We had the same thing happen on many different apps.
I ended up with 1000's of emails.

We ended up adding this to our Application.cfc in the onRequestStart method.

All the hack attempts had "declare" in them, so this blocks the request and we
don't need to wait till it reaches the cfqueryparam and triggers the error emails.

    <cfif reFindNoCase("declare", cgi.query_string)>
        <cfcontent reset="Yes">
        <cfheader statuscode="403" statustext="Access denied">
        <cfreturn false>
    </cfif>

On Tue, Aug 26, 2008 at 11:52 PM, Matthew <[EMAIL PROTECTED]> wrote:

>
> Hi guys
>
> Over the past few months we've been getting 1000s of errors from some
> idiot trying to hit us with a query injection attack (I've read on
> several forums that these hackers have given up on ASP sites and are
> now targeting CF sites). Fortunately we didn't get stung because of
> good queryparaming however it's just annoying getting 100s of errors
> each day!! I very carefully unpacked the string and as per my guess it
> was setup to modify every record in every DB table and populate it
> with a reference back to a supposed .js file on a server in China.
> The .js file tries to download a .exe which would probably be a virus.
>
> There's no point trying to block their IP because they IP jump across
> 100s of addresses.
>
> I'm going to build in a fix to block the errors i.e. scan the query
> string for a 'declare' reference and kill it however does anyone know
> where I can report these guys to? The .js file lives at www.ppexe.com,
> which when I do a whois lookup there are minimal details and they're
> all in Chinese.
>
> Word of advice to all: DON'T FORGET TO <CFQUERYPARAM/>!!!!
>
> Cheers
> Matthew


-- 
"anything you say can/will be used against you--
--nothing you say can/will be used to help you."
-Professor James Duane
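
A fuller version of the onRequestStart filter described in this thread, as an added example that is not code from either poster: it decodes the query string before matching, uses a word boundary so ordinary words such as "declared" are not rejected, and writes one log line per blocked request instead of an error email. The helper name `isSuspiciousQueryString` and the log file name `blockedRequests` are assumptions, and cfqueryparam in every query remains what actually prevents the injection.

```cfml
<!--- Application.cfc: added example; helper and log names are hypothetical --->
<cfcomponent output="false">

    <cffunction name="isSuspiciousQueryString" access="private" returntype="boolean" output="false">
        <cfargument name="rawQuery" type="string" required="true">
        <cfset var decoded = arguments.rawQuery>
        <!--- Decode percent-encoding first so the match runs on the text the
              query would eventually receive; if the encoding is malformed,
              fall back to matching the raw string instead of throwing. --->
        <cftry>
            <cfset decoded = urlDecode(arguments.rawQuery)>
            <cfcatch type="any">
                <cfset decoded = arguments.rawQuery>
            </cfcatch>
        </cftry>
        <!--- \b keeps words that merely contain "declare" from matching. --->
        <cfreturn reFindNoCase("\bdeclare\b", decoded) GT 0>
    </cffunction>

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfif isSuspiciousQueryString(cgi.query_string)>
            <!--- Log only the address and script, never the raw query string,
                  so the log cannot be polluted with attacker-supplied text. --->
            <cflog file="blockedRequests" type="warning"
                   text="Blocked #cgi.remote_addr# #cgi.script_name#">
            <cfcontent reset="yes">
            <cfheader statuscode="403" statustext="Access denied">
            <cfreturn false>
        </cfif>
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

Like the original snippet, this inspects only `cgi.query_string`, so form posts still rely entirely on cfqueryparam.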
