECTED]> wrote:
> But I know all this, I thought the sql injection attack went beyond it,
> thanks anyway, Justin.
>
it did not.
--
A byte walks into a bar and orders a pint. Bartender asks him "What's
wrong?" Byte says "Parity error." Bartender
But I know all this, I thought the sql injection attack went beyond it, thanks
anyway, Justin.
> The same place we've always been:
>
> * Validate user input
> * Use CFQUERYPARAM
>
> For applications that have old code, run a tool that will tell you
> what
> queries need to be updated or run a
> Sorry for the "top posting", where are we now in terms of best practice for
> cf8 protection against sql injection attack? Going through 136+ posts seems a
> bit too much, many thanks. Someone who has closely monitored this thread
> probably could help.
The same place we've always been:
* V
Sorry for the "top posting", where are we now in terms of best practice for cf8
protection against sql injection attack? Going through 136+ posts seems a bit
too much, many thanks. Someone who has closely monitored this thread probably
could help.
>Sorry for the problems with the House of Fusi
> >1) It protects only against known threats. In order to be excluded we
> have
> >to be a step far enough ahead to make sure the pattern is included.
> >2) It will produce false positives.
> >3) It is not role or user based.
> >4) Tend to give a false sense of security.
>
>
> Just to add to th
> You of all people have been around long enough to know that
> if we as developers could have our jobs made easier. Makes
> me wonder why you made your comment?
I don't see it as Adobe's place to tell me how to write code, which is
essentially what a framework of any type does. In the same wa
On Mon, Aug 11, 2008 at 9:01 PM, Andrew Scott wrote:
> But one can dream. Like you said, I also doubt it will become open
> source this release... Or even the next, but it will happen... Mark those
> words...
While I don't think we'll get away from SQL anytime soon, I have
managed to get
oper
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 August 2008 2:44 AM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion
> The second is that this is why. ColdFusion
Interestingly, hibernate is one of the rumoured additions to CF9:
http://www.barneyb.com/barneyblog/2008/06/19/cfunited-day-one/
etc
On Tue, Aug 12, 2008 at 12:44 AM, Dave Watts <[EMAIL PROTECTED]> wrote:
>
> ColdFusion is a programming language, like Java. Just as Java doesn't come
> with an OR
On Mon, Aug 11, 2008 at 10:11 AM, Jochem van Dieten wrote:
> I just see different degrees of guilt. Negligence from developers,
> greedy shortcuts from management, laziness from end users, criminal
> intent from hackers etc.
I don't see ISPs on there, and while I'm no fan of much of the
ISP-b
On Sun, Aug 10, 2008 at 6:35 AM, Bobby Hartsfield wrote:
> Suggesting and getting caught doing are 2 different things. IF
> writing/posting code were an issue though... then everyone who posted the
> full script would be worried ;-)
I hope it's just chicken-little, but it's happening to other coun
Security in layers.
While it is usually best to thwart this style of attack at the
router/firewall, it is wise to have the extra layers at the
Apache/IIS/webserver, Coldfusion Application, CF Query and JDBC DB user
permission layers. If the first layer is bypassed or compromised then the
next laye
> The second is that this is why. ColdFusion should have
> adopted an approach that used an ORM instead With an ORM
> it reduces the risk, provided the ORM takes these attacks seriously.
>
> I have never seen these attacks with hibernate, within GORM
> and Domain Driven design approache
> Viewing this as a rape case, if a girl was hanging out on a
> street corner and asking passers-by to rape her, then, yes,
> she bears some responsibility for putting herself in that
> situation. It doesn't mean the one who rapes her doesn't
> bear the greater responsibility for the situation
> Ah. You're from the "blame the victim" school.
>
> Unfortunately, when I wrote the first 1,000 ColdFusion
> templates using Ben Forta's CF 4.0 book, there was no
> CFQueryParam. So going back and rewriting all those programs
> (now well into several thousand) has been a bitch. And all
> i
Seeing code solutions to this is cool, but IMHO it's best left to your
router/firewall to handle. I'd contact the provider to have them put some
better controls in place. These are scenarios that almost delve into why Cisco
has the zero day features on their gear...
~
Dave Morris wrote:
> Ah. You're from the "blame the victim" school.
I just see different degrees of guilt. Negligence from developers,
greedy shortcuts from management, laziness from end users, criminal
intent from hackers etc.
> So I shouldn't be mad at the poor little hackers, because they
> From: Mark Kruger [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2008 11:24 AM
> To: CF-Talk
> Subject: RE: SQL injection attack on House of Fusion
>
> Rick,
>
> While your argument is well put, perhaps we could choose a slightly less
> inflammatory analogy than ra
On Monday 11 Aug 2008, Brad Wood wrote:
> I'm fairly convinced this bot used the Internet Explorer on the victims
It would make sense to use the same ActiveX control IE uses, yes.
--
Tom Chiverton
This email is sent for and on behalf of Hall
From: Rick Faircloth [mailto:[EMAIL PROTECTED]
Sent: 11 August 2008 15:45
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion
This would probably be more productively viewed as as
"responsibility" issue, rather than blame.
Both parties, webmaster and attacker, bea
Sent: Monday, August 11, 2008 3:37 AM
Subject: RE: SQL injection attack on House of Fusion
> Hmmm...
>
> Of course it is possible to use cookies. They chose not to... Why...
> Because they have no real need to be attached to a se
Criticizing someone for negligence is not blaming the victim. If the person who
coded the site is so incompetent as not to include a cfqueryparam for any user
input that has direct impact on the database, then they deserve to get blamed.
What's so difficult about
As for going back and finding
Morris
CHOP away at
our systems until they find that one hole we didn't catch, and then blame it
on the victim!
Dave Morris
> -Original Message-
> From: Greg Morphis [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2008 9:04 AM
> To: CF-Talk
> Subject: Re: SQL injection
> I'm sure they exist even for CF 4.0
Yup, the val() function did/does wonders for integer input on queries,
even way back in CF4.
-Justin Scott
~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release
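The two pieces of advice given earlier in the thread (bind values with cfqueryparam; validate integer input, the job val() has done since CF4) shown beside the pattern they replace. This is an added example, not code from the thread or from ColdFusion itself: Python's sqlite3 module and its "?" placeholder stand in for CF and cfqueryparam, int() stands in for integer validation (stricter than val(), which coerces rather than rejects), and the table and rows are constructed for the demo.

```python
"""Same attacker input, three query styles, one throwaway SQLite table.

Added example; not code from the thread or from ColdFusion itself. The "?"
placeholder plays the role of <cfqueryparam>, int() the role of validating an
integer URL parameter. Table and rows are constructed.
"""
import sqlite3


def make_db():
    """In-memory table playing the role of a site's content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (id, title, body) VALUES (?, ?, ?)",
        [(1, "Public post", "visible to all"),
         (2, "Draft", "not published yet"),
         (3, "Internal note", "staff only")],
    )
    return conn


def fetch_concatenated(conn, raw_id):
    """The pre-cfqueryparam pattern: the URL value is pasted into the SQL text,
    so whatever the bot puts in ?id= becomes part of the statement."""
    return conn.execute(f"SELECT id, title FROM articles WHERE id = {raw_id}").fetchall()


def fetch_parameterized(conn, raw_id):
    """cfqueryparam equivalent: the value is bound by the driver, compared as
    data and never parsed as SQL."""
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (raw_id,)).fetchall()


def fetch_validated(conn, raw_id):
    """Validate first: an id that is not an integer is rejected before any SQL
    is built. Fine for integer keys; use binding for everything else."""
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(f"SELECT id, title FROM articles WHERE id = {article_id}").fetchall()


# A tautology rather than the thread's DECLARE/EXEC batch: SQLite's execute()
# refuses stacked statements, SQL Server (the bot's target) does not, so the
# cursor-based UPDATE from the thread only runs there.
ATTACK = "1 OR 1=1"

if __name__ == "__main__":
    conn = make_db()
    print("concatenated :", fetch_concatenated(conn, ATTACK))   # every row leaks
    print("parameterized:", fetch_parameterized(conn, ATTACK))  # []
    print("validated    :", fetch_validated(conn, ATTACK))      # []
```

The concatenated query returns every row for the tautology; the bound and validated versions return nothing, because the attacker's text is compared to the id column rather than parsed. SQLite is used only because it ships with Python; the thread's payload needs the stacked-statement behaviour of SQL Server, which is why the fix has to be on the query-building side rather than in the database.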
mad at the poor little hackers, because they were doing us
> all favor by pointing out our faults. That is your school of thought,
> right?
>
> Dave Morris
>
>
>> -Original Message-
>> From: Dave Watts [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, August
: Sunday, August 10, 2008 11:15 PM
> To: CF-Talk
> Subject: RE: SQL injection attack on House of Fusion
>
> > Anyway, I propose the dot-com millionaires who left us stuck
> > with the current mess in the spam and virus arena be
> > personally required to fund an internat
-Original Message-
From: Wil Genovese [mailto:[EMAIL PROTECTED]
Sent: Saturday, 9 August 2008 2:26 AM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
very few bots accept cookies. I've never actually seen one that does,
but I have read it is possible to writ
-Original Message-
From: Ben Forta [mailto:[EMAIL PROTECTED]
Sent: Saturday, 9 August 2008 2:05 AM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion
Yep, was curious about that too. I modified Justin's script to not send
e-
> Anyway, I propose the dot-com millionaires who left us stuck
> with the current mess in the spam and virus arena be
> personally required to fund an international Goon Squad with
> kneecap breaking instructions to go after these vandals.
And who exactly would that be?
> If someone did this c
Wait, sorry. This is a cf-community thread, not a cf-talk one. It will be
moved right away.
On Sun, Aug 10, 2008 at 11:32 PM, Michael Dinowitz <
[EMAIL PROTECTED]> wrote:
> I propose a baseball bat. It works well with both genders.
>
> On Sun, Aug 10, 2008 at 11:16 PM, William Seiter <[EMAIL PROT
I propose a baseball bat. It works well with both genders.
On Sun, Aug 10, 2008 at 11:16 PM, William Seiter <[EMAIL PROTECTED]> wrote:
> You assume much.
>
> Women have just as much prowess at running a computer virus attack as men.
>
> We just don't hear about them as much, as they seem to not get cau
You haven't been around teenage boys much recently. That and the XBox are the
ONLY things they would miss.
Anyway, I propose the dot-com millionaires who left us stuck with the current
mess in the spam and virus arena be personally required to fund an
international Goon Squad with kneecap brea
>I've heard that in Saudi Arabia, a thief has the offending member removed at
>the wrist. Since hackers commit their offence with their brain, wouldn't it
>be appropriate to behead them?
>
>Just a suggestion. :-\
>
>Dave L.
Personally I'd rather they had a different part of their anatomy cut off.
t in your reply :-o
Heh
..:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 09, 2008 11:51 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
I'd tell y
I'd tell you to watch what you suggest on a public forum, but heck-- we
already know the FBI doesn't care. :)
~Brad
> Hmmm... if everyone did something like this... it would not only be
> funny...
> but probably piss off apnic and make them do something about their portion
> of this problem (w
-Original Message-
From: Mike Kear [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 09, 2008 4:49 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
I guess I'm missing something, Bobby. Why does a big share of the
problem belong to Apnic?
Cheers
I guess I'm missing something, Bobby. Why does a big share of the
problem belong to Apnic?
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
On Sun, Aug 10, 2008
om
-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 09, 2008 1:37 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
Bobby, what have you been using to look up the origin of the IPs en masse?
I found a site that lets me do
obby Hartsfield" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Saturday, August 09, 2008 11:58 AM
Subject: RE: SQL injection attack on House of Fusion
> Now look at how many of those are from Asia Pacific Network Info Centre
Here are my top 50: Note that the top 1 is in the same subnet as your
top 1. I had 134,993 attempts that I caught..
IP (times)
203.160.1.52 (705)
203.162.3.160 (373)
203.160.1.76 (325)
61.164.132.230 (325)
59.15.212.125 (258)
210.112.177.244 (252)
70.189.143.59 (219)
221.253.217.138 (204)
96
Terry Ford wrote:
> Nimda did not use SQL injection as any sort of primary vector.
But it infected websites in order to infect browsers in order to infect
websites etc. So the current wave of worms using the same mechanism is
really 7 years too late to be ingenious.
Jochem
deal with
a major flaw in its own software. That's rare ;)
http://www.microsoft.com/technet/security/advisory/954462.mspx
--- On Sat, 8/9/08, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
> From: Jochem van Dieten <[EMAIL PROTECTED]>
> Subject: Re: SQL injection attack
>1) It protects only against known threats. In order to be excluded we have
>to be a step far enough ahead to make sure the pattern is included.
>2) It will produce false positives.
>3) It is not role or user based.
>4) Tend to give a false sense of security.
Just to add to this, in my own testi
Still no go for me. I appreciate the help from all.
On Sat, Aug 9, 2008 at 8:58 AM, Wil Genovese <[EMAIL PROTECTED]> wrote:
> Ray,
>
> Our sysadmin ran into the same issue when we started on this
> yesterday. Here is part of the rule we're using now and it works for
> the case yours does not. Note
Ray,
Our sysadmin ran into the same issue when we started on this
yesterday. Here is part of the rule we're using now and it works for
the case yours does not. Note the ^.
RewriteCond %{QUERY_STRING} ^.*DECLARE.*$
Wil Genovese
One man with courage makes a majority.
-Andrew Jackson
A fine
Ok, I've noticed that when I go to
host.com/?declare
it is working
but
host.com/x/index.cfm?';[EMAIL PROTECTED](4000);[EMAIL
PROTECTED](0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C6563
No go. It's not life or death - I'm still using cfqueryparam, but I'd
love to get this working at the lowest level.
On Fri, Aug 8, 2008 at 11:47 PM, denstar <[EMAIL PROTECTED]> wrote:
> non-wrapped (and it was grabbed off the web somewhere):
>
> Options +FollowSymLinks
> Options +Indexes
> Rewri
Depending on your default directory settings in httpd.conf, you may
need to add the following directory attributes as well to your site to
allow mod_rewrite to operate:
#Allow mod rewrite on this directory
Options FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
Also, you ca
On Fri, Aug 8, 2008 at 11:12 PM, Raymond Camden <[EMAIL PROTECTED]> wrote:
> Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so
> it's being added after /, so I also added path_info
>
> RewriteEngine on
> RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
> RewriteRule ^(.*)$ /vi
Terry Ford wrote:
> Pretty ingenious really, infecting websites via injection attack in order to
> infect clients with browser vulnerabilities.
In 2001 it was: http://www.cert.org/advisories/CA-2001-26.html Now it is
just business as usual.
Jochem
~~
Theoretically, it would be possible to write a code-review type tool
that uses database introspection to rewrite queries to use the proper
cfqueryparms everywhere.
Wouldn't work for queries built by code tho, so... hmmm
I wonder why we can't do something like that at a lower-level, ya
know?
w from all
RewriteEngine On
. rewrites here
Regards
--- On Sat, 8/9/08, Raymond Camden <[EMAIL PROTECTED]> wrote:
> From: Raymond Camden <[EMAIL PROTECTED]>
> Subject: Re: SQL injection attack on House of Fusion
> To: "CF-Talk"
> Date: Saturday, August 9, 2008,
non-wrapped (and it was grabbed off the web somewhere):
Options +FollowSymLinks
Options +Indexes
RewriteEngine On
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
The [L] tells
Strange. And it looks like it /should/ work in the server conf too.
Might be something like symlinks being turned off in the main
Directory block or something.
Try adding this (we'll leave off the ifModule, as we'd want an error
if we don't have mod_rewrite loaded (and I'd try to limit where I'm
Pete,
Gabriel Reed and Mary Jo Sminkey created a decent regex and script that does
a good job.
http://www.coldfusionmuse.com/index.cfm/2008/7/28/Coldfusion-Blacklist-Function-for-SQLi
It uses a native java regex pattern matcher for efficiency - meaning it will
work only on cf 6.x or above.
Mar
Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so
it's being added after /, so I also added path_info
RewriteEngine on
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule ^(.*)$ /violation.htm
RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
RewriteRule ^(.*)$ /vio
You can keep it in a different .conf file, and use the Include
directive, to pull it in wherever you need it, BTW.
--
Employ your time in improving yourself by other men's writings, so
that you shall gain easily what others have labored hard for.
Socrates
On Fri, Aug 8, 2008 at 10:05 PM, denstar
A simple look at the docs would state why, but it doesn't appear to
work if you've got it "floating" (rewrites in general). I don't
remember, off hand.
I'm pretty sure it will work in a Directory or Location block too, tho.
I've tried this on a windows apache server, but it doesn't seem to be
working. Must it be in a VirtualDirectory block? I have it set outside
so as to work on all sites.
On Fri, Aug 8, 2008 at 2:45 PM, Terry Ford <[EMAIL PROTECTED]> wrote:
> Our site has now seen just over 200,000 attack attempts
I think it goes:
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
to have the no-case option.
Thanks for clarifying the loadmodule stuff, I should'a said something
along those lines earlier.
Has anyone written a broad-spectrum script (i.e. scrubs URL variables, form
variables, looks for verboten words, etc.) that is effective against these
attacks? If not, why don't we get coordinated and write something as a
community that users can simply include/invoke via application.cfm or in
spe
Scratch that. declare is case sensitive. Seems to work now.
Matt
On Fri, Aug 8, 2008 at 6:00 PM, Matt Williams <[EMAIL PROTECTED]> wrote:
> On Fri, Aug 8, 2008 at 2:45 PM, Terry Ford <[EMAIL PROTECTED]> wrote:
>> Here's the rewrite I'm using (linux apache) to keep traffic off the app
>> server.
>
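The log-side view of what several posts in this thread describe: the RewriteCond that stopped matching once the bot moved from DECLARE to DeCLARE ("declare is case sensitive", and the later warning to re-check Apache configs), the CAST(0x...) payload quoted from a log, and the per-IP tallies. This is an added example, not code posted by anyone in the thread. It assumes Apache combined-format access logs and constructs its own sample lines: the two attacker addresses are taken from the top-50 list posted in the thread, the hex string is the one quoted in the thread, and the DECLARE/SET/CAST/EXEC wrapper around it is an assumption about the payload's shape (the archive mangled the original). Matching is case-insensitive, which is what the [NC] flag does in Apache.

```python
"""Spot the thread's SQL-injection probes in Apache access-log lines and tally
them per source IP.

Added example, not code posted by anyone in the thread. Assumptions: Apache
"combined" log format; the sample lines below are constructed. The 0x... hex
string is the one quoted from a log in the thread; the DECLARE/SET/CAST/EXEC
text around it is an assumption about the payload shape.
"""
import re
from collections import Counter
from urllib.parse import unquote

# client IP, request line and status from a "combined"-format line
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Case-insensitive, the equivalent of Apache's [NC] flag: the case-sensitive
# RewriteCond rules in the thread went blind when the bot switched from
# DECLARE to DeCLARE and EXEC to ExEC. Requiring what follows the keyword
# (a @variable or an opening paren) keeps the plain word "declare" in a
# legitimate parameter from being flagged.
SQLI_MARKERS = re.compile(r"declare\s+@|exec\s*\(|cast\s*\(\s*0x", re.IGNORECASE)

# A long 0x literal fed to CAST(): the bot hid its real SQL in hex so a filter
# looking at the raw request would not see the cursor loop inside.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")


def decode_hex_literals(text):
    """Return the ASCII text of every long 0x... literal in text."""
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:  # a payload cut off in the log leaves a stray nibble
            digits = digits[:-1]
        decoded.append(bytes.fromhex(digits).decode("ascii", errors="replace"))
    return decoded


def is_sqli_probe(request_target):
    """True if the URL-decoded path+query, or SQL hidden inside a hex literal
    in it, carries one of the injection markers."""
    plain = unquote(request_target)
    return any(SQLI_MARKERS.search(c) for c in [plain, *decode_hex_literals(plain)])


def analyze(log_lines):
    """Return (hits_per_ip, decoded_payloads) over the lines that were flagged."""
    hits = Counter()
    payloads = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not is_sqli_probe(m["target"]):
            continue
        hits[m["ip"]] += 1
        payloads.extend(decode_hex_literals(unquote(m["target"])))
    return hits, payloads


# The hex quoted in the thread, split only for line length.
PAYLOAD_HEX = ("4445434C415245204054207661726368617228323535292C404320766172636861722834303030"
               "29204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C6563")

# Constructed lines; the two attacker IPs are taken from the thread's top-50 list.
SAMPLE_LOG = [
    # first wave, uppercase keywords: caught by the thread's original rules
    '203.160.1.52 - - [08/Aug/2008:14:02:11 -0500] "GET /index.cfm?id=1\';DECLARE%20@S%20VARCHAR(4000);'
    'SET%20@S=CAST(0x' + PAYLOAD_HEX + '%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 512',
    # second wave, mixed case: slips past a RewriteCond without [NC]
    '61.164.132.230 - - [15/Aug/2008:18:40:03 -0500] "GET /x/index.cfm?id=7\';DeCLARE%20@S%20VARCHAR(4000);'
    'SET%20@S=CAST(0x' + PAYLOAD_HEX + '%20AS%20VARCHAR(4000));ExEC(@S);-- HTTP/1.1" 200 512',
    # legitimate requests, one of them containing the word "declare"
    '192.0.2.10 - - [15/Aug/2008:18:41:00 -0500] "GET /index.cfm?page=declare_winner HTTP/1.1" 200 8123',
    '192.0.2.11 - - [15/Aug/2008:18:41:07 -0500] "GET /index.cfm?id=7 HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    hits, payloads = analyze(SAMPLE_LOG)
    for ip, count in hits.most_common():
        print(f"{ip} ({count})")
    print("SQL hidden in the hex:", payloads[0])
```

Both probe lines are tallied against their source IPs, the request whose parameter merely contains the word "declare" is not flagged, and decoding the hex shows the start of the cursor declaration that a filter on the raw request never saw. This is still a blacklist, with the limits listed earlier in the thread (known patterns only, false positives); it belongs in front of cfqueryparam, not instead of it.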
Original Message -
From: "Eric P" <[EMAIL PROTECTED]>
> The problem becomes even more difficult to enforce
> since ISPs don't necessarily want to offend their paying customers.
It depends on the ISP. I've seen plenty that didn't mind telling a customer
they needed to clean their server
On Fri, Aug 8, 2008 at 2:45 PM, Terry Ford <[EMAIL PROTECTED]> wrote:
> Here's the rewrite I'm using (linux apache) to keep traffic off the app
> server.
>
> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$ violation.htm [nc,L]
Okay, I'm a rewrite and apache newbie. I'm trying to rep
- Original Message -
From: "Wil Genovese" <[EMAIL PROTECTED]>
> on. So go ahead and just block THE WORLD.
>
I don't plan on blocking anyone. I just wanted to play with the data. :)
~Brad
>> If you use CF to write the bot, for instance ;-)
Speaking of such, snagging a cookie with CF is ridiculously easy (of course
it is ;) ). cfhttp returns the responseHeader as a structure.
EX:
This:
#cfhttp.responseHeader["Set-Cookie"]#
Returns this:
mytestcookie=test;expires=Sun, 01-Aug-20
Well I guess I'm glad I am not the only one dealing with this. I implemented
at the top of /Application.cfm and that stopped it dead in its tracks,
but not before spiking my custom logging app and turning my weekly
sales response figures to oatmeal. A little spit and polish fixed
that.
On Fri, Aug 8, 2008 at 4:13 PM, Claude Schneegans
<[EMAIL PROTECTED]> wrote:
> >>Then 20-30 minutes later he would show up again with a different IP.
>
> How do you know it was the same guy?
> Maybe it was the same bot doing the same thing, but these bots are just
> like viruses,
> they spread a
>>Then 20-30 minutes later he would show up again with a different IP.
How do you know it was the same guy?
Maybe it was the same bot doing the same thing, but these bots are just
like viruses,
they spread anywhere.
ime.
>
> ~Brad
>
> - Original Message -
> From: "Andy Matthews" <[EMAIL PROTECTED]>
> To: "CF-Talk"
> Sent: Friday, August 08, 2008 3:00 PM
> Subject: RE: SQL injection attack on House of Fusion
>
>
>> blocking the IPs would probably s
list of 12,000 IP addresses (and counting at the rate of
500+ new IP addresses each hour) of this botnet available if that's of any use
to anyone.
Regards
--- On Fri, 8/8/08, Brad Wood <[EMAIL PROTECTED]> wrote:
> From: Brad Wood <[EMAIL PROTECTED]>
> Subject: Re: SQL
On Fri, Aug 8, 2008 at 3:25 PM, Brad Wood <[EMAIL PROTECTED]> wrote:
> Yeah, I'm well aware of the near impossibility of ever tracking IP address
> to anything useful, but I'm a person who likes data, for within mounds of
> useless data can be found trends. Most of all, I'm just curious. Also, I'
24/7 uptime.
~Brad
- Original Message -
From: "Andy Matthews" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, August 08, 2008 3:00 PM
Subject: RE: SQL injection attack on House of Fusion
> blocking the IPs would probably stop the attacks, but analyzing them is
> g
-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 11:03 AM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
Tell us how you really feel Ben. :)
I had to temporarily stop apache on my site long enough to get a stop gap in
place.
I'm using ionic isapi with the following
RewriteCond %{QUERY_STRING} ;DECLARE [I]
RewriteRule ;DECLARE /index.htm [I,L]
it works perfectly except for a single issue. If you're using a custom 404
in iis (like piping 404 errors to CF), then the isapi will hang the server.
--
Michael Dinowitz (http
Our site has now seen just over 200,000 attack attempts over the past 48 hours,
73,000 attack attempts over the past 5 hours.
Not nearly a DOS concern yet, as the acceleration of attacks has started to at
least flatten a bit over the last 2-3 hours, but we're watching it carefully.
The attacks
They might be doing a screen scrape looking for an error message to see if
they've hit on a vulnerable parameter. When/if they find one, they probably
log it or attempt to attack it.
~Brad
> For example, we'll see three successive errant query strings come
> through like this.
>
> ?a=1'&b=2&c=3
We've also noticed these SQL injection attempts rear their head the
last day or so; saw almost the exact same type of attack (I.e., same
injection payload) back in April as well.
The attack we're seeing is very (MS) SQL Server specific as they're
trying to hit some SQL Server system tables and inj
Hysterical!!
-Original Message-
From: Mike Kear [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 12:14 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
Ben Forta said >
<<<<> On the plus side, it's nice to see CF finally get
[EMAIL PROTECTED]
> Sent: Friday, August 08, 2008 12:36 PM
> To: CF-Talk
> Subject: RE: SQL injection attack on House of Fusion
>
>
> > even if it is from parasitic bottom-feeding bots created by
> despicable
> > scum-sucking feeble-excuse-for-a-carbon-based-li
> > ... by despicable scum-sucking feeble-excuse-for-a-
> > carbon-based-life-form repugnant socially-inept
> > basement-dwelling death-penalty-deserving hacker-wannabes.
>
> What makes you think they're lawyers, Ben?
That really isn't called for, Mike. You should be ashamed of yourself.
Lawyers
Mike,
That's the funniest comment I've heard this week... 10 points for Mr.Kear.
-mark
-Original Message-
From: Mike Kear [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 12:14 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
Ben Forta said
lly* feel! :o)
> -Original Message-
> From: Ben Forta [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 08, 2008 11:51 AM
> To: CF-Talk
> Subject: RE: SQL injection attack on House of Fusion
>
> Yep, I turned e-mail notifications off too, leave it on and you can
> inadvertent
Ben Forta said >
> On the plus side, it's nice to see CF finally getting the recognition it
> deserves, even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
> socially-inept basement-dwelling death-penalty
: "Wil Genovese" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, August 08, 2008 11:26 AM
Subject: Re: SQL injection attack on House of Fusion
> very few bots accept cookies. I've never actually seen one that does,
> but I have read it is