Brad,

That might make sense if the infection is some sort of control that makes use of an underlying request architecture (IE's, for example). If that were the case then the request would be exactly as if it came from the user's browser... cookies and all - yes?

-mark

-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 11:40 AM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

----- Original Message -----
From: "Brad Wood" <[EMAIL PROTECTED]>

> Dang, the brutes thought of everything. I even tried a test to see if
> the bots would return cookies I attempted to set in order to track
> them easier.
> Nope, they don't.

Ok, I take that back. SOME, but not all, of the hack attempts come back to my site with the cookie I sent to them previously. Rather interesting -- I would expect them to all behave the same way. Perhaps there are different versions of the Trojan out there.

Also, the attacks on my server today seem to either be targeting certain SES URLs, or just plain broken. I am getting hits like:

/index.cfm?;DECLARE @S CHAR(4000);SET @S=CAST(0x4...6F72 AS CHAR(4000));EXEC(@S);

You can see that the malicious string is NOT being sent in as any particular URL parameter. Furthermore, since the = sign has not been escaped, the string gets broken up such that the variable name is ";DECLARE @S CHAR(4000);SET @S" and the value is the rest of the string.

What the heck are they trying to do? Have today's attacks actually infected anyone?

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310545
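An added example, not code from the thread or from House of Fusion: a small Python checker for the point Brad makes above. It splits the query string the way a web server does (pairs on "&", name from value at the first "=") and looks for the DECLARE/CAST/EXEC markers in parameter names as well as values, so the "broken" hits that put the payload where a parameter name should be are still caught; it also decodes any 0x... literal so an analyst can see what EXEC would run. The request lines and the hex literal are constructed (the hex encodes a harmless statement), not the real payload from the attack.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Markers of the hex-encoded DECLARE/CAST/EXEC payload discussed in the thread.
_SQL_MARKERS = re.compile(
    r"\bDECLARE\s+@\w+\b|\bCAST\s*\(\s*0x[0-9a-f]+|\bEXEC\s*\(\s*@\w+\s*\)",
    re.IGNORECASE,
)
_HEX_LITERAL = re.compile(r"0x([0-9a-f]+)", re.IGNORECASE)


def inspect_request(request_path: str) -> dict:
    """Flag SQL markers in parameter NAMES as well as values.

    Pairs split on '&', name from value at the FIRST '=', so a hit like
    '/index.cfm?;DECLARE @S ...;SET @S=CAST(...)' puts DECLARE in the name,
    which a filter that only inspects values would miss."""
    parts = urlsplit(request_path)
    findings = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name = unquote_plus(raw_name)
        for where, text in (("name", name), ("value", unquote_plus(raw_value))):
            if not _SQL_MARKERS.search(text):
                continue
            # Decode any 0x... literal so the analyst sees what EXEC would run.
            decoded = [bytes.fromhex(h).decode("latin-1")
                       for h in _HEX_LITERAL.findall(text) if len(h) % 2 == 0]
            findings.append({"where": where, "param": name[:40],
                             "decoded_hex": decoded})
    return {"path": parts.path, "suspicious": bool(findings), "findings": findings}


# Constructed sample hits (not real log data); the hex literal encodes a
# harmless statement so the decoder has something to show.
_BENIGN_HEX = "SELECT 'constructed sample'".encode("ascii").hex().upper()
SAMPLE_REQUESTS = [
    # the broken shape from the thread: payload where a parameter name should be
    f"/index.cfm?;DECLARE @S CHAR(4000);SET @S=CAST(0x{_BENIGN_HEX} AS CHAR(4000));EXEC(@S);",
    # the usual shape: payload appended to a real parameter's value
    f"/index.cfm?id=1;DECLARE @S CHAR(4000);SET @S=CAST(0x{_BENIGN_HEX} AS CHAR(4000));EXEC(@S);--",
    "/index.cfm?id=1&page=2",  # ordinary request, must not be flagged
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run inspect_request over a batch of request paths (default: the samples)."""
    return [inspect_request(r) for r in requests]
```

Running `scan()` flags the first two sample paths, reporting the first hit under the parameter name and the second under the value, and leaves the ordinary request alone.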

