A very dirty, quick, possible solution is to check the CGI.QUERY variable and see 
if it contains specific SQL keywords that would not normally be in a search, 
and either cfabort if it does and/or send yourself an email alerting you of the 
possible attack.


From: Dean H. Saxe 
Sent: Friday, November 20, 2009 12:01 PM
To: [email protected] 
Subject: Re: [ACFUG Discuss] SQL Injection


Generally, the only thing they are looking for is personally identifiable 
information (PII) such as names, addresses, social security numbers and, most 
of all, credit card numbers.  Without such information the attackers usually 
either go away or they may use your site to serve up malware, such as with the 
Gumblar worm last summer. 


-dhs


--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by 
his fathers, but borrowed from his children."  -- John James Audubon

On Nov 20, 2009, at 7:02 AM, Jason Vanhoy wrote:


  Another thing that one can potentially determine from examining the logs 
after such attempts is whether or not there's someone specifically interested 
in your data, or whether it's more likely they're looking for *any* data that's 
easy to access, and you just happened to come up in the list.

  On Fri, Nov 20, 2009 at 10:00 AM, Teddy R. Payne <[email protected]> 
wrote:

    What text was being used for the attack, when the attack occurred, where did 
the attack come from, was the attack successful, is there another way they 
could exploit that part of the application, how localized or widespread is the 
attack, and what is the potential risk of all the above in terms of 
revenue, developer time, private data, and public confidence. 


    Teddy R. Payne, ACCFD
    Google Talk - [email protected]

    On Fri, Nov 20, 2009 at 9:56 AM, Rudi Shumpert <[email protected]> wrote:

      Doing most of that.

      Except for the analysis later part.   Anything specific you look for in 
doing the analysis? 



      On Fri, Nov 20, 2009 at 9:50 AM, Teddy R. Payne <[email protected]> 
wrote:

        You start off by trapping the error. Prevent the transaction.  Record 
the error somewhere more persistent for review and analysis later.  Display an 
error to the user that matches your site with a meaningful message.

        Creating error trapping that can specifically identify these types of 
attempts could also reduce your noise to sound ratio as well.


        Teddy R. Payne, ACCFD
        Google Talk - [email protected] 

        On Fri, Nov 20, 2009 at 9:44 AM, Rudi Shumpert <[email protected]> 
wrote:

          The stuff I'm seeing is nothing really new, just was wondering if 
there are some best practices on what to do after to stop the attempt.

          -Rudi


          On Fri, Nov 20, 2009 at 9:27 AM, Mischa Uppelschoten 
<[email protected]> wrote:

            I probably missed something, but this article is almost a year and 
a half old... what specifically is attempted now?

            Mischa Uppelschoten
            VP of Technology
            The Banker's Exchange, LLC.
            4200 Highlands Parkway SE
            Suite A
            Smyrna, GA 30082-5198

            Phone:    (404) 605-0100 ext. 10
            Fax:    (404) 355-7930
            Web:    www.BankersX.com
            Follow this link for Instant Web Chat:
            http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
            ----------------------- Original Message -----------------------
              
            From: Rudi Shumpert <[email protected]>
            To: [email protected]
            Date: Fri, 20 Nov 2009 06:47:20 -0500
            Subject: [ACFUG Discuss] SQL Injection
              
            Hey folks,


            I saw John's tweet earlier this week about a new wave of SQL 
Injection ( and link to a great article on it 
http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss),
 and sure enough I'm seeing a huge upswing in attempts.  Over 100 failed 
attempts last night alone.

            We have taken the steps to prevent damage / harm, but I was 
wondering what folks are doing after they stop the attempt.  What kind of 
message, if any, do you provide?  Are people checking the logs, and blocking 
IPs of the worst offenders?  Or something else?

            -Rudi

            -------------------------------------------------------------
            To unsubscribe from this list, manage your profile @ 
            http://www.acfug.org?fa=login.edituserform
            For more info, see http://www.acfug.org/mailinglists
            Archive @ http://www.mail-archive.com/discussion%40acfug.org/
            List hosted by http://www.fusionlink.com
            -------------------------------------------------------------
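The two ideas in this thread, a keyword check on the query string and a review of the logs afterwards (where the attempts came from, which parameter they hit, whether they looked successful), worked through as an added Python example that is not code from the thread or from any ColdFusion project. The log format, the marker patterns and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2009:02:14:03 -0500] "GET /search.cfm?q=cfml+select+box HTTP/1.1" 200 5120
203.0.113.7 - - [20/Nov/2009:02:14:09 -0500] "GET /product.cfm?id=12%27%20UNION%20SELECT%201--%20 HTTP/1.1" 500 312
203.0.113.7 - - [20/Nov/2009:02:14:11 -0500] "GET /product.cfm?id=12%3BDECLARE%20%40s%20VARCHAR(4000) HTTP/1.1" 500 312
198.51.100.20 - - [20/Nov/2009:02:30:41 -0500] "GET /product.cfm?id=13%27%20OR%201%3D1-- HTTP/1.1" 200 5870
198.51.100.20 - - [20/Nov/2009:02:30:55 -0500] "GET /news.cfm?id=4 HTTP/1.1" 200 4420
"""

# Markers that rarely occur in a genuine search term; a bare word such as
# "select" is deliberately not enough, since that would flag ordinary searches.
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bunion\b\s+(all\s+)?select\b",  # result-set stacking
    r"\bdeclare\s+@",                  # T-SQL variable declaration
    r"\b(exec|execute)\b\s*\(",        # dynamic statement execution
    r"'\s*or\s+\S+\s*=\s*\S+",         # tautology after a closing quote
    r"--|/\*",                         # SQL comment used to truncate the query
)]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \d+')

def looks_like_sqli(decoded_text):
    """Coarse heuristic over an already URL-decoded string: a hit means 'review',
    not 'proof', and encoded or novel variants will slip past it."""
    return any(p.search(decoded_text) for p in SQLI_PATTERNS)

def triage(log_text):
    """Per flagged request: source IP, parameter hit, and server status (a 500
    suggests the injected text reached the database driver; a 200 deserves a look)."""
    by_ip, by_param, by_status, payloads = Counter(), Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; count these separately in production
        query = urlsplit(m["url"]).query
        if not looks_like_sqli(unquote_plus(query)):
            continue
        by_ip[m["ip"]] += 1
        by_status[m["status"]] += 1
        payloads.add(unquote_plus(query))
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if any(looks_like_sqli(v) for v in values):
                by_param[name] += 1
    return {"hits": sum(by_ip.values()), "by_ip": by_ip, "by_param": by_param,
            "by_status": by_status, "distinct_payloads": len(payloads)}
```

On the constructed sample, `triage(SAMPLE_LOG)` reports three hits from two addresses, all against the `id` parameter, two of which produced a 500; the ordinary search containing the word "select" is not flagged.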