Don't be surprised if the sources are zombies. You can certainly block them, but at some point you'll just need to look over the code to make certain you're cover. BTW, you'll see these scans on other service ports as well like ftp, mail, etc. Write some scripts to check your logs periodically so you are alerted to a problem.
John [EMAIL PROTECTED] ----- Original Message ----- From: Dean H. Saxe To: [email protected] Sent: Thu, 2 Aug 2007 19:08:24 -0400 Subject: Re: [ACFUG Discuss] URL hackers Cheyenne, Do a reverse lookup on the IPs, figure out who owns them and call the upstream provider if you have logs. As far as using Google, they may use that to find error messages from your sites which might give enough info for someone to find a bug and exploit it. But that's just doing background research in order to find a group of targets. This is probably automated probing of your site and there's not much you can do except ensure your code and servers are secure. You can lock out the IPs, but it will probably come from somewhere else eventually. Web App Firewalls will stop some of this, but generally I find them to be a measure of last resort when you know you're full of holes and can't fit it fast enough. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] "To announce that there must be no criticism of the president, or that we are to stand by the president right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public." -- Theodore Roosevelt On Aug 2, 2007, at 6:45 PM, Cheyenne Throckmorton wrote: > Over the past few days I've noticed some rudimentary attempts to do > some SQL injection type attacks over the URL string on a few of our > sites. > > The stuff I'm getting is your typical '1=1 and user>0' type stuff > added to the end of URLs. Looks almost like they may be using > Google to hack for possible vulnerable strings in CFML sites. I > know this has been very popular with .asp pages, maybe they are > moving onto .cfm now as well. > > In any case, I am double checking our security and think we are > fine, still, not having encountered this, I was wondering what some > of you all might do in similar instances. > > I am noticing the attacks are coming to several of our sites from > the same group of IP addresses. Is there a place to report this > type of activity? Should you just shut off access entirely for > these IPs? I know the worst problems with hackers is that once > they are in, they are really tough to get rid of, but at the same > time I'd hate to cut off access to a group of IPs if say it was > like Comcast customers and not the RowandanNationalGreatDeals.com > or something. > > Thanks, > Cheyenne > > ------------------------------------------------------------- > Annual Sponsor - Figleaf Software > > To unsubscribe from this list, manage your profile @ > http://www.acfug.org?fa=login.edituserform > > For more info, see http://www.acfug.org/mailinglists > Archive @ http://www.mail-archive.com/discussion%40acfug.org/ > List hosted by FusionLink > ------------------------------------------------------------- ------------------------------------------------------------- Annual Sponsor FigLeaf Software - http://www.figleaf.com To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
