Urgent: Possible Dictionary Attack Every 3 Sec, Logging not caching IP

I'm trying to track some 404 errors that are popping up every 3 seconds in my ColdFusion "webserver.log" file.

Someone or something is trying to pull these non-existent files. Example of this log file:
---------------------------------------------------
"Error","TID=952","10/05/07","12:35:55","HTTP/1.0 404 Object Not Found. The template specified, D:\www\domain.com\Suzuki_Dealership.cfm, does not exist on the specified server."
"Error","TID=652","10/05/07","12:37:55","HTTP/1.0 404 Object Not Found. The template specified, D:\www\domain.com\Austin_Mini.cfm, does not exist on the specified server."
"Error","TID=612","10/05/07","12:40:03","HTTP/1.0 404 Object Not Found. The template specified, D:\www\domain.com\Burlington_Car_Dealers.cfm, does not exist on the specified server."

------------------------------------------------------
As mentioned before, multiple lines every 3 sec, for different files.

The problem is also that I am also logging to NT, and I can't seem to log these errors in particular in the IIS logs, but if I try to access a non-existing cfm from the outside world, it will be logged. Strange.

I'm trying to pinpoint the source.

ColdFusion is also not logging the IP or hostname. Can this also be accomplished?
Asked by: speednow

nathana21 Commented:
You could look at this >> http://www.4guysfromrolla.com/webtech/073100-1.shtml

Now the idea behind this is for the page, when a 404 is hit, to log the user's information. You could make a custom page to store the variables in a database.

SidFishes Commented:
"Someone or something is trying to pull these non-existent files."

While it's possible that someone is trying to harvest protected information (if you have such a thing), I don't think this is an attack, more like a misconfiguration.

Did these files exist at one time? It's possible someone set up a script (like cfhttp) to pull prices or whatever from these pages. If they have been moved or deleted, the script would still run and try to access the files. Another possibility is a cfschedule on your own server running on templates that have been moved or removed.

You could do what nathan has suggested and create a custom 404 page.

A CF version could be something like:


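<!--- Custom 404 template: show a message, then record when and from where the request came --->
An Error Has Occurred. Please check the address and try again.

<!--- cfqueryparam binds the values, so the IP string is not pasted into the SQL unquoted --->
<cfquery name="track404IP" ...>
  insert into tblIPTracking
  (404time,
  CallerIP)
  values
  (<cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">,
  <cfqueryparam value="#cgi.remote_addr#" cfsqltype="cf_sql_varchar">)
</cfquery>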

You could also track with more CGI variables: http://livedocs.adobe.com/coldfusion/6/CFML_Reference/Expressions5.htm

Once you see where the IP calls are coming from, you could either try to contact them or just block them at the firewall.
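
A triage sketch for the webserver.log excerpt in the question, added here and not part of the original posts: it parses the 404 rows and reports the spacing between requests and whether the same missing templates recur (as a stale cfschedule or cfhttp job would produce) or are mostly unique. The function names, the 0.5 repeat threshold and the MM/DD/YY reading of the date column are assumptions.

```python
import csv
import re
from datetime import datetime
from statistics import median

# Excerpt copied from the question's webserver.log.
SAMPLE = r'''"Error","TID=952","10/05/07","12:35:55","HTTP/1.0 404 Object Not Found. The template specified, D:\www\domain.com\Suzuki_Dealership.cfm, does not exist on the specified server."
"Error","TID=652","10/05/07","12:37:55","HTTP/1.0 404 Object Not Found. The template specified, D:\www\domain.com\Austin_Mini.cfm, does not exist on the specified server."
"Error","TID=612","10/05/07","12:40:03","HTTP/1.0 404 Object Not Found. The template specified, D:\www\domain.com\Burlington_Car_Dealers.cfm, does not exist on the specified server."
'''

MISSING = re.compile(r"404 Object Not Found\. The template specified, (.+?), does not exist")

def parse_404s(text):
    """Return sorted [(timestamp, template_path)] for every 404 row in the log text."""
    hits = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 5:
            continue  # separator lines, blank lines, truncated rows
        m = MISSING.search(row[4])
        if not m:
            continue  # some other error type
        try:
            # Assumption: the date column is MM/DD/YY.
            ts = datetime.strptime(row[2] + " " + row[3], "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue
        hits.append((ts, m.group(1)))
    return sorted(hits)

def summarize(hits, repeat_ratio=0.5):
    """Report request spacing and whether the same templates are re-requested."""
    if not hits:
        return {"count": 0, "distinct": 0, "median_gap_s": None, "pattern": None}
    names = [path.rsplit("\\", 1)[-1].lower() for _, path in hits]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
    distinct = len(set(names))
    # Assumed heuristic: a stale scheduled job re-requests the same few names,
    # while a crawler or guesser rarely asks for the same name twice.
    pattern = "repeating" if distinct / len(hits) <= repeat_ratio else "mostly-unique"
    return {"count": len(hits), "distinct": distinct,
            "median_gap_s": median(gaps) if gaps else None, "pattern": pattern}

if __name__ == "__main__":
    print(summarize(parse_404s(SAMPLE)))
```

This log carries no client address, so the summary only characterises the request pattern; attributing it to a source still needs the IP captured by a custom 404 template.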






speednow (Author) Commented:
The files haven't existed at any time. How can I check on those cfhttp's?

I'm still unable to log.

speednow (Author) Commented:
Still unknown what is causing this.
