From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 11:03 AM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion
Tell us how you really feel Ben. :)
I had to temporarily stop apache on my site long enough to get a stop gap in
place. My database
- Original Message -
From: Andy Matthews [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, August 08, 2008 3:00 PM
Subject: RE: SQL injection attack on House of Fusion
blocking the IPs would probably stop the attacks, but analyzing them is
going to be useless. They're either
On Fri, Aug 8, 2008 at 3:25 PM, Brad Wood [EMAIL PROTECTED] wrote:
Yeah, I'm well aware of the near impossibility of ever tracking IP address
to anything useful, but I'm a person who likes data, for within mounds of
useless data can be found trends. Most of all, I'm just curious. Also, I'd
(and counting at the rate of
500+ new IP addresses each hour) of this botnet available if that's of any use
to anyone.
Regards
--- On Fri, 8/8/08, Brad Wood [EMAIL PROTECTED] wrote:
From: Brad Wood [EMAIL PROTECTED]
Subject: Re: SQL injection attack on House of Fusion
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, August 08, 2008 3:00 PM
Subject: RE: SQL injection attack on House of Fusion
blocking the IPs would probably stop the attacks, but analyzing them is
going to be useless. They're either using some hacked computer as a proxy,
or have some sort
Then 20-30 minutes later he would show up again with a different IP.
How do you know it was the same guy ?
Maybe it was the same bot doing the same thing, but these bots are just
like viruses, they spread anywhere.
--
REUSE CODE! Use custom tags;
See
On Fri, Aug 8, 2008 at 4:13 PM, Claude Schneegans
[EMAIL PROTECTED] wrote:
Then 20-30 minutes later he would show up again with a different IP.
How do you know it was the same guy ?
Maybe it was the same bot doing the same thing, but these bots are just
like viruses, they spread anywhere.
Well I guess I'm glad I am not the only one dealing with this. I implemented
<cfif cgi.query_string contains "DECLARE%20">
<cfheader statuscode="500" statustext="Server Error">
</cfif>
at the top of /Application.cfm and that stopped it dead in its tracks,
but not before spiking my custom logging app
If you use CF to write the bot, for instance ;-)
Speaking of such, snagging a cookie with CF is ridiculously easy (of course
it is ;) ). cfhttp returns the responseHeader as a structure.
EX:
This:
<cfoutput>
#cfhttp.responseHeader["Set-Cookie"]#
</cfoutput>
Returns this:
- Original Message -
From: Wil Genovese [EMAIL PROTECTED]
on. So go ahead and just block THE WORLD.
I don't plan on blocking anyone. I just wanted to play with the data. :)
~Brad
On Fri, Aug 8, 2008 at 2:45 PM, Terry Ford [EMAIL PROTECTED] wrote:
Here's the rewrite I'm using (linux apache) to keep traffic off the app
server.
RewriteCond %{QUERY_STRING} .*DECLARE.*
RewriteRule ^(.*)$ violation.htm [nc,L]
Okay, I'm a rewrite and apache newbie. I'm trying to replicate
Original Message -
From: Eric P [EMAIL PROTECTED]
The problem becomes even more difficult to enforce
since ISPs don't necessarily want to offend their paying customers.
It depends on the ISP. I've seen plenty that didn't mind telling a customer
they needed to clean their server or
Scratch that. declare is case sensitive. Seems to work now.
Matt
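An added example (my own, not code from any poster in this thread) that applies the DECLARE check the posts above describe to Apache access-log lines the way a defender would want it: after URL-decoding, case-insensitively, and over the path as well as the query string, then tallying unique source IPs per hour, which is the data Brad said he wanted. The log lines, timestamps and IPs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log format (not real traffic).
# The third line mixes case and percent-encodes the "D", which a naive,
# case-sensitive "contains DECLARE" check on the raw request misses.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Aug/2008:11:03:00 -0500] "GET /index.cfm?id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Aug/2008:11:05:21 -0500] "GET /index.cfm?id=1;DECLARE%20@S%20VARCHAR(4000) HTTP/1.1" 500 0 "-" "Mozilla/4.0"
198.51.100.8 - - [08/Aug/2008:11:17:44 -0500] "GET /index.cfm?id=1;%44eclare%20@S%20varchar(4000) HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Aug/2008:12:01:02 -0500] "GET /blog/DECLARE%20@S%20VARCHAR(4000)/ HTTP/1.1" 404 0 "-" "Mozilla/4.0"
"""

# Captures source IP, timestamp and the request target (path plus query string).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
# Applied after decoding, case-insensitively; a bare-word match, so a legitimate
# parameter value of "declare" would also be flagged (same trade-off as the rewrite rules).
SQLI_RE = re.compile(r'\bdeclare\b', re.IGNORECASE)

def naive_contains_declare(target: str) -> bool:
    """The case-sensitive check on the raw, still-encoded request that the thread started with."""
    return "DECLARE" in target

def is_sqli_probe(target: str) -> bool:
    """True if the request target (path or query string) contains DECLARE once URL-decoded."""
    return SQLI_RE.search(unquote_plus(target)) is not None

def summarise(log_text: str) -> dict:
    """Count probes and list unique source IPs per hour (timestamp truncated to the hour)."""
    per_hour = defaultdict(set)
    total = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_sqli_probe(m.group("target")):
            continue
        total += 1
        hour = m.group("ts")[:14]  # e.g. "08/Aug/2008:11"
        per_hour[hour].add(m.group("ip"))
    return {"total": total, "unique_ips_per_hour": {h: sorted(ips) for h, ips in per_hour.items()}}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```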
On Fri, Aug 8, 2008 at 6:00 PM, Matt Williams [EMAIL PROTECTED] wrote:
On Fri, Aug 8, 2008 at 2:45 PM, Terry Ford [EMAIL PROTECTED] wrote:
Here's the rewrite I'm using (linux apache) to keep traffic off the app
server.
Has anyone written a broad-spectrum script (i.e. scrubs URL variables, form
variables, looks for verboten words, etc.) that is effective against these
attacks? If not, why don't we get coordinated and write something as a
community that users can simply include/invoke via application.cfm or in
I think it goes:
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
to have the no-case option.
Thanks for clarifying the loadmodule stuff, I should'a said something
along those lines earlier.
--
Employ your time in improving yourself by other men's writings, so
that you shall gain easily what others have labored hard for.
Socrates
I've tried this on a windows apache server, but it doesn't seem to be
working. Must it be in a VirtualDirectory block? I have it set outside
so as to work on all sites.
On Fri, Aug 8, 2008 at 2:45 PM, Terry Ford [EMAIL PROTECTED] wrote:
Our site has now seen just over 200,000 attack attempts
A simple look at the docs would state why, but it doesn't appear to
work if you've got it floating (rewrites in general). I don't
remember, off hand.
I'm pretty sure it will work in a Directory or Location block too, tho.
You can keep it in a different .conf file, and use the Include
directive, to pull it in wherever you need it, BTW.
On Fri, Aug 8, 2008 at 10:05 PM, denstar
Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so
it's being added after /, so I also added path_info
RewriteEngine on
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule ^(.*)$ /violation.htm
RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
RewriteRule ^(.*)$ /violation.htm
Pete,
Gabriel Reed and Mary Jo Sminkey created a decent regex and script that does
a good job.
http://www.coldfusionmuse.com/index.cfm/2008/7/28/Coldfusion-Blacklist-Function-for-SQLi
It uses a native java regex pattern matcher for efficiency - meaning it will
work only on cf 6.x or above.
Strange. And it looks like it /should/ work in the server conf too.
Might be something like symlinks being turned off in the main
Directory block or something.
Try adding this (we'll leave off the ifModule, as we'd want an error
if we don't have mod_rewrite loaded (and I'd try to limit where
non-wrapped (and it was grabbed off the web somewhere):
Options +FollowSymLinks
Options +Indexes
RewriteEngine On
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
The [L] tells
RewriteEngine On
. rewrites here
Regards
--- On Sat, 8/9/08, Raymond Camden [EMAIL PROTECTED] wrote:
From: Raymond Camden [EMAIL PROTECTED]
Subject: Re: SQL injection attack on House of Fusion
To: CF-Talk cf-talk@houseoffusion.com
Date: Saturday, August 9, 2008, 12:12 AM
Hmm
Theoretically, it would be possible to write a code-review type tool
that uses database introspection to rewrite queries to use the proper
cfqueryparms everywhere.
Wouldn't work for queries built by code tho, so... hmmm
I wonder why we can't do something like that at a lower-level, ya
know?