Michael Robinson
asked on
Is this a sign someone is hacking my site?
I'm getting some 404 missing page errors, but when I look at the page that was requested it looks like someone was trying to hack the site.
They add ":80" or ":443" and some other code into the URL, as shown below:
http://www.MySite.com:80/MySubDir/MyPage.cfm?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....
Is this an attempt to hack the site?
How should I handle this?
You should always make sure you filter for SQL / Java injection.
This doesn't look like a targeted attack on your site - those would not normally generate 404 errors. This is probably the work of a script kiddie who is searching thousands of sites for one he can take over.
ASKER
Thanks Sage. That was it...
OK, so here is what I did and it is working very well
See the code
in the application.cfm page
I detect if there is a query string i.e. anything in the URL following a ?
If so I look to see if it contains the attack words "declare, truncate, iframe...."
If so this gets written to a log file with time and IP address and the offending word
then it aborts
ha I love it
thx
mike
<!--- Application.cfm: reject and log requests whose query string contains a listed keyword.
      DrivePath, LogFilePath, RunDate and RunTime are assumed to be set earlier in this file. --->
<cfset AttackList = "declare,truncate,select,iframe,srs">
<cfoutput>
<cfset Qstring = cgi.query_string>
<cfif Len(Qstring) GT 1><!--- check to see if there is a query string --->
    <cfloop index="i" list="#AttackList#">
        <cfif FindNoCase(i,Qstring) GT 0>
            <!--- keyword found: append the request details to the log, then stop processing --->
            <cfset Path = "#DrivePath#" & "#LogFilePath#\AttackErrors.txt">
            <cffile action="APPEND"
                file="#Path#"
                output="Date: #RunDate#, Time: #RunTime#,Page: Application.cfm - root,
Attack Command: #i#
HTTP Referrer: #CGI.HTTP_REFERER#
Remote Address: #CGI.REMOTE_HOST#
Browser: #CGI.HTTP_USER_AGENT#
REQUEST_METHOD: #CGI.REQUEST_METHOD#
PATH_TRANSLATED: #CGI.PATH_TRANSLATED#
Query String In URL: #Qstring#
__________________________________________________"
                addnewline="Yes">
            <cfabort>
        </cfif>
    </cfloop>
</cfif><!--- end of if there is a query string --->
</cfoutput>
<!--- end of attacks in URL query string --->
Make sure you are using <cfqueryparam> in your queries.
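
As an added example (not part of the thread and not the asker's code), this shows the parameterized form that the last comment points to, next to the concatenated form it replaces. The datasource `MyDSN`, the `Products` table and its columns, and the `url.id` / `url.category` parameters are assumed names.

```cfml
<!--- MyPage.cfm (hypothetical page): look up rows using values taken from the URL.
      Datasource "MyDSN", table "Products" and its columns are assumed names.

      BEFORE (vulnerable): the URL value is pasted into the SQL text, so whatever
      follows it in the query string is parsed by the database as SQL.

      <cfquery name="getProduct" datasource="MyDSN">
          SELECT ProductID, ProductName
          FROM   Products
          WHERE  ProductID = #url.id#
      </cfquery>
--->

<!--- AFTER, step 1: check the type up front and reject anything that is not an integer. --->
<cfparam name="url.id" default="">
<cfif NOT isValid("integer", url.id)>
    <!--- Refuse the request rather than trying to clean the value. --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- AFTER, step 2: bind the value as a parameter. The database receives it as data,
      never as part of the statement, whatever keywords it contains. --->
<cfquery name="getProduct" datasource="MyDSN">
    SELECT ProductID, ProductName
    FROM   Products
    WHERE  ProductID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Text values are bound the same way; maxlength caps the size that is accepted. --->
<cfparam name="url.category" default="">
<cfquery name="getByCategory" datasource="MyDSN">
    SELECT ProductID, ProductName
    FROM   Products
    WHERE  Category = <cfqueryparam value="#url.category#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

With every query written this way, the keyword check in Application.cfm serves as logging and early rejection rather than as the only barrier.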