One of my websites got hit. I always use cfqueryparam - at least for the last few years, but some old code (this website started with version 1 of CF) was still hanging around that was unprotected. I used that scanning tool and it found about 20 unprotected queries out of about 20,000...

Anyway - I set up a filter in the Application.cfm to watch for a few of these bad keywords and temporarily ban those IPs. I am getting hit a few times a minute now, on all of the websites I run. However, one of the owners got banned when he included the word "Declare" in a product description :)

For this attack, I am thinking wouldn't it be wise to remove permission to use the sysobjects and syscolumns from the user I access the MS SQL server with from CF? (In other words, I am assuming that CF does not need access to these tables - does it?)

>Mark,
>
>Thanks for the info. I tried this and it
>located the code. I removed the comment and
>Executed however, the code still remains.
>Any help you can offer would be great!
>
>Thanks!
>
>
>
> >For those of you who have been hit by this attack and who need to try
> >something short of restoring your DB, this script will generate a series of
> >update statements in reverse of the hack that's been going around:
> >
> >-----------------------------------------------------------
> >DECLARE @T varchar(255), @C varchar(255)
> >DECLARE @sql varchar(4000)
> >DECLARE @script varchar(255)
> >/*fill in the value of the malicious script. */
> >select @script = '<script src="*scriptsrc"></script><!---'
> >
> >DECLARE Table_Cursor CURSOR FOR
> >  SELECT a.name, b.name
> >  FROM sysobjects a, syscolumns b
> >  WHERE a.id = b.id AND a.xtype = 'u'
> >  AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
> >
> >  OPEN Table_Cursor
> >  FETCH NEXT FROM Table_Cursor INTO @T, @C
> >  WHILE (@@FETCH_STATUS = 0)
> >  BEGIN
> >    SELECT @sql = 'update [' + @T +'] set ['+ @C +'] = Replace([' +
> >@C + '],''' + @script + ''','''')'
> >    PRINT @sql
> >
> >    /*uncomment this after checking the output using print */
> >    --EXEC(@sql)
> >
> >    FETCH NEXT FROM Table_Cursor INTO @T, @C
> >  END
> >CLOSE Table_Cursor
> >DEALLOCATE Table_Cursor
> >
> >-------------------------------------------------------
> >
> >1) Replace the value of @script (the select at the top) with the value of
> >the string that's been inserted into your DB
> >2) Run the script AS IS - you should see a list of "update" statements that
> >look like this:
> >
> >update [**tablename] set [**columnName] = Replace([**ColumnName],'<script
> >src="*scriptsrc"></script><!---','')
> >
> >Where **tablename and **columnname represent actual tables/columns from your
> >DB.
> >
> >You can then run the updates individually to strip out the malicious code...
> >I also converted the update to a select to compare the values and see what
> >the result would be on update.
> >
> >3) If you are brave you can comment out the "EXEC(@sql)" line and rerun the
> >script. Doing so will hit every table and every char column with these
> >updates so be sure you know what you are doing.
> >
> >
> >-Mark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309548
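The "converted the update to a select" step that Mark mentions but does not show, written here as an added example (not code from the thread): a read-only counterpart to his cursor that counts how many rows in each char column still carry the payload, so the scope of the cleanup is known before any UPDATE runs. It assumes SQL Server 2000/2005 with the same sysobjects/syscolumns layout; the @script value is a placeholder to be replaced with the exact injected string.

```sql
-- Constructed example, not from the original thread. Dry-run companion to
-- the cleanup cursor: counts affected rows per column instead of updating.
DECLARE @T sysname, @C sysname
DECLARE @sql nvarchar(4000)
DECLARE @script nvarchar(255)
DECLARE @pattern nvarchar(300)

-- Placeholder: replace with the exact string that was injected into your DB.
SET @script = N'<script src="*scriptsrc"></script><!---'

-- Escape LIKE wildcards ([, %, _) so the payload is matched literally,
-- then double single quotes so it can be embedded in a string literal.
SET @pattern = REPLACE(REPLACE(REPLACE(@script, N'[', N'[[]'), N'%', N'[%]'), N'_', N'[_]')
SET @pattern = REPLACE(@pattern, N'''', N'''''')

CREATE TABLE #hits (tbl sysname, col sysname, hits int)

-- Same column selection as the cleanup script: user tables, columns of type
-- ntext (99), text (35), nvarchar (231) and varchar (167).
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name
  FROM sysobjects a, syscolumns b
  WHERE a.id = b.id AND a.xtype = 'u'
    AND b.xtype IN (99, 35, 231, 167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE @@FETCH_STATUS = 0
BEGIN
  -- LIKE accepts text/ntext columns, unlike REPLACE, which rejects those
  -- types; that is why a column can show hits here yet stay unchanged
  -- after the UPDATE version runs on it.
  SET @sql = N'SELECT N''' + REPLACE(@T, N'''', N'''''') + N''', N'''
           + REPLACE(@C, N'''', N'''''') + N''', COUNT(*) FROM ['
           + REPLACE(@T, N']', N']]') + N'] WHERE ['
           + REPLACE(@C, N']', N']]') + N'] LIKE N''%' + @pattern + N'%'''
  INSERT INTO #hits EXEC(@sql)
  FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

-- Only the columns that actually contain the payload, most affected first.
SELECT tbl, col, hits FROM #hits WHERE hits > 0 ORDER BY hits DESC
DROP TABLE #hits
```

Run this before and after the cleanup updates; a column that still shows hits afterwards needs the text/ntext cast treatment rather than a plain REPLACE.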

