Generally, the only thing they are looking for is personally identifiable 
information (PII) such as names, addresses, social security numbers and, most 
of all, credit card numbers.  Without such information the attackers usually 
either go away or they may use your site to serve up malware, such as with the 
Gumblar worm last summer.

-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by 
his fathers, but borrowed from his children."  -- John James Audubon




On Nov 20, 2009, at 7:02 AM, Jason Vanhoy wrote:

> Another thing that one can potentially determine from examining the logs 
> after such attempts is whether or not there's someone specifically interested 
> in your data, or is it more likely they're looking for *any* data that's easy 
> to access, and you just happened to come up in the list.
> 
> 
> 
> On Fri, Nov 20, 2009 at 10:00 AM, Teddy R. Payne <teddyrpa...@gmail.com> 
> wrote:
> What text was being used for the attack, when the attack occurred, where did 
> the attack come from, was the attack successful, is there another way they 
> could exploit that part of the application, how localized or widespread is 
> the attack, and what is the potential risk of all the above in the terms of 
> revenue, developer time, private data, and public confidence.
> 
> 
> Teddy R. Payne, ACCFD
> Google Talk - teddyrpa...@gmail.com
> 
> 
> 
> On Fri, Nov 20, 2009 at 9:56 AM, Rudi Shumpert <shump...@gmail.com> wrote:
> Doing most of that.
> 
> Except for the analysis later part.   Anything specific you look for in doing 
> the analysis?
> 
> 
> On Fri, Nov 20, 2009 at 9:50 AM, Teddy R. Payne <teddyrpa...@gmail.com> wrote:
> You start off by trapping the error. Prevent the transaction.  Record the 
> error somewhere more persistent for review and analysis later.  Display an 
> error to the user that matches your site with a meaningful message.
> 
> Creating error trapping that can specifically identify these types of 
> attempts could also reduce your noise to sound ratio as well.
> 
> 
> Teddy R. Payne, ACCFD
> Google Talk - teddyrpa...@gmail.com
> 
> 
> 
> 
> On Fri, Nov 20, 2009 at 9:44 AM, Rudi Shumpert <shump...@gmail.com> wrote:
> The stuff I'm seeing is nothing really new, just was wondering if there are 
> some best practices on what to do after to stop the attempt.
> 
> -Rudi
> 
> On Fri, Nov 20, 2009 at 9:27 AM, Mischa Uppelschoten 
> <mischa.uppelscho...@bankersx.com> wrote:
> I probably missed something, but this article is almost a year and a half 
> old... what specifically is attempted now?
>  
> : Hey folks,
> 
> : I saw John's tweet earlier this week about a new wave of SQL Injection (and
> : link to a great article on it
> : http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss),
> : and sure enough I'm seeing a huge upswing in attempts.  Over 100 failed
> : attempts last night alone.
> :
> : We have taken the steps to prevent damage / harm, but I was wondering what
> : folks are doing after they stop the attempt.  What kind of message if any do
> : you provide ?  Are people checking the logs, and blocking IPs of the worst
> : offenders?  Or something else?
> :  
> : -Rudi
> 
> 
> 
> 
> Mischa Uppelschoten
> VP of Technology
> The Banker's Exchange, LLC.
> 4200 Highlands Parkway SE
> Suite A
> Smyrna, GA 30082-5198
> 
> Phone:    (404) 605-0100 ext. 10
> Fax:    (404) 355-7930
> Web:    www.BankersX.com
> Follow this link for Instant Web Chat:
> http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
> ----------------------- Original Message -----------------------
>   
> From: Rudi Shumpert <shump...@gmail.com>
> To: discussion@acfug.org
> Date: Fri, 20 Nov 2009 06:47:20 -0500
> Subject: [ACFUG Discuss] SQL Injection
>   
> Hey folks,
> 
> I saw John's tweet earlier this week about a new wave of SQL Injection ( and 
> link to a great article on it 
> http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss),
>  and sure enough I'm seeing a huge upswing in attempts.  Over 100 failed 
> attempts last night alone.
> 
> We have taken the steps to prevent damage / harm, but I was wondering what 
> folks are doing after they stop the attempt.  What kind of message if any do 
> you provide ?  Are people checking the logs, and blocking IP's of the worst 
> offenders?   Or something else?
> 
> -Rudi
> 
> 
> 
> 
> 
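
The log review discussed in this thread (what text was used, when, from where, how widespread, and whether one source is focused on your site or you simply came up in a sweep) can be scripted. The following is an added example, not code from any participant in the thread; the tab-separated log format, the placeholder texts and the classification thresholds are assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample (hypothetical tab-separated log of blocked requests:
# time, source IP, page, parameter, rejected text). Texts are placeholders.
SAMPLE_LOG = (
    "2009-11-19T23:01:10\t198.51.100.7\t/news.cfm\tid\tPROBE A\n"
    "2009-11-19T23:01:12\t203.0.113.9\t/news.cfm\tid\tprobe   a\n"
    "2009-11-19T23:04:40\t192.0.2.44\t/item.cfm\tid\tProbe A\n"
    "2009-11-20T01:15:00\t192.0.2.200\t/account.cfm\tuser\tPROBE B\n"
    "2009-11-20T01:15:30\t192.0.2.200\t/account.cfm\tuser\tPROBE C\n"
    "2009-11-20T01:16:05\t192.0.2.200\t/account.cfm\tacct\tPROBE D\n"
    "2009-11-20T02:40:00\t198.51.100.23\t/search.cfm\tq\tPROBE E\n"
)

def fingerprint(text):
    """Fold case and whitespace so trivially varied copies group together."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()[:12]

def triage(log_text, focus_min=3):
    """Summarise blocked attempts per source IP and label each source."""
    by_ip, sources = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, page, param, text = line.split("\t", 4)
        fp = fingerprint(text)
        by_ip[ip].append((datetime.fromisoformat(ts), page, param, fp))
        sources[fp].add(ip)
    report = {}
    for ip, hits in by_ip.items():
        texts, pages = {h[3] for h in hits}, {h[1] for h in hits}
        shared = any(len(sources[fp]) > 1 for fp in texts)
        # Assumed heuristic, tune to your own traffic:
        if shared:
            kind = "sweep"      # same text arriving from several sources
        elif len(texts) >= focus_min and len(pages) == 1:
            kind = "focused"    # one source varying its text on one page
        else:
            kind = "unclear"
        report[ip] = {"kind": kind, "attempts": len(hits), "pages": sorted(pages),
                      "first": min(h[0] for h in hits), "last": max(h[0] for h in hits)}
    return report

if __name__ == "__main__":
    for ip, row in sorted(triage(SAMPLE_LOG).items()):
        print(ip, row["kind"], row["attempts"], row["pages"], row["first"], row["last"])
```

Sources labelled "focused" are the ones worth a manual look at the affected page; "sweep" sources are candidates for the IP blocking asked about in the original question.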
