Re: Recent SQL Injection attacks

2010-01-19 Thread Mary Jo Sminkey

> I do declare that keyword matching alone has issues :-)

Yeah, that can really bite you in the butt!

We've been having pretty good results with the tool that is posted over at my 
site. It does a fairly decent job of catching most injection and XSS attacks 
and with some recent updates that I made to it, has a low rate of false 
positives. While it doesn't include any IP blocking or monitoring functions, it 
would be pretty easy to add those if desired. You may need to tweak it a tad 
for your specific application, but it's pretty easy code to work with. 

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18


--- Mary Jo




~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329804
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Recent SQL Injection attacks

2010-01-18 Thread Tom Chiverton

On Friday 15 Jan 2010, Chung Chow wrote:
>    if ( isdefined("cgi.query_string") and (
>  findnocase("DECLARE",cgi.query_string) or

I do declare that keyword matching alone has issues :-)

-- 
Helping to challengingly envisioneer eighth-generation network integrated 
turn-key bandwidth as part of the IT team of the year, '09 and '08




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329750


RE: Recent SQL Injection attacks

2010-01-16 Thread Al Musella, DPM

What I do is similar..  IF I detect a sql injection, I also add the 
ip address of the user to my banned IP list. I ban them for a week.. 
this way if they manage to find a page that isn't protected, they 
can't do any damage.  I use a server variable to hold the list of 
banned IP addresses, so I can share the list among the few websites I host.
  Then whenever anyone requests a page, I check if their ip is on the 
banned list, if so, I just log it and display an error page saying 
the website is down for maintenance and return soon.



At 06:02 PM 1/15/2010, Chung Chow wrote:

> On the SQL injection subject, here's something I add in all my projects.
> I usually use this snippet of code to intercept at the top level. It
> helps.
>
> <cffunction name="isSQLInjection" access="public" hint="Checks to see if
> there is a possible SQL Injection attempt">
>  <cfscript>
>  if ( isdefined("cgi.query_string") and (
> findnocase("DECLARE",cgi.query_string) or
> findnocase("CAST(",cgi.query_string) or
> findnocase("EXEC(",cgi.query_string) or
> findnocase("EXEC%",cgi.query_string) or len(cgi.query_string) gte 700
> ) ) return true;
>  else return false;
>  </cfscript>
> </cffunction>
>
>> -Original Message-
>> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
>> Sent: Friday, January 15, 2010 2:44 PM
>> To: cf-talk
>> Subject: RE: Recent SQL Injection attacks
>>
>>
>> For coldfusion, I use Fusionreactor..  I look at the request history,
>> and you see the templates that were recently called with the url
>> parameters..   when an attack is in progress, you see a lot of them
>> with big url parameters. Easy to see at a glance.  Best part is then
>> you can view the sql queries that ran and how many rows were
>> affected! I can verify that they don't get through to the real
>> database - just the query logging the attempt in my HACK database!



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329728


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

For coldfusion, I use Fusionreactor..  I look at the request history, 
and you see the templates that were recently called with the url 
parameters..   when an attack is in progress, you see a lot of them 
with big url parameters. Easy to see at a glance.  Best part is then 
you can view the sql queries that ran and how many rows were 
affected! I can verify that they don't get through to the real 
database - just the query logging the attempt in my HACK database!
   I wouldn't run a cold fusion server without a tool like fusion 
reactor.   I created my website with coldfusion 2.0, and a lot of the 
pages haven't been updated (except for sql injection proofing) since 
then, and I learned a lot since then..  fusion reactor gives me the 
list of slow running pages, and I try to improve at least one of them 
every day. I made the entire site much faster, and concentrated on 
the most frequently used pages.  Before fusionreactor, I had no idea 
which pages were the slowest, and what was being looked at right now 
and by whom, and how the queries were doing - timewise and memory wise.


For the forms, my website deals with some mentally challenged 
people and really important stuff.. so I try to make it easy for 
them.   I log all attempts to login.  I get an alert if someone fails 
more than twice.  I get a screen with the username they are trying, 
the passwords they tried, the real password, name, location (so I 
know the time zone), phone number - as well as a way to unlock it (
it gets locked after 3 unsuccessful attempts).  I can tell if it is a 
real person struggling or if it is someone trying to break in.  If 
they are trying to break in, I add their ip address to our list of 
banned ip addresses.  If it is a real person, and the local time is 
reasonable, I call them and help them get in. I am planning on adding 
chat capability soon.

  I usually turn off ftp on my server, except when I need someone to 
upload a large file like an mri. I had it on recently and noticed the 
log file was way too big (it is usually 1-2k, and now it was like 
100k).. so I looked through it and saw someone was alternating 
between trying administrator and webmaster as the user names, and 
many passwords.  Never got in. I don't have an administrator or 
webmaster account allowed for ftp access:)




At 04:11 PM 1/13/2010, you wrote:
> How do you guys monitor these attacks?  The webserver logs?



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329710


RE: Recent SQL Injection attacks

2010-01-15 Thread Chung Chow

On the SQL injection subject, here's something I add in all my projects.
I usually use this snippet of code to intercept at the top level. It
helps. 

<cffunction name="isSQLInjection" access="public" returntype="boolean" output="false"
            hint="Checks to see if there is a possible SQL Injection attempt">
    <cfscript>
    // Only the query string is inspected; form (POST) fields are not checked here.
    if ( isDefined("cgi.query_string") and (
        findNoCase("DECLARE", cgi.query_string) or
        findNoCase("CAST(", cgi.query_string) or
        findNoCase("EXEC(", cgi.query_string) or
        findNoCase("EXEC%", cgi.query_string) or
        len(cgi.query_string) gte 700
    ) ) return true;
    else return false;
    </cfscript>
</cffunction>

> -Original Message-
> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> Sent: Friday, January 15, 2010 2:44 PM
> To: cf-talk
> Subject: RE: Recent SQL Injection attacks
>
>
> For coldfusion, I use Fusionreactor..  I look at the request history,
> and you see the templates that were recently called with the url
> parameters..   when an attack is in progress, you see a lot of them
> with big url parameters. Easy to see at a glance.  Best part is then
> you can view the sql queries that ran and how many rows were
> affected! I can verify that they don't get through to the real
> database - just the query logging the attempt in my HACK database!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329712
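An added example, not code from the thread: a Python port of the isSQLInjection() heuristic posted above, run against a few constructed query strings to show what a raw query-string keyword check catches and what it cannot see. The keyword list and the 700-character threshold are taken from the post; the sample inputs, the form_body parameter and the fully_decode helper are assumptions made for this illustration.

```python
from urllib.parse import unquote_plus

# Keyword fragments and the 700-character threshold come from the CFML
# isSQLInjection() function above. "EXEC%" there matches an encoded space
# after EXEC; after decoding, "EXEC " plays the same role.
KEYWORDS_RAW = ("DECLARE", "CAST(", "EXEC(", "EXEC%")
KEYWORDS_DECODED = ("DECLARE", "CAST(", "EXEC(", "EXEC ")
MAX_QUERY_LEN = 700


def is_sql_injection(query_string: str) -> bool:
    """Port of the posted check: case-insensitive substring search on the
    query string exactly as received (still URL-encoded), plus a length rule."""
    if not query_string:
        return False
    upper = query_string.upper()
    return any(k in upper for k in KEYWORDS_RAW) or len(query_string) >= MAX_QUERY_LEN


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until it stops changing (bounded), so 'CAST%28'
    and the double-encoded 'CAST%2528' both come out as 'CAST('."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_sql_injection_decoded(query_string: str, form_body: str = "") -> bool:
    """Hardened variant (assumption, not from the thread): decode before
    matching and inspect the POST body too, since the original only ever
    sees cgi.query_string. Still a tripwire, not a substitute for cfqueryparam."""
    for raw in (query_string, form_body):
        if not raw:
            continue
        if len(raw) >= MAX_QUERY_LEN:
            return True
        upper = fully_decode(raw).upper()
        if any(k in upper for k in KEYWORDS_DECODED):
            return True
    return False


# Constructed sample inputs (query string, POST body); none come from the thread.
SAMPLES = {
    # Keyword in clear, the shape the check was written for: caught.
    "raw_declare": ("id=1;DECLARE%20@s%20VARCHAR(200)", ""),
    # Parentheses percent-encoded: the raw check wants the literal "CAST("
    # and never sees it in "CAST%28".
    "encoded_cast": ("id=1;SELECT%20CAST%280x41%20AS%20VARCHAR%29", ""),
    # Short boolean payload: no listed keyword, far under 700 characters,
    # so neither variant notices it.
    "short_boolean": ("id=1%20OR%201%3D1", ""),
    # Keyword-free but oversized: only the length rule fires.
    "long_padding": ("id=1;" + "%20" * 250, ""),
    # Clean query string, payload in the POST body: invisible to a
    # query-string-only check.
    "post_body": ("id=1", "comment=x%27%3B+EXEC%20sp_who"),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (raw_check_result, decoded_check_result)}."""
    return {
        name: (is_sql_injection(qs), is_sql_injection_decoded(qs, body))
        for name, (qs, body) in samples.items()
    }


if __name__ == "__main__":
    for name, (raw, hardened) in evaluate().items():
        print(f"{name:14s} raw={raw!s:5s} decoded={hardened}")
```

The short_boolean case is the one to note: a payload that uses none of the listed keywords and stays short passes both variants, which is the sense in which keyword matching alone has issues. The check is useful for logging and banning noisy scanners; the actual fix is cfqueryparam on every query.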


Re: Recent SQL Injection attacks

2010-01-14 Thread Peter Boughton

> The qpscanner is ok in general but I want something that will only get
> me numeric variables that are not in a cfqueryparam.

That is not enough to protect you!

It is not hard to create injection attacks that bypass CF's auto-doubling of 
quotes.

qpscanner deliberately errs on the side of paranoia, because it only takes one 
small hole for an attacker to get in and cause havoc. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329661


Re: Recent SQL Injection attacks

2010-01-14 Thread Michael Dinowitz

I know it's not enough but the point was that there has to be a
priority in what gets fixed. If there are 300+ query vars to fix,
which do you do first? My solution is to fix the numeric vars first
and then fix everything else after. In the end it all gets done but
until I get to the end, the most dangerous vars have to be hit before
the 'less' dangerous ones.

It would be preferred to take the app down, fix it, and put it back up
but with this client that is not an option. That means I have to work
fast and smart to get the job done on a live site. Ug. :(

--
Michael




On Thu, Jan 14, 2010 at 5:43 AM, Peter Boughton <bought...@gmail.com> wrote:

>> The qpscanner is ok in general but I want something that will only get
>> me numeric variables that are not in a cfqueryparam.
>
> That is not enough to protect you!
>
> It is not hard to create injection attacks that bypass CF's auto-doubling of 
> quotes.
>
> qpscanner deliberately errs on the side of paranoia, because it only takes 
> one small hole for an attacker to get in and cause havoc.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329662
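An added example, not from the thread, to make the exchange above concrete: a Python script using sqlite3 that imitates ColdFusion's automatic doubling of single quotes when a variable is interpolated into a cfquery, and shows why that protects a quoted string value but does nothing for a numeric one. It assumes quote-doubling is the only transformation applied (cf_style_escape), and the users table and payloads are constructed for the illustration; lookup_by_id_param stands in for cfqueryparam with cfsqltype="cf_sql_integer".

```python
import sqlite3


def cf_style_escape(value: str) -> str:
    """Assumption: mimic ColdFusion's automatic doubling of single quotes
    for variables interpolated into a cfquery, and nothing else."""
    return value.replace("'", "''")


def build_db() -> sqlite3.Connection:
    # Constructed sample data, not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")],
    )
    return conn


def lookup_by_name_interpolated(conn, name: str) -> list:
    # String context: the value sits between quotes, so the doubled quote
    # keeps the whole payload inside the literal and no injection happens.
    sql = f"SELECT id, name FROM users WHERE name = '{cf_style_escape(name)}'"
    return conn.execute(sql).fetchall()


def lookup_by_id_interpolated(conn, user_id: str) -> list:
    # Numeric context: there are no surrounding quotes, so quote-doubling
    # has nothing to act on and the value is spliced straight into the WHERE.
    sql = f"SELECT id, name FROM users WHERE id = {cf_style_escape(user_id)}"
    return conn.execute(sql).fetchall()


def lookup_by_id_param(conn, user_id: str) -> list:
    # The cfqueryparam equivalent: enforce the type, then bind the value.
    if not user_id.isdigit():
        raise ValueError(f"not an integer id: {user_id!r}")
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


def demo() -> dict:
    """Run the three lookups against normal and hostile input."""
    conn = build_db()
    results = {
        "name_payload": lookup_by_name_interpolated(conn, "alice' OR '1'='1"),
        "id_normal": lookup_by_id_interpolated(conn, "1"),
        "id_payload": lookup_by_id_interpolated(conn, "1 OR 1=1"),
        "id_param_normal": lookup_by_id_param(conn, "1"),
    }
    try:
        lookup_by_id_param(conn, "1 OR 1=1")
        results["id_param_payload"] = "executed"
    except ValueError:
        results["id_param_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16s} -> {outcome}")
```

name_payload comes back empty because the doubled quotes turn the payload into an ordinary (non-matching) string; id_payload returns every row because `1 OR 1=1` needs no quote at all. That is why the thread's triage order (numeric parameters first) is sensible, and why the scanner erring on the side of paranoia is the safer default.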


Re: Recent SQL Injection attacks

2010-01-14 Thread Peter Boughton

>> I think there's at least one or two more too.  I should really make a
>> note of them somewhere...
>
> Charlie Arehart's list.
>
> Pretty sure he's got all this listed in a security/similar category.


Yep, here we go:
http://www.carehart.org/cf411/#testing 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329664


Re: Recent SQL Injection attacks

2010-01-13 Thread Al Musella, DPM

  I have been getting a lot lately... and had an interesting 
one.  One computer was hammering my server. They were trying a 
dictionary attack on one of my forms, in addition to trying sql 
injection on every dynamic page.  Strangely, the IP address of the 
attacker, 204.238.82.17, was from the USA.  It was a security 
company.  I called them and asked what they were doing. They said a 
security audit!   They said they had permission. Turns out they were 
hired to test a website that is one letter off from my domain name 
and they made a mistake.  They stopped immediately.  At least they 
told me I passed:)

  My ftp server has also been getting dictionary attacks from 
Amsterdam 95.154.246.98..  luckily my ftp sites are set up to allow 
only certain ip addresses.


At 08:14 PM 1/12/2010, you wrote:

> Didn't know about that IP. Thanks
>
> They got in through some code that was written literally 10 years ago
> on one of the clients forgotten sites. I've fixed up the cfquery tags
> and added my anti-injection code to the whole dir.
>
> Thanks
>
> --



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329625


RE: Recent SQL Injection attacks

2010-01-13 Thread Chad Gray

How do you guys monitor these attacks?  The webserver logs?

> -Original Message-
> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> Sent: Wednesday, January 13, 2010 12:34 PM
> To: cf-talk
> Subject: Re: Recent SQL Injection attacks
>
>
>   I have been getting a lot lately... and had an interesting
> one.  One computer was hammering my server. They were trying a
> dictionary attack on one of my forms, in addition to trying sql
> injection on every dynamic page.  Strangely, the IP address of the
> attacker, 204.238.82.17, was from the USA.  It was a security
> company.  I called them and asked what they were doing. They said a
> security audit!   They said they had permission. Turns out they were
> hired to test a website that is one letter off from my domain name
> and they made a mistake.  They stopped immediately.  At least they
> told me I passed:)
>
>   My ftp server has also been getting dictionary attacks from
> Amsterdam 95.154.246.98..  luckily my ftp sites are set up to allow
> only certain ip addresses.
>
>
> At 08:14 PM 1/12/2010, you wrote:
>
>> Didn't know about that IP. Thanks
>>
>> They got in through some code that was written literally 10 years ago
>> on one of the clients forgotten sites. I've fixed up the cfquery tags
>> and added my anti-injection code to the whole dir.
>>
>> Thanks
>>
>> --


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329633


Re: Recent SQL Injection attacks

2010-01-13 Thread Michael Dinowitz

I wrote an IIS log parser which can not only parse the IIS logs to a
DB but when the url params are over a certain size or has certain key
words, it'll flag it as a problem to look at later. Unfortunately, the
attack was on a clients site and we knew about it when the page
display was compromised. The logs were only good after the fact.

This attack didn't use the standard declare statement but it did
have a longer than normal request string. Cleaning it out wasn't much
of a problem once it was identified. I've added another bit of text to
my injection scanner code but...

I'm going through query after query on his site which will take me a
while to recode. I'm going to have to dig up my auto-query-param code
that I wrote for someone many years ago and get it up to date. More
work and less rest. :(

--
Michael




On Wed, Jan 13, 2010 at 4:11 PM, Chad Gray cg...@careyweb.com wrote:

 How do you guys monitor these attacks?  The webserver logs?

 -Original Message-
 From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
 Sent: Wednesday, January 13, 2010 12:34 PM
 To: cf-talk
 Subject: Re: Recent SQL Injection attacks


    I have been getting a lot lately... and had an interesting
  one.  One computer was hammering my server. They were trying a
  dictionary attack on one of my forms, in addition to trying SQL
  injection on every dynamic page.  Strangely, the IP address of the
  attacker, 204.238.82.17, was from the USA.  It was a security
  company.  I called them and asked what they were doing. They said a
  security audit!  They said they had permission. Turns out they were
  hired to test a website that is one letter off from my domain name
  and they made a mistake.  They stopped immediately.  At least they
  told me I passed :)
 
    My FTP server has also been getting dictionary attacks from
  Amsterdam, 95.154.246.98.  Luckily my FTP sites are set up to allow
  only certain IP addresses.


 At 08:14 PM 1/12/2010, you wrote:

 Didn't know about that IP. Thanks
 
  They got in through some code that was written literally 10 years ago
  on one of the client's forgotten sites. I've fixed up the cfquery tags
  and added my anti-injection code to the whole dir.
 
 Thanks
 
 --





 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329634


Re: Recent SQL Injection attacks

2010-01-13 Thread Mike Little

Using cfformprotect, I am doing an exercise whereby I am logging each offending IP 
address in a table. Next to each IP I am recording the number of times they 
reoffend. I am then using a block script (found on this site, I think?)...

<!--- blacklist ip addresses --->
<!--- The list lives in a text file next to this template, one IP per line break. --->
<cfset fName = getDirectoryFromPath(getCurrentTemplatePath()) & "blacklist.txt" />

<!--- Load the file into the application scope once, or on demand via ?updateapp=1 --->
<cfif isDefined("url.updateapp") or NOT isDefined("application.blacklist")>
   <cfset application.blacklist = "" />
   <cfif FileExists(fName)>
      <cftry>
         <cffile action="read" file="#fName#" variable="application.blacklist" charset="utf-8" />
         <cfcatch></cfcatch>
      </cftry>
   </cfif>
</cfif>

<!--- Already listed? Send the visitor to the block page and stop processing. --->
<cfif ListFind(application.blacklist, cgi.remote_addr, Chr(13) & Chr(10))>
   <cflocation addtoken="false" url="/blacklist.html" />
   <cfabort />
</cfif>

<!--- Keyword check on the raw query string; a single hit adds the IP to the list and blocks it. --->
<cfif FindNoCase("DECLARE", cgi.query_string) OR FindNoCase("CAST", cgi.query_string)
      OR FindNoCase("EXEC", cgi.query_string) OR FindNoCase("DROP", cgi.query_string)
      OR FindNoCase("DELETE", cgi.query_string)>
   <cfif not ListFind(application.blacklist, cgi.remote_addr, Chr(13) & Chr(10))>
      <cfset application.blacklist = ListAppend(application.blacklist, cgi.remote_addr, Chr(13) & Chr(10)) />
      <cftry>
         <cffile action="write" file="#fName#" output="#application.blacklist#" charset="utf-8" />
         <cfcatch></cfcatch>
      </cftry>
      <cflocation addtoken="false" url="/blacklist.html" />
      <cfabort />
   </cfif>
</cfif>

I am updating the text file with IP addresses with multiple offences. It has been 
interesting and I do believe I have cut down the spam/injection attacks. 
However, the table continues to grow and I think I am losing the battle. Anyway, 
thought this may grow some ideas... 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329635
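An added example, not Michael Dinowitz's IIS log parser or Mike Little's block script, that puts the two approaches from the posts above side by side in Python. It parses IIS W3C extended log lines by their #Fields header, applies the keyword list from the cfif above plus a length rule for the "longer than normal request string" case, and tallies hits per client IP the way the offender table does. The log lines are constructed for the example and the 400-character threshold is an assumption. It also checks the URL-decoded query: cgi.query_string is the raw string, so a keyword written with %xx escapes is invisible to FindNoCase, while a harmless word such as "forecast" does match CAST.

```python
"""Flag suspicious requests in IIS W3C extended logs.

Added example, not code from the cf-talk thread.  Two rules: an over-long
cs-uri-query and a keyword hit on the query string, plus a per-IP tally of
hits.  The log text below is constructed; MAX_QUERY_LEN is an assumed value.
"""
from collections import Counter
from urllib.parse import unquote

# Keyword list taken from the posted <cfif>; compared case-insensitively.
KEYWORDS = ("DECLARE", "CAST", "EXEC", "DROP", "DELETE")
MAX_QUERY_LEN = 400  # assumption: anything longer is "longer than normal"

# Constructed sample log (not a real server's log).  The third request carries
# a long hex blob and no SQL keyword; the fourth spells DECLARE with %xx escapes.
_LONG_HEX = "id=17%3B0x" + "4a" * 220
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2010-01-12 19:02:11 10.0.0.5 GET /weather.cfm forecast=sunny&city=omaha 192.0.2.10 200",
    "2010-01-12 19:02:12 10.0.0.5 GET /news.cfm id=17 192.0.2.11 200",
    "2010-01-12 19:02:13 10.0.0.5 GET /news.cfm " + _LONG_HEX + " 198.51.100.7 500",
    "2010-01-12 19:02:14 10.0.0.5 GET /news.cfm id=17%3B%44%45%43%4C%41%52%45 198.51.100.7 500",
    "2010-01-12 19:02:15 10.0.0.5 GET /index.cfm - 192.0.2.11 200",
])


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip instead of misaligning columns
        yield dict(zip(fields, values))


def keyword_hits(query):
    """Keywords present in query, ignoring case (what FindNoCase would report)."""
    upper = query.upper()
    return [k for k in KEYWORDS if k in upper]


def flag_request(entry):
    """Return the reasons a row looks suspicious; an empty list means clean."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' when there is no query string
        return []
    reasons = []
    if len(query) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(query)} > {MAX_QUERY_LEN}")
    raw_hits = keyword_hits(query)
    if raw_hits:
        reasons.append("keywords: " + ",".join(raw_hits))
    # The raw query is what cgi.query_string holds; a keyword written with
    # %xx escapes only shows up after decoding.
    missed = [k for k in keyword_hits(unquote(query)) if k not in raw_hits]
    if missed:
        reasons.append("keywords after decoding: " + ",".join(missed))
    return reasons


def scan(text):
    """Return (flagged, offenders): flagged rows and a hit count per c-ip."""
    flagged = []
    offenders = Counter()
    for entry in parse_w3c(text):
        reasons = flag_request(entry)
        if reasons:
            flagged.append((entry["c-ip"], entry["cs-uri-stem"], reasons))
            offenders[entry["c-ip"]] += 1
    return flagged, offenders


if __name__ == "__main__":
    rows, counts = scan(SAMPLE_LOG)
    for ip, stem, why in rows:
        print(f"{ip:15} {stem:14} {'; '.join(why)}")
    print("hits per IP:", dict(counts))
```

Run against the sample, the weather request is flagged only because "forecast" contains CAST, the hex blob is caught by the length rule alone, and the percent-encoded DECLARE is caught only after decoding; the two plain requests pass. The per-IP counter is what you would feed a repeat-offender threshold instead of blocking on the first hit.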


Re: Recent SQL Injection attacks

2010-01-13 Thread Michael Dinowitz

Fast question. Has anyone seen an injection attack that used a field
other than an integer?

I've written a fast RegEx for use in Homesite (or any other regex
using editor) that will find any query that has numeric 'looking'
variables that are not in a cfqueryparam. While I have to change every
variable not in a cfqueryparam, I'm trying to get the numerics first.

Thanks

--
Michael

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329638


RE: Recent SQL Injection attacks

2010-01-13 Thread Mark Kruger

Michael,

Yes... Certain types of installations of MySQL are subject to character
injection attacks. 

http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Michael Dinowitz [mailto:mdino...@houseoffusion.com] 
Sent: Wednesday, January 13, 2010 5:34 PM
To: cf-talk
Subject: Re: Recent SQL Injection attacks


Fast question. Has anyone seen an injection attack that used a field other
than an integer?

I've written a fast RegEx for use in Homesite (or any other regex using
editor) that will find any query that has numeric 'looking'
variables that are not in a cfqueryparam. While I have to change every
variable not in a cfqueryparam, I'm trying to get the numerics first.

Thanks

--
Michael



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329639


Re: Recent SQL Injection attacks

2010-01-13 Thread denstar

There's a project for that.

I can't remember what it is off-hand, but I'm 100% sure there's a
cfqueryparam-er.cfc out there, which does this.

Maybe this one? : http://qpscanner.riaforge.org/

I think there's at least one or two more too.  I should really make a
note of them somewhere...

It would be a good addition to codecop, too.

:denny

-- 
Time and memory are true artists; they remould reality nearer to the
heart's desire.
John Dewey

On Wed, Jan 13, 2010 at 4:34 PM, Michael Dinowitz wrote:

 Fast question. Has anyone seen an injection attack that used a field
 other than an integer?

 I've written a fast RegEx for use in Homesite (or any other regex
 using editor) that will find any query that has numeric 'looking'
 variables that are not in a cfqueryparam. While I have to change every
 variable not in a cfqueryparam, I'm trying to get the numerics first.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329643


RE: Recent SQL Injection attacks

2010-01-13 Thread brad

 Maybe this one? : http://qpscanner.riaforge.org/

The other main one is 
http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection

I think a mash up or two might have cropped up in the past year too.

~Brad






Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329645


Re: Recent SQL Injection attacks

2010-01-13 Thread Michael Dinowitz

The qpscanner is ok in general but I want something that will only get
me numeric variables that are not in a cfqueryparam. The RegEx does
that while putting the results in a single click position for me to
edit immediately. My old cfqueryparam scanner allows for
auto-insertion of cfqueryparam tags for variables, but the UI is
nowhere near as good as qpscanner.

I'll provide the rough regex I'm using as soon as I can so that anyone
can use it, include it into an app, etc.

--
Michael




On Wed, Jan 13, 2010 at 7:11 PM, denstar valliants...@gmail.com wrote:

 There's a project for that.

 I can't remember what it is off-hand, but I'm 100% sure there's a
 cfqueryparam-er.cfc out there, which does this.

 Maybe this one? : http://qpscanner.riaforge.org/

 I think there's at least one or two more too.  I should really make a
 note of them somewhere...

 It would be a good addition to codecop, too.

 :denny


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329646
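An added example, not Michael's regex, his old cfqueryparam scanner or the qpscanner project, that does in Python what the two posts above describe: it pulls every #expression# out of a <cfquery> body, ignores the ones already inside a <cfqueryparam>, and lists the unquoted ones first, since an unquoted interpolation is the numeric context while a single-quoted one is a string that ColdFusion quote-escapes. The CFML it scans is a constructed sample with a vulnerable query beside its cfqueryparam'd form; the suggested tag it prints is a guess at the column type, not a safe automatic rewrite.

```python
"""Find #variable# interpolations inside <cfquery> bodies that are not wrapped
in <cfqueryparam>, unquoted (numeric-context) ones first.

Added example, not Michael Dinowitz's regex or the qpscanner project.  The
CFML below is a constructed sample.  Heuristic: inside a <cfquery> body an
interpolation wrapped in single quotes is a string context, where ColdFusion
doubles embedded quotes; an unquoted one is the numeric context the thread
is prioritising.
"""
import re
from typing import NamedTuple

QUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
VAR_RE = re.compile(r"#([^#\n]+)#")

# Constructed sample: two unsafe queries, one string query, one already fixed.
SAMPLE_CFML = """<cfset dsn = "site">
<cfquery name="getNews" datasource="#dsn#">
    SELECT title, body FROM news WHERE id = #url.id#
</cfquery>
<cfquery name="getUser" datasource="#dsn#">
    SELECT id FROM users WHERE username = '#form.username#'
</cfquery>
<cfquery name="getNewsSafe" datasource="#dsn#">
    SELECT title, body FROM news
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="getOrders" datasource="#dsn#">
    SELECT id, total FROM orders WHERE customerid = #url.cid#
    ORDER BY #url.sort#
</cfquery>
"""


class Finding(NamedTuple):
    line: int
    expression: str
    unquoted: bool  # True = numeric context, the higher-priority case


def find_unparameterized(cfml):
    """Return a Finding for every #expr# in a cfquery body not inside cfqueryparam."""
    findings = []
    for q in QUERY_RE.finditer(cfml):
        body, body_start = q.group(1), q.start(1)
        # Blank out cfqueryparam tags with spaces so offsets stay aligned and
        # the #value# inside them is not reported.
        masked = PARAM_RE.sub(lambda m: " " * len(m.group(0)), body)
        for v in VAR_RE.finditer(masked):
            before = masked[v.start() - 1] if v.start() > 0 else ""
            after = masked[v.end()] if v.end() < len(masked) else ""
            quoted = before == "'" and after == "'"
            line = cfml.count("\n", 0, body_start + v.start()) + 1
            findings.append(Finding(line, v.group(1), not quoted))
    # Unquoted (numeric-looking) first, then by position in the file.
    findings.sort(key=lambda f: (not f.unquoted, f.line))
    return findings


def suggest_param(expression, unquoted):
    """Suggested cfqueryparam for one finding.  Unquoted is assumed to be an
    integer column; quoted becomes varchar (and the surrounding quotes must be
    dropped when the tag goes in).  An identifier such as an ORDER BY column
    cannot be bound as a parameter at all and needs an allow-list instead;
    this helper does not detect that case."""
    sqltype = "cf_sql_integer" if unquoted else "cf_sql_varchar"
    return f'<cfqueryparam value="#{expression}#" cfsqltype="{sqltype}">'


if __name__ == "__main__":
    for f in find_unparameterized(SAMPLE_CFML):
        kind = "unquoted" if f.unquoted else "quoted"
        print(f"line {f.line:3} {kind:8} #{f.expression}#  ->  "
              f"{suggest_param(f.expression, f.unquoted)}")
```

On the sample it reports url.id, url.cid and url.sort first and form.username last, and says nothing about the datasource attribute or the query that already uses cfqueryparam. The ORDER BY hit is the case to handle by hand: a column name cannot be a bound parameter, so an allow-list of permitted sort columns is the fix there.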


Re: Recent SQL Injection attacks

2010-01-13 Thread Michael Dinowitz

Mark,

Thanks. The client is on MS SQL so doing the numbers first looks like
a good idea for him. Always good to prioritize work.

--
Michael




On Wed, Jan 13, 2010 at 6:39 PM, Mark Kruger mkru...@cfwebtools.com wrote:

 Michael,

 Yes... Certain types of installations of MySQL are subject to character
 injection attacks.

 http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329647


Re: Recent SQL Injection attacks

2010-01-12 Thread Jerry Johnson

Yes.

All from ip 91.212.226.161

Which we have blocked at our firewall.

Annoying, but we saw these coming 2 summers ago, and took steps.



On Tue, Jan 12, 2010 at 6:05 PM, Michael Dinowitz 
mdino...@houseoffusion.com wrote:


 Has anyone seen any recent SQL injection attacks on their sites or in
 the wild? I just cleaned a bunch of JS and other code from a client's
 DB. Most of the scripts were running those fake anti-virus popups but
 some had other things like lung cancer scams.

 Anyone see anything?

 Thanks

 --
 Michael

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329608


Re: Recent SQL Injection attacks

2010-01-12 Thread Michael Dinowitz

Didn't know about that IP. Thanks

They got in through some code that was written literally 10 years ago
on one of the client's forgotten sites. I've fixed up the cfquery tags
and added my anti-injection code to the whole dir.

Thanks

--
Michael




On Tue, Jan 12, 2010 at 6:31 PM, Jerry Johnson jmi...@gmail.com wrote:

 Yes.

 All from ip 91.212.226.161

 Which we have blocked at our firewall.

 Annoying, but we saw these coming 2 summers ago, and took steps.



 On Tue, Jan 12, 2010 at 6:05 PM, Michael Dinowitz 
 mdino...@houseoffusion.com wrote:


 Has anyone seen any recent SQL injection attacks on their sites or in
 the wild? I just cleaned a bunch of JS and other code from a client's
 DB. Most of the scripts were running those fake anti-virus popups but
 some had other things like lung cancer scams.

 Anyone see anything?

 Thanks

 --
 Michael



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329610