Solved

Is this a sign someone is hacking my site?

Posted on 2008-10-07
4
244 Views
Last Modified: 2010-04-11
I'm getting some 404 missing page errors but when I look at the page that was requested it looks like someone was tryning to hack the site.

The ad ":80" or ":443" and some other code into the URL as shown below

http://www.MySite.com:80/MySubDir/MyPage.cfm?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....  
Is this an attempt to hack the site?

How should I handle this.  
0
Comment
Question by:bigmikey88
4 Comments
 
LVL 9

Expert Comment

by:Andrew Maurer
ID: 22666280
yes that does look like SQL injection.

make sure you are using <cfqueryparam> in your queries
0
 
LVL 20

Expert Comment

by:edster9999
ID: 22669338
You should always make sure you filter for sql / java injection

This doesn't look like a targeted attack on your site - those would not normally generate 404 errors.  This is probably the work of a script kiddie who is searching thousands of sites for one he can take over.
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 500 total points
ID: 22672304
This is a well know SQL injection attack, it's hit thousands.
Just enter "DECLARE%20@" into google or EE.

http://web-robot-abuse.blogspot.com/2008/08/latest-hack-running-right-now-is.html

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23633558.html

One method prevent it at the top is to add some code in your application.cfm file that checks the query string for "DECLARE%20@"   If found, just abort.    
0
 

Author Comment

by:bigmikey88
ID: 22683683
Thanks Sage  That was it...

OK, so here is what I did and it is working very well

See the code

in the application.cfm  page

I detect if there is a query string  i.e.  anything in the URL following a ?

If so I look to see if it contains the attack words  "declare, truncate, iframe...."

If so this gets written to a log file with time and IP address and the offending word

then it aborts

ha I love it

thx
mike


<cfset AttackList = "declare,truncate,select,iframe,srs">
<cfoutput>
<cfset Qstring = cgi.query_string>
<cfif Len(Qstring) GT 1><!--- check to see if there is a querry string --->
<cfloop index="i" list="#AttackList#">
<cfif FindNoCase(i,Qstring) GT 0>
 
<cfset Path = "#DrivePath#" & "#LogFilePath#\AttackErrors.txt">
<cffile action="APPEND"
file="#Path#"
output="Date: #RunDate#, Time: #RunTime#,Page: Application.cfm - root,
Attack Command: #i#
HTTP Referrer: #CGI.HTTP_REFERER#
Remote Address: #CGI.REMOTE_HOST#
Browser: #CGI.HTTP_USER_AGENT#
REQUEST_METHOD: #CGI.REQUEST_METHOD#
PATH_TRANSLATED: #CGI.PATH_TRANSLATED#
Query String In URL: #Qstring#
__________________________________________________"
addnewline="Yes"> 
 <cfabort>
<cfelse>
</cfif>
</cfloop>
</cfif><!--- end of if there is a query string --->
</cfoutput>
<!--- end of attacks in URL query string --->

Open in new window

0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question