Or get an open source IDS like Snort...

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it."
    -- Thomas Paine, 1783


On Aug 2, 2007, at 7:54 PM, [EMAIL PROTECTED] wrote:

Don't be surprised if the sources are zombies. You can certainly block them, but at some point you'll just need to look over the code to make certain you're covered. BTW, you'll see these scans on other service ports as well like ftp, mail, etc. Write some scripts to check your logs periodically so you are alerted to a problem.

John
[EMAIL PROTECTED]


----- Original Message -----
From: Dean H. Saxe
To: [email protected]
Sent: Thu, 2 Aug 2007 19:08:24 -0400
Subject: Re: [ACFUG Discuss] URL hackers

Cheyenne,

Do a reverse lookup on the IPs, figure out who owns them and call the
upstream provider if you have logs.

As far as using Google, they may use that to find error messages from
your sites which might give enough info for someone to find a bug and
exploit it.  But that's just doing background research in order to
find a group of targets.  This is probably automated probing of your
site and there's not much you can do except ensure your code and
servers are secure.  You can lock out the IPs, but it will probably
come from somewhere else eventually.  Web App Firewalls will stop
some of this, but generally I find them to be a measure of last
resort when you know you're full of holes and can't fix it fast enough.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or
that we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
     -- Theodore Roosevelt


On Aug 2, 2007, at 6:45 PM, Cheyenne Throckmorton wrote:

Over the past few days I've noticed some rudimentary attempts to do
some SQL injection type attacks over the URL string on a few of our
sites.

The stuff I'm getting is your typical '1=1 and user>0' type stuff
added to the end of URLs.  Looks almost like they may be using
Google to hack for possible vulnerable strings in CFML sites.  I
know this has been very popular with .asp pages, maybe they are
moving onto .cfm now as well.

In any case, I am double checking our security and think we are
fine, still, not having encountered this, I was wondering what some
of you all might do in similar instances.

I am noticing the attacks are coming to several of our sites from
the same group of IP addresses.  Is there a place to report this
type of activity?  Should you just shut off access entirely for
these IPs?  I know the worst problem with hackers is that once
they are in, they are really tough to get rid of, but at the same
time I'd hate to cut off access to a group of IPs if say it was
like Comcast customers and not the RowandanNationalGreatDeals.com
or something.

Thanks,
Cheyenne

-------------------------------------------------------------
Annual Sponsor - Figleaf Software

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
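As an added example, not code from anyone in this thread, the script below does the periodic log check John suggests: it scans constructed Apache combined-format access-log lines (the IPs and paths are made up) for the '1=1' / 'user>0' style query-string probes Cheyenne describes and groups the hits by source IP, so a group of addresses that keeps probing several sites stands out without blocking anything automatically.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Aug/2007:18:40:01 -0400] "GET /products.cfm?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Aug/2007:18:40:03 -0400] "GET /products.cfm?id=12%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Aug/2007:18:40:05 -0400] "GET /products.cfm?id=12%20and%20user%3E0 HTTP/1.1" 500 812 "-" "Mozilla/4.0"
198.51.100.21 - - [02/Aug/2007:18:41:10 -0400] "GET /news.cfm?id=5'%20or%20'1'='1 HTTP/1.1" 500 812 "-" "Mozilla/4.0"
192.0.2.44 - - [02/Aug/2007:18:42:00 -0400] "GET /about.cfm HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# ip, timestamp, method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The rudimentary probes mentioned in the thread, matched on the URL-decoded query string.
PROBE_PATTERNS = [
    re.compile(r"\b\d+\s*=\s*\d+\b"),       # tautologies such as 1=1
    re.compile(r"\buser\s*>\s*0\b", re.I),  # the 'user>0' probe Cheyenne quotes
    re.compile(r"'\s*or\s*'", re.I),        # quote-based boolean probes
]

def is_probe(path):
    """True when the decoded query string of a request path matches a probe pattern."""
    if "?" not in path:
        return False
    query = unquote_plus(path.split("?", 1)[1])
    return any(p.search(query) for p in PROBE_PATTERNS)

def scan_log(text):
    """Return {ip: [(status, decoded_path), ...]} for every request that looks like a probe."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_probe(m.group("path")):
            hits[m.group("ip")].append((int(m.group("status")), unquote_plus(m.group("path"))))
    return dict(hits)

def report(hits, threshold=2):
    """IPs with at least `threshold` probes, most active first: the ones worth reviewing."""
    counts = Counter({ip: len(v) for ip, v in hits.items()})
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, n in report(found):
        print(f"{ip}: {n} probe(s)")
        for status, path in found[ip]:
            print(f"    HTTP {status}  {path}")  # a 500 here means the probe reached the database layer
```

Run it from cron against the real access log and mail the output when `report()` is non-empty; a probe that returns a 500 rather than a normal page is the one to check first, since it indicates the input reached the query.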
