Good list Al - but I have a couple of revisions for you :)

First, this code:

<cfparam name="id" default="0" type="integer"/>

Creates a variable in the VARIABLES scope. If you are scoping your variables (as in "#url.id#") then this will have no effect on that scope - or the form scope. If you are not scoping your variables then shame on you :)

Second and finally, this attack is a zombie attack using computers throughout the net infected with an adware program of some sort. It is not likely that banning IP addresses will have any significant impact on the number of attacks as their origin will be a moving target.

-Mark

-----Original Message-----
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2008 8:49 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

That may help with this particular attack, but I already have seen 2 versions of it today.. Both happened to have the "EXEC(" but there are variations that use other key words. The correct way (which unfortunately I found out through failure:) is:

1. Run a scanner like: http://qpscanner.riaforge.org/ and fix EVERY query it finds so that it uses cfqueryparam

2. Do a search for every cfparam in your code and add the correct type. For example:

<cfparam name="id" default="0" type="integer">

That will prevent people from adding anything to the end of the integer..

3. Set up a sitewide error handler to email you when a problem occurs... you will be amazed at how many attempts that cfparam catches..

4. Set up your database so that the user you use with ColdFusion is denied permission to all of the system tables and stored procedures that you do not use.

5. I use a filter similar to what you mention below, in the application.cfm or application.cfc file.. mine uses a few other words.. such as ";DECLARE" , "CHAR( " , ";SET " and "CAST( " and I am also working on a system of banning the bad IP addresses on the entire server for a while.. figuring if they hit a protected page, why let them keep trying..

I am collecting data on the attack, and it appears that an IP address is only used 2-15 times within a 1 minute period.. then it is never used again. So it looks like banning the IP for an hour should be ok..

6. I set up an automated task to check 10 different tables for my own entry every 15 minutes - checking that the email address and website address hasn't changed. If it does, I get notified..

7. Make sure that you backup your website and database as frequently as possible. Keep old versions in case the next attack just changes a few numbers here and there instead of being this obvious.

At 08:30 PM 7/23/2008, you wrote:
>What about if I put:
>
><cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
>
>in all my cf files on my web site and if a hacker gonna try to run any of these files, for example:
>
>index.cfm?+code, mail.cfm?+code etc basically it attacks all on google indexed, but if you put it in all of the files, it should abort the connection every time one file is executed and then any query won't be executed....it should work...what do you think?
>
>Radek

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309556
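To put Al's items 1, 2 and 5 and Mark's scoping point side by side, here is an added example (not code posted by Mark, Al or Radek): one page that reads an id from the URL, with the injectable query kept as a comment next to its cfqueryparam version, and an Application.cfc whose onRequestStart applies the keyword filter. The datasource name "mydsn", the table "products", the column "product_id" and the application name are assumed for illustration.

```cfml
<!--- product.cfm --->

<!--- Item 2, with the scope named explicitly so the integer check is applied
      to the very variable the query reads (Mark's point: an unscoped
      <cfparam name="id"> only guarantees something in the VARIABLES scope). --->
<cfparam name="url.id" default="0" type="integer">

<!--- The vulnerable shape this thread is about: the raw URL value is pasted
      into the SQL text, so a value like 1;EXEC(...) becomes part of the statement.
<cfquery name="q" datasource="mydsn">
    SELECT name FROM products WHERE product_id = #url.id#
</cfquery>
--->

<!--- Item 1: the value travels as a bound parameter, never as SQL text, and
      cf_sql_integer rejects non-numeric input at the driver boundary as well. --->
<cfquery name="q" datasource="mydsn">
    SELECT name
    FROM products
    WHERE product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Application.cfc --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">   <!--- assumed application name --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Item 5: Al's token list plus Radek's "EXEC(". The query string is
              URL-decoded first so encoded semicolons and spaces still match.
              This is a backstop only: the attacker controls the tokens, so it
              never replaces cfqueryparam on every query. --->
        <cfset var badTokens = ["EXEC(", ";DECLARE", "CHAR(", ";SET ", "CAST("]>
        <cfset var haystack  = cgi.SCRIPT_NAME & " " & cgi.PATH_INFO & " "
                               & urlDecode(cgi.QUERY_STRING)>
        <cfset var token = "">

        <cfloop array="#badTokens#" index="token">
            <cfif findNoCase(token, haystack)>
                <!--- Item 3: record the attempt so the volume is visible --->
                <cflog file="sqli-attempts" type="warning"
                       text="blocked #cgi.REMOTE_ADDR# #cgi.SCRIPT_NAME#?#cgi.QUERY_STRING#">
                <cfheader statuscode="400" statustext="Bad Request">
                <!--- returning false stops ColdFusion from running the page --->
                <cfreturn false>
            </cfif>
        </cfloop>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Returning false from onRequestStart does the same job as Radek's per-file `<cfabort>` but in one place, and the cflog line gives you the attempt counts Al describes without waiting for an error handler to fire. The real protection is still the cfqueryparam on every query that qpscanner turns up; the filter just cuts the noise.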

