Urgent: Posible Dictionary Attack Every 3 Sec, Logging not caching IP

Posted on 2007-10-05
Last Modified: 2013-12-24
Im trying to track some 404 errors that are popping up every 3 seconds on my cold fusion "webserver.log" file.

Someone or something is trying to pull this non-existant files. Example of this log file:
"Error","TID=952","10/05/07","12:35:55","HTTP/1.0 404 Object Not Found. The template specified, D:\www\\Suzuki_Dealership.cfm, does not exist on the specified server."
"Error","TID=652","10/05/07","12:37:55","HTTP/1.0 404 Object Not Found. The template specified, D:\www\\Austin_Mini.cfm, does not exist on the specified server."
"Error","TID=612","10/05/07","12:40:03","HTTP/1.0 404 Object Not Found. The template specified, D:\www\\Burlington_Car_Dealers.cfm, does not exist on the specified server."

Like mentioned before, multiple lines every 3 sec, for different files.

Problem is also that i am logging also to NT and i can't seem to log this errors in particular on the iis logs, but if i try to access a non existing cfm from the outside world, it will be logged. Strange.

I'm trying to pin point the source.

Cold Fusion is also not logging the ip or hostname. Can this also me accomplished?
Question by:speednow
    LVL 6

    Accepted Solution

    You could look at this >>

    Now the idea behind this is to the page to when a 404 is hit, it logs the users information. You could make a custom page to store the variables to a database.
    LVL 36

    Assisted Solution

    "Someone or something is trying to pull this non-existant files."

    while it's possible that someone is trying to harvest protected information (if you have such a thing) I don't think this is an attack, more like a misconfiguration.

    did these files exist at one time? It's possible someone set up a script (like cfhttp) to pull prices or whatever from these pages. If they have been moved or deleted, the script would still run and try to access the files. Another possibility is a cfschedule on your own server running on templates that have been move or removed.

    You could do what nathan has suggested and create a custom 404 page

    a cf version could be something like

    An Error Has Occured. Please check the address and try again.

    <cfquery name="track404IP" ...>
      insert into tblIPTracking

    you could also track with more cgi variables

    once you see where the IP calls are coming from you could either try and contact them or just block them at the firewall.


    Author Comment

    The files haven't existed at anytime.  How can i check on those cfhttp's.

    Im still unable to log.

    Author Comment

    Still unknown what is causing this.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Network it in WD Red

    There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

    This is a guide to setting up a new WHM/cPanel Server to be used for web hosting accounts. It is intended for web hosting company administrators and dedicated server owners. For under $99 per month (considering normal rate of Big Data Cetnters like …
    Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now