>Your database contains all its object names in metadata tables, which can be queried directly.
It was mentioned last week, but just to reiterate: You should set the permissions on the system table so that you cannot read or write to the system tables. There is no need for it, and by removing access, this particular attack will fail. They would have to try guessing the table names by trial and error - or if you help them by displaying the table names in the error message they can find the tables quickly. So in your error handling template, never mention the name of the tables.

I started logging and banning the IP addresses. I logged 2500 IPs and 9027 hack attempts caught, so each IP address tried an average of 4 times. Apparently, a single IP address will only try our site for less than a minute, then they are never seen again, so I now ban the most recent 100 IPs. When a new IP attacks, I add it to the end of an application list and remove the first item.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310458
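The rolling ban list described in the message above, sketched in Python as an added example (it is not the poster's ColdFusion code). The class and method names and the `looks_like_attack` flag are assumptions, since the message does not say how attempts are detected, and the addresses are constructed documentation-range samples.

```python
from collections import OrderedDict
from threading import Lock


class RollingBanList:
    """Ban only the N most recently seen attacking IPs; the oldest ban falls off."""

    def __init__(self, capacity=100):
        self.capacity = capacity
        self._banned = OrderedDict()  # insertion order = order of first attack
        self._lock = Lock()           # the list is shared by every request thread
        self.total_attempts = 0       # flagged requests, banned or not
        self.evicted = 0              # bans dropped to make room

    def is_banned(self, ip):
        with self._lock:
            return ip in self._banned

    def handle(self, ip, looks_like_attack):
        """Return 'blocked', 'banned-now' or 'allowed' for one request.

        looks_like_attack is a hypothetical flag supplied by whatever
        request filter the application already uses.
        """
        with self._lock:
            already = ip in self._banned
            if looks_like_attack:
                self.total_attempts += 1
                if not already:
                    self._banned[ip] = True              # add to the end
                    if len(self._banned) > self.capacity:
                        self._banned.popitem(last=False)  # remove the first item
                        self.evicted += 1
            if already:
                return "blocked"
            return "banned-now" if looks_like_attack else "allowed"


# Constructed sample traffic: (client IP, flagged as attack?)
EVENTS = [
    ("192.0.2.10", True), ("192.0.2.10", True), ("198.51.100.7", False),
    ("192.0.2.11", True), ("192.0.2.12", True), ("192.0.2.10", False),
]


def replay(events, capacity):
    """Run the sample traffic through a fresh list; return decisions and the list."""
    bans = RollingBanList(capacity)
    return [bans.handle(ip, bad) for ip, bad in events], bans
```

With a capacity of 2, the last event shows the trade-off of a short window: once `192.0.2.10` is pushed off the list it is allowed again until its next flagged request.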