RE: Script on one site

2008-09-03 Thread webmaster
Yeah I did that already. It is in the .cfm files themselves. I also have
code in place to prevent SQL injection attacks. I'm hoping these were
files I just missed on the first cleanup. 


-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2008 10:38 AM
To: CF-Talk
Subject: Re: Script on one site

Look at the .cfm file and see if these script tags are in the cfm 
file or if they are stored in a database.
Look through your database. Look at every table and see if there is 
a lot of junk at the end of some char or varchar fields.

At 10:37 PM 9/2/2008, you wrote:


>I have one site in particular that keeps getting this kind of stuff on
>the bottom of .cfm pages right above the  tag.  I have already
>recreated their FTP account once with a strong password. It seems odd
>this is only happening to .cfm pages though and only on this site on the
>server. Any ideas?
>
>
>
>
>
>http://www.ncwc.ru/fgg.js>src=http://www.ncwc.ru/fgg.js>

Re: Script on one site

2008-09-03 Thread Al Musella, DPM
Look at the .cfm file and see if these script tags are in the cfm 
file or if they are stored in a database.
Look through your database. Look at every table and see if there is 
a lot of junk at the end of some char or varchar fields.

At 10:37 PM 9/2/2008, you wrote:


>I have one site in particular that keeps getting this kind of stuff on
>the bottom of .cfm pages right above the  tag.  I have already
>recreated their FTP account once with a strong password. It seems odd
>this is only happening to .cfm pages though and only on this site on the
>server. Any ideas?
>
>
>
>
>
>http://www.ncwc.ru/fgg.js>src=http://www.ncwc.ru/fgg.js>

RE: Script on one site

2008-09-03 Thread Scott Raley -ITC
Yes we just had this happen and it was a sql attack.

-Original Message-
From: Justin D. Scott [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2008 12:01 AM
To: CF-Talk
Subject: RE: Script on one site

> Any ideas?

Probably a SQL injection attack.  See the previous discussion on this topic:

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241


-Justin Scott




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311974
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: Script on one site

2008-09-02 Thread Brad Wood
Only if you are outputting a variable from the database at the bottom of 
your page right under your body tag.

You need to find out if the text is being output in a variable which has 
come from the database, or if it is actually in the .CFM files.

Even if you hardened your FTP password, your server could be infected with a 
virus that continues to modify your code.  There are actually tons of ways 
it *could* be happening.
Let's start by deciding where that text is actually stored.

~Brad

- Original Message - 
From: "Justin D. Scott" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Tuesday, September 02, 2008 11:00 PM
Subject: RE: Script on one site


>> Any ideas?
>
> Probably a SQL injection attack.  See the previous discussion on this 
> topic:
> 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311972
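
A triage sketch for the question Al and Brad raise above (is the injected tag in the .cfm files themselves or in database fields?), added here as an example and not code from any poster in the thread. The function names, the allow-list parameter and the sample data are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches <script ... src=URL> where URL is absolute (http/https), quoted or not.
EXTERNAL_SCRIPT = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.IGNORECASE)

def find_external_scripts(text, allowed_hosts=()):
    """Return script URLs in text whose host is not on the allow-list."""
    hits = []
    for url in EXTERNAL_SCRIPT.findall(text):
        host = url.split("/")[2].lower()
        if host not in allowed_hosts:
            hits.append(url)
    return hits

def scan_templates(root, allowed_hosts=()):
    """Map each .cfm file under root to the unexpected script URLs it contains."""
    report = {}
    for path in sorted(Path(root).rglob("*.cfm")):
        hits = find_external_scripts(path.read_text(errors="replace"), allowed_hosts)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

def scan_rows(rows, allowed_hosts=()):
    """rows: iterable of (table, column, value) read from char/varchar fields."""
    return [(t, c, u) for t, c, v in rows
            for u in find_external_scripts(v or "", allowed_hosts)]

def demo():
    # Constructed sample data: one clean template, one template with a tag
    # appended above the closing tags, and one text column with a tag appended.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.cfm").write_text("<html><body>Hello</body></html>")
        Path(root, "news.cfm").write_text(
            "<html><body>News\n"
            "<script src=http://injected.example/x.js></script>\n</body></html>")
        files = scan_templates(root)
    rows = [("products", "title", "Blue widget"),
            ("products", "descr",
             'Nice<script src="http://injected.example/x.js"></script>')]
    return files, scan_rows(rows)

if __name__ == "__main__":
    print(demo())
```

Hits from `scan_templates` mean the files on disk were modified; hits from `scan_rows` mean the markup is stored in the data and is being output by the page.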


RE: Script on one site

2008-09-02 Thread Justin D. Scott
> Any ideas?

Probably a SQL injection attack.  See the previous discussion on this topic:

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241


-Justin Scott



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311971


Re: Script on one site

2008-09-02 Thread Azadi Saryev
you have become a victim of sql injection. there are huge threads on
this forum devoted to the recent spate of sqli attacks, with great
suggestions re fixing this.

the most important thing: make sure all your queries use !

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/



[EMAIL PROTECTED] wrote:
> I have one site in particular that keeps getting this kind of stuff on
> the bottom of .cfm pages right above the  tag.  I have already
> recreated their FTP account once with a strong password. It seems odd
> this is only happening to .cfm pages though and only on this site on the
> server. Any ideas?