My thinking is:

The way it appears, a zombie will hit about 2-12 pages on my web server - over the course of a few seconds - then leave me alone. On the first page they hit, if I ban them, then the next 1 to 11 tries will not succeed even if they happen to find a vulnerable file anywhere on the server.

This attack appears to be well coordinated. I get hit by one IP for a few seconds, then it switches to another IP address for a few seconds and I never see the first one again. A few overlap, so I may see 3 or 4 different IPs at a time, but never more than that so far.

I am still working out the details but it seems to be working: I use a server variable that holds a list of 20 banned IP addresses. When a new IP appears, I add it to the end of the list and remove the first one. Seems to be working nicely.

I fixed the problem of banning people with the word Declare in the form submission. I now look for ";declare".

Keywords and banning IPs by themselves are not the answer - I understand that - but along with the changes to the DB permissions, use of sqlqueryparameters and cfparams, they add another layer of defense.

I can't believe this isn't a big news story. It has been the focus of my life for the last 48 hours :)
>Second and finally, this attack is a zombie attack using computers
>throughout the net infected with an adware program of some sort. It is not
>likely that banning IP addresses will have any significant impact on the
>number of attacks as their origin will be a moving target.
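The rolling ban list and the ";declare" check described in the message above, modelled in Python as an added example (not code from the poster or from ColdFusion): a fixed-size FIFO of banned addresses that evicts the oldest entry when full, plus a signature check that matches a statement terminator followed by DECLARE rather than the bare word, so ordinary form text containing "declare" is not banned. The request values and IP addresses are constructed; the signature is generalised to tolerate whitespace and any letter case.

```python
import re

# Signature discussed in the thread: a statement terminator followed by DECLARE.
# Matching ";declare" (with optional whitespace, any case) instead of the bare word
# is what avoids banning a visitor who simply writes "declare" in a form field.
INJECTION_RE = re.compile(r";\s*declare\b", re.IGNORECASE)


class RollingBanList:
    """Fixed-size list of banned IPs: newest appended, oldest dropped when full."""

    def __init__(self, capacity=20):
        self.capacity = capacity
        self._ips = []  # oldest first

    def ban(self, ip):
        if ip in self._ips:
            return
        self._ips.append(ip)
        if len(self._ips) > self.capacity:
            self._ips.pop(0)  # evict the oldest entry

    def is_banned(self, ip):
        return ip in self._ips

    def snapshot(self):
        return list(self._ips)


def looks_like_injection(params):
    """True if any submitted value carries the ';declare' signature."""
    return any(INJECTION_RE.search(str(value)) for value in params.values())


def handle_request(bans, ip, params):
    """Classify one request: 'blocked' (IP already banned), 'banned'
    (this request tripped the signature, IP added to the list) or 'ok'."""
    if bans.is_banned(ip):
        return "blocked"
    if looks_like_injection(params):
        bans.ban(ip)
        return "banned"
    return "ok"


if __name__ == "__main__":
    bans = RollingBanList()
    # Constructed sample traffic: one injection attempt, a retry, and a benign form post.
    print(handle_request(bans, "203.0.113.5", {"id": "1;DECLARE @x int"}))      # banned
    print(handle_request(bans, "203.0.113.5", {"page": "home"}))                # blocked
    print(handle_request(bans, "198.51.100.7", {"comment": "I declare it ok"})) # ok
```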
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309563