Sending an email every time that you have some sort of attempt is a really 
great way to turn a SQL Injection attack into a Denial of Service attack that 
you are doing to yourself. 




________________________________
From: John Youngman <j...@jg-technologies.net>
To: discussion@acfug.org
Sent: Fri, November 20, 2009 12:24:58 PM
Subject: Re: [ACFUG Discuss] SQL Injection


A very dirty quick possible solution is to check the
CGI.QUERY variable and see if it contains specific SQL keywords that would not
normally be in a search, and either cfabort if it does and/or send
yourself an email alerting you of the possible attack.


From: Dean H. Saxe 
Sent: Friday, November 20, 2009 12:01 PM
To: discussion@acfug.org 
Subject: Re: [ACFUG Discuss] SQL Injection
Generally, the only thing they are looking for is personally 
identifiable information (PII) such as names, addresses, social security 
numbers 
and, most of all, credit card numbers.  Without such information the 
attackers usually either go away or they may use your site to serve up malware, 
such as with the Gumblar worm last summer. 


-dhs


--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given 
by his fathers, but borrowed from his children."  -- John James 
Audubon




On Nov 20, 2009, at 7:02 AM, Jason Vanhoy wrote:

> Another thing that one can potentially determine from
> examining the logs after such attempts is whether or not there's someone
> specifically interested in your data, or is it more likely they're looking
> for *any* data that's easy to access, and you just happened to come up in the
> list.
>
>
>
>
> On Fri, Nov 20, 2009 at 10:00 AM, Teddy R. Payne <teddyrpa...@gmail.com> wrote:
>
>> What text was being used for the attack, when the attack
>> occurred, where did the attack come from, was the attack successful, is
>> there another way they could exploit that part of the application, how
>> localized or widespread is the attack, and what is the potential risk of all
>> the above in terms of revenue, developer time, private data, and public
>> confidence.
>> 
>>
>>
>>Teddy R. Payne, ACCFD
>>Google Talk - teddyrpa...@gmail.com
>>
>>
>>
>>
>>On Fri, Nov 20, 2009 at 9:56 AM, Rudi Shumpert <shump...@gmail.com> wrote:
>>
>>> Doing most of that.
>>>
>>> Except for the analysis later
>>> part. Anything specific you look for in doing the analysis?
>>> 
>>>
>>>
>>>
>>> On Fri, Nov 20, 2009 at 9:50 AM, Teddy R. Payne <teddyrpa...@gmail.com> wrote:
>>>
>>>> You start off by trapping the error. Prevent the
>>>> transaction. Record the error somewhere more persistent for review
>>>> and analysis later. Display an error to the user that matches your
>>>> site with a meaningful message.
>>>>
>>>> Creating error trapping that can
>>>> specifically identify these types of attempts could also reduce
>>>> your noise to sound ratio as well.
>>>>
>>>>
>>>>Teddy R. Payne, ACCFD
>>>>Google Talk - teddyrpa...@gmail.com 
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Nov 20, 2009 at 9:44 AM, Rudi Shumpert <shump...@gmail.com> wrote:
>>>>
>>>>> The stuff I'm seeing is nothing really new, just was
>>>>> wondering if there are some best practices on what to do after
>>>>> to stop the attempt.
>>>>>
>>>>>-Rudi
>>>>>
>>>>>
>>>>> On Fri, Nov 20, 2009 at 9:27 AM, Mischa Uppelschoten <mischa.uppelscho...@bankersx.com> wrote:
>>>>>
>>>>>> I probably missed something, but this article
>>>>>> is almost a year and a half old... what specifically is
>>>>>> attempted now?
>>>>>>
>>>>>> : Hey folks,
>>>>>> :
>>>>>> : I saw John's tweet earlier this week about a new wave of SQL Injection (and
>>>>>> : link to a great article on it
>>>>>> : http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss),
>>>>>> : and sure enough I'm seeing a huge upswing in attempts. Over 100 failed attempts last night
>>>>>> : alone.
>>>>>> :
>>>>>> : We have taken the steps to prevent damage / harm, but I was wondering what
>>>>>> : folks are doing after they stop the attempt. What kind of message if any do
>>>>>> : you provide? Are people checking the logs, and blocking IPs of the worst
>>>>>> : offenders? Or something else?
>>>>>> :
>>>>>> : -Rudi
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Mischa Uppelschoten
>>>>>> VP of Technology
>>>>>> The Banker's Exchange, LLC.
>>>>>> 4200 Highlands Parkway SE
>>>>>> Suite A
>>>>>> Smyrna, GA 30082-5198
>>>>>>
>>>>>> Phone: (404) 605-0100 ext. 10
>>>>>> Fax: (404) 355-7930
>>>>>> Web: www.BankersX.com
>>>>>> Follow this link for Instant Web Chat:
>>>>>> http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
>>>>>>
>>>>>> ----------------------- Original Message -----------------------
>>>>>>
>>>>>>From: Rudi Shumpert <shump...@gmail.com>
>>>>>>To: discussion@acfug.org
>>>>>>Date: Fri, 20 Nov 2009 06:47:20 -0500
>>>>>>Subject: [ACFUG Discuss] SQL Injection
>>>>>> Hey folks,
>>>>>>
>>>>>> I saw John's tweet earlier this week about a new wave of SQL Injection (and link
>>>>>> to a great article on it
>>>>>> http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss),
>>>>>> and sure enough I'm seeing a huge upswing in attempts. Over
>>>>>> 100 failed attempts last night alone.
>>>>>>
>>>>>> We have taken the steps to prevent damage / harm, but I was wondering what folks are
>>>>>> doing after they stop the attempt. What kind of message if any do
>>>>>> you provide? Are people checking the logs, and blocking IPs
>>>>>> of the worst offenders? Or something else?
>>>>>>
>>>>>> -Rudi
>>>>>> -------------------------------------------------------------
>>>>>> To unsubscribe from this list, manage your profile @
>>>>>> http://www.acfug.org?fa=login.edituserform
>>>>>> For more info, see http://www.acfug.org/mailinglists
>>>>>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>>>>>> List hosted by http://www.fusionlink.com
>>>>>> -------------------------------------------------------------
>>>>>>
>>>>>
>>>>
>>>
>>
>
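The keyword tripwire John suggests, the "don't email on every hit" warning at the top of the thread, and the log questions Jason and Teddy raise (which IP, which pages, how widespread), as an added Python example. This is not code from the thread, from the Portcullis CFC, or from any of the posters; the keyword list, the AttemptMonitor class, and the sample traffic are all assumptions constructed for the example.

```python
"""Added example, not code from the ACFUG thread: a quick keyword check on the
query string, with every hit logged for later analysis and alerts throttled
per source IP so the alerting cannot be turned into a mail flood against
yourself. All sample requests below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Phrases that rarely appear in a legitimate search but routinely appear in
# injection payloads (assumed list; tune it for the application).
SQL_KEYWORD_RE = re.compile(
    r"\b(?:union\s+(?:all\s+)?select|select\s+.+?\s+from|insert\s+into|"
    r"update\s+\w+\s+set|delete\s+from|drop\s+table|xp_cmdshell|"
    r"declare\s+@|waitfor\s+delay|information_schema|cast\s*\()",
    re.IGNORECASE,
)
# Quote-then-boolean tautology probes such as  ' OR '1'='1  or  1' AND 1=2--
TAUTOLOGY_RE = re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+", re.IGNORECASE)


def looks_like_sqli(query_string: str) -> bool:
    """Heuristic only: decode twice (double-encoded payloads survive a single
    decode) and look for SQL structure. Expect false positives."""
    decoded = unquote_plus(unquote_plus(query_string))
    return bool(SQL_KEYWORD_RE.search(decoded) or TAUTOLOGY_RE.search(decoded))


class AttemptMonitor:
    """Logs every suspicious request; alerts at most once per IP per window."""

    def __init__(self, alert_window=3600.0):
        self.alert_window = alert_window
        self.attempts = []     # persistent record of every flagged request
        self.last_alert = {}   # ip -> timestamp of the last alert for that ip
        self.alerts = []       # (ip, ts) pairs that would actually go out by email

    def record(self, ts, ip, path, query_string):
        """Return True if the request was flagged (the caller aborts the query)."""
        if not looks_like_sqli(query_string):
            return False
        self.attempts.append({"ts": ts, "ip": ip, "path": path,
                              "qs": unquote_plus(query_string)})
        last = self.last_alert.get(ip)
        if last is None or ts - last >= self.alert_window:
            self.last_alert[ip] = ts
            self.alerts.append((ip, ts))
        return True

    def summarize(self):
        """Per-IP counts, distinct paths and time span. Many distinct paths from
        one IP reads as a broad scan; repeated probes of one page reads as
        someone interested in that page specifically."""
        by_ip = {}
        for a in self.attempts:
            s = by_ip.setdefault(a["ip"], {"attempts": 0, "paths": set(),
                                           "first": a["ts"], "last": a["ts"]})
            s["attempts"] += 1
            s["paths"].add(a["path"])
            s["first"] = min(s["first"], a["ts"])
            s["last"] = max(s["last"], a["ts"])
        return by_ip

    def block_candidates(self, min_attempts=3):
        """IPs with enough flagged requests to be worth blocking at the firewall."""
        return sorted(ip for ip, s in self.summarize().items()
                      if s["attempts"] >= min_attempts)


# Constructed sample traffic: (unix timestamp, source ip, script, raw query string)
SAMPLE_REQUESTS = [
    (1000.0, "203.0.113.7", "/products.cfm", "id=12"),
    (1001.0, "203.0.113.7", "/products.cfm", "id=12'%20OR%20'1'='1"),
    (1002.0, "203.0.113.7", "/products.cfm", "id=12;DECLARE%20@s%20VARCHAR(4000)"),
    (1003.0, "203.0.113.7", "/news.cfm", "id=1%20UNION%20ALL%20SELECT%20NULL,NULL--"),
    (1500.0, "198.51.100.4", "/search.cfm", "q=1'%20AND%201=1--"),
    (1501.0, "198.51.100.4", "/search.cfm", "q=1'%20AND%201=2--"),
    (1502.0, "198.51.100.4", "/search.cfm", "q=1'%20waitfor%20delay%20'0:0:5'--"),
    # A legitimate search that trips the keyword check: a false positive, which
    # is why this filter is a tripwire and not a substitute for parameterized queries.
    (1600.0, "192.0.2.9", "/search.cfm", "q=select+your+favorite+color+from+the+list"),
]


def run_sample(alert_window=3600.0):
    mon = AttemptMonitor(alert_window)
    for ts, ip, path, qs in SAMPLE_REQUESTS:
        mon.record(ts, ip, path, qs)
    return mon


if __name__ == "__main__":
    mon = run_sample()
    print(f"{len(mon.attempts)} flagged requests, {len(mon.alerts)} emails sent")
    for ip, s in mon.summarize().items():
        print(ip, s["attempts"], sorted(s["paths"]))
    print("block candidates:", mon.block_candidates())
```

With the one-hour window the eight sample requests produce seven log entries but only three emails (one per source); with a window of one second every hit would send mail, which is the self-inflicted denial of service the top of the thread warns about. The last sample request shows the cost of keyword matching: an ordinary search phrase is flagged, so in a ColdFusion application the filter should sit in front of, never instead of, cfqueryparam on every query.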

------------------------------------------------------------- 
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink 
-------------------------------------------------------------

