Solved

Is this a sign someone is hacking my site?

Posted on 2008-10-07
4
245 Views
Last Modified: 2010-04-11
I'm getting some 404 missing page errors but when I look at the page that was requested it looks like someone was tryning to hack the site.

The ad ":80" or ":443" and some other code into the URL as shown below

http://www.MySite.com:80/MySubDir/MyPage.cfm?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....  
Is this an attempt to hack the site?

How should I handle this.  
0
Comment
Question by:bigmikey88
4 Comments
 
LVL 9

Expert Comment

by:Andrew Maurer
ID: 22666280
yes that does look like SQL injection.

make sure you are using <cfqueryparam> in your queries
0
 
LVL 20

Expert Comment

by:edster9999
ID: 22669338
You should always make sure you filter for sql / java injection

This doesn't look like a targeted attack on your site - those would not normally generate 404 errors.  This is probably the work of a script kiddie who is searching thousands of sites for one he can take over.
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 500 total points
ID: 22672304
This is a well know SQL injection attack, it's hit thousands.
Just enter "DECLARE%20@" into google or EE.

http://web-robot-abuse.blogspot.com/2008/08/latest-hack-running-right-now-is.html

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23633558.html

One method prevent it at the top is to add some code in your application.cfm file that checks the query string for "DECLARE%20@"   If found, just abort.    
0
 

Author Comment

by:bigmikey88
ID: 22683683
Thanks Sage  That was it...

OK, so here is what I did and it is working very well

See the code

in the application.cfm  page

I detect if there is a query string  i.e.  anything in the URL following a ?

If so I look to see if it contains the attack words  "declare, truncate, iframe...."

If so this gets written to a log file with time and IP address and the offending word

then it aborts

ha I love it

thx
mike


<cfset AttackList = "declare,truncate,select,iframe,srs">
<cfoutput>
<cfset Qstring = cgi.query_string>
<cfif Len(Qstring) GT 1><!--- check to see if there is a querry string --->
<cfloop index="i" list="#AttackList#">
<cfif FindNoCase(i,Qstring) GT 0>
 
<cfset Path = "#DrivePath#" & "#LogFilePath#\AttackErrors.txt">
<cffile action="APPEND"
file="#Path#"
output="Date: #RunDate#, Time: #RunTime#,Page: Application.cfm - root,
Attack Command: #i#
HTTP Referrer: #CGI.HTTP_REFERER#
Remote Address: #CGI.REMOTE_HOST#
Browser: #CGI.HTTP_USER_AGENT#
REQUEST_METHOD: #CGI.REQUEST_METHOD#
PATH_TRANSLATED: #CGI.PATH_TRANSLATED#
Query String In URL: #Qstring#
__________________________________________________"
addnewline="Yes"> 
 <cfabort>
<cfelse>
</cfif>
</cfloop>
</cfif><!--- end of if there is a query string --->
</cfoutput>
<!--- end of attacks in URL query string --->

Open in new window

0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question