That's because it's not a hacker; it's a script. It's either running in a
loop or on a schedule. There's not much point in trying to block the IP
address, since they could just change the IP address. It's probably onion
routed or otherwise obfuscated through a proxy of some sort; they can just
Sent from my Verizon Wireless 4G LTE DROID
Jen Larkin jlar...@gmail.com wrote:
That's because it's not a hacker; it's a script. It's either running in a
loop or on a schedule. There's not much point in trying to block the IP
address, since they could just change the IP address. It's probably
On 7/23/2013 12:51 AM, Justin Scott wrote:
Which brings up another security question. How do other sites
handle something like this automatically? I mean, if I see an
attack from an IP address, is it even worth blocking at the firewall?
I had an interesting attack yesterday ...
A bot hit
cfformprotect will help you with stuff like this
On Tue, Jul 23, 2013 at 12:35 PM, Les Mizzell lesm...@bellsouth.net wrote:
On 7/23/2013 12:51 AM, Justin Scott wrote:
Which brings up another security question. How do other sites
handle something like this automatically? I mean, if I
cfformprotect will help you with stuff like this
I'll second that... it's become a standard for me to implement on
public-facing forms to prevent automated submissions.
-Justin
~|
Order the Adobe Coldfusion Anthology now!
I'll vote for that as well. Because it has several levels of detection, it's
very reliable.
-mark
-Original Message-
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: Tuesday, July 23, 2013 8:15 AM
To: cf-talk
Subject: Re: Hack Attempt on our database last night
cfformprotect
On Mon, Jul 22, 2013 at 4:29 PM, Mark A Kruger mkru...@cfwebtools.com wrote:
Pete,
So is that the purpose of the !3000 then? Got it!
That's correct Mark, you got it.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com -
You can run the cast function on the hex string to see the actual SQL it
generates, which I thought was required anyway, so I'm not sure that query would
even execute otherwise.
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 22 Jul 2013 04:45, Justin Scott
Check out the 4th comment here -
http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
Seems to be similar attack.
On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:
We had someone trying to hack our system last night and I would like to
In this particular case it's not generating SQL but just filling in
space to match the number of columns with the original query.
Basically once it executes without an error it allows the attacker to
see how many columns the original query is selecting. It's part of an
automated attack tool.
-Original Message-
From: Byron Mann [mailto:byronos...@gmail.com]
Sent: Monday, July 22, 2013 11:49 AM
To: cf-talk
Subject: RE: Hack Attempt on our database last night
That makes sense to me, looks more like an attempt to see if an injection
would work.
Byron Mann
Lead Engineer Architect
HostMySite.com
0x313032... etc */ --
Doesn't the /* */ force the whole string into a comment? Hard to see how
that would succeed.
-Mark
-Original Message-
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: Monday, July 22, 2013 11:19 AM
To: cf-talk
Subject: Re: Hack Attempt on our
In this particular case it's not generating SQL but just filling in
space to match the number of columns with the original query.
Basically once it executes without an error it allows the attacker to
see
Russ,
The query never processed. The hacker was relentless though. For about 5
straight hours he kept trying.
Which brings up another security question. How do other sites handle
something like this automatically? I mean, if I see an attack from an IP
address, is it even worth blocking
Justin,
That is the same attack we had. He never made it through to our database to
execute the query. I scanned the DB logs and it failed on him every time.
Thanks for the link, it was helpful.
Dave
with application firewalls mostly.
There are plenty of options out there from hardware to software to web
server plugins.
For a CF-specific WAF, try FuseGuard.
On Mon, Jul 22, 2013 at 7:28 PM, Dave Hatz daveh...@hatzventures.org wrote:
Russ,
The query never processed. The hacker was
On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger mkru...@cfwebtools.com wrote:
Doesn't the /* */ force the whole string into a comment? Hard to see how
that would succeed.
It is a MySQL version-specific comment, so if the MySQL version is greater than
version 3.0 in this case it would execute, all
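To make Pete's point about the version-conditional comment and Russ's point about casting the hex string concrete, here is a small defensive helper. It is an added example, not code from anyone in this thread: the payload it inspects is constructed for illustration (the real string is elided in the messages above) and uses MySQL's documented five-digit form of the `/*!NNNNN ... */` comment, where NNNNN encodes the minimum server version (30000 = 3.0.0).

```python
import re

# Constructed sample in the shape the thread describes: a MySQL
# version-conditional comment wrapping hex literals, ended with "-- ".
# This is NOT the attacker's actual string, which is elided in the thread.
SAMPLE_PAYLOAD = "1 /*!30000 UNION ALL SELECT 0x313032,0x313032 */ -- "

# MySQL executes the body of /*!NNNNN ... */ when its version >= NNNNN;
# every other database treats the whole thing as a plain comment.
COND_COMMENT = re.compile(r"/\*!(\d{4,5})(.*?)\*/", re.S)
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{2,})\b")


def mysql_version_number(version: str) -> int:
    """'5.6.12' -> 50612, the encoding used inside /*!NNNNN comments."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    return major * 10000 + minor * 100 + patch


def conditional_comments(sql: str):
    """Return (min_version, body) for every /*!NNNNN ... */ found."""
    return [(int(v), body.strip()) for v, body in COND_COMMENT.findall(sql)]


def executes_on(sql: str, mysql_version: str) -> bool:
    """True if a conditional-comment body would run on this MySQL version."""
    current = mysql_version_number(mysql_version)
    return any(min_v <= current for min_v, _ in conditional_comments(sql))


def decode_hex_literals(sql: str):
    """Show what CAST(0x... AS CHAR) would reveal for each hex literal."""
    return [bytes.fromhex(h).decode("utf-8", "replace")
            for h in HEX_LITERAL.findall(sql)]


def looks_like_injection(value: str) -> bool:
    """Flag a request parameter carrying either marker the thread discusses."""
    return bool(COND_COMMENT.search(value)) or bool(HEX_LITERAL.search(value))


if __name__ == "__main__":
    print(conditional_comments(SAMPLE_PAYLOAD))
    print(executes_on(SAMPLE_PAYLOAD, "5.6.12"), executes_on(SAMPLE_PAYLOAD, "2.23.4"))
    print(decode_hex_literals(SAMPLE_PAYLOAD))
```

Run against request parameters before they reach a query, the last function gives a cheap log-time signal; it is no substitute for cfqueryparam, which is what actually stops the query from executing.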
Ah that is devilishly clever.
-Original Message-
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: Monday, July 22, 2013 2:23 PM
To: cf-talk
Subject: Re: Hack Attempt on our database last night
On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger
mkru...@cfwebtools.com wrote:
Doesn't
Pete,
So is that the purpose of the !3000 then? Got it!
-Original Message-
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: Monday, July 22, 2013 2:23 PM
To: cf-talk
Subject: Re: Hack Attempt on our database last night
On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger
mkru
Which brings up another security question. How do other sites
handle something like this automatically? I mean, if I see an
attack from an IP address, is it even worth blocking at the firewall?
What I do is a combination of input sanitizing and using cfqueryparam
to the point where it's
We had someone trying to hack our system last night and I would like to know
what he was trying to get. Seems one of our new Junior programmers didn't use
CFQUERYPARAM and allowed this param into the query string. Needless to say, I
will be having a nice long chat with him when he gets into
There was some discussion about a very similar injection on Stack
Overflow which may be useful:
http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
-Justin
On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:
We had someone trying to