You should install a WAF; this will stop simple SQL injection attempts. There are several out there for IIS. For a CF-specific solution there is FuseGuard from foundeo.com.
For RDP I suggest you restrict it by IP address using Windows Firewall or use a VPN.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine

On 17 May 2013 04:48, "Al Musella, DPM" <[email protected]> wrote:
>
> My server runs a small nonprofit website. Has been good for years but
> now is getting overwhelmed by a denial of service attack going on
> for the last week and ramping up quickly - it was freezing a few
> times a day at first but now has been freezing a few times an hour.
> More than 99.9% of all of my traffic now has this user agent:
>
> Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.15
>
> but it comes from many different IP addresses and only goes to 1
> page on my website. The IPs are from all around the world. Mostly
> outside the USA but a lot inside as well. This page allows a few URL
> variables and they are changing the URL variables trying to do SQL
> injection. The page doesn't insert anything into a database but does
> read a database. It is protected with cfqueryparam and luckily I had
> no database corruption.
>
> I found a way to keep the server up - it worked for an hour straight now :)
>
> I moved the page (which has a few big queries) to a new address
> and changed the links in my menu system so people and Google can find
> it, and replaced the old page with a 404 error page that says the
> page was moved (in case a real person tried it, they can see it, but
> hopefully this botnet will see 404 and think it is not there any more).
>
> If they move to another page I will have to just sacrifice anyone
> else using that browser and block it on the entire server.
>
> They are also trying to log in with remote desktop to the
> administrator account (which I always disable and has a lockout
> policy for 3 wrong passwords).
>
> Anyone else have this problem or a better way to fix it?
> They have hit that 404 page about 10,000 times in the last few minutes
> but that 404 page takes up .0004 seconds compared to .01 sec for the
> real page so the server seems OK with the load.
>
> BTW: I have been using Power Admin server monitor - which restarts
> the ColdFusion service when it freezes...
> http://www.poweradmin.com/servermonitor/
> Cool tool - this is how I found out about the remote desktop attack -
> it monitors the event log as well as disk space and web!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355749
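
An added example, not part of the original thread: one way to confirm the pattern described above (a single user agent dominating traffic, aimed at one page, from many addresses) from IIS W3C logs before deciding what to block. The log lines, the page name `/list.cfm`, the second user agent and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format (IIS writes spaces in the
# User-Agent as '+'). The page name, query values and IPs are made up.
BOT_UA = "Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.15"
REAL_UA = "Mozilla/5.0+(Windows+NT+6.1;+rv:21.0)+Gecko/20100101+Firefox/21.0"
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-05-17 04:40:01 GET /list.cfm id=12 198.51.100.7 {bot} 200
2013-05-17 04:40:01 GET /list.cfm id=13 203.0.113.20 {bot} 200
2013-05-17 04:40:02 GET /index.cfm - 192.0.2.10 {real} 200
2013-05-17 04:40:02 GET /list.cfm id=14 192.0.2.44 {bot} 200
2013-05-17 04:40:03 GET /list.cfm id=15 198.51.100.91 {bot} 200
2013-05-17 04:40:03 GET /list.cfm id=16 203.0.113.20 {bot} 200
2013-05-17 04:40:04 GET /list.cfm id=3 192.0.2.11 {real} 200
2013-05-17 04:40:04 GET /list.cfm id=17 192.0.2.130 {bot} 200
""".format(bot=BOT_UA, real=REAL_UA)


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def flood_suspects(rows, min_share=0.5, min_ips=3):
    """Return (user_agent, page, share, distinct_ips) for every user-agent/page
    pair that makes up at least min_share of all requests and is spread over at
    least min_ips source addresses. Thresholds are assumptions; tune per site."""
    rows = list(rows)
    hits = Counter((r["cs(User-Agent)"], r["cs-uri-stem"]) for r in rows)
    ips = defaultdict(set)
    for r in rows:
        ips[(r["cs(User-Agent)"], r["cs-uri-stem"])].add(r["c-ip"])
    suspects = []
    for (agent, page), count in hits.most_common():
        share = count / len(rows)
        if share >= min_share and len(ips[(agent, page)]) >= min_ips:
            suspects.append((agent, page, round(share, 3), len(ips[(agent, page)])))
    return suspects


if __name__ == "__main__":
    for suspect in flood_suspects(parse_w3c(SAMPLE_LOG)):
        print(suspect)
```

A pair that is flagged here is a candidate for a request-filtering or WAF rule scoped to that user agent and page, which affects fewer real visitors than blocking the browser across the whole server.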

