Is this a sign someone is hacking my site?

I'm getting some 404 missing page errors, but when I look at the page that was requested it looks like someone was trying to hack the site.

They add ":80" or ":443" and some other code into the URL as shown below;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....
Is this an attempt to hack the site?

How should I handle this?
gdemaria Commented:
This is a well-known SQL injection attack, it's hit thousands.
Just enter "DECLARE%20@" into Google or EE.

One method to prevent it at the top is to add some code in your application.cfm file that checks the query string for "DECLARE%20@". If found, just abort.
Andrew Maurer Commented:
Yes, that does look like SQL injection.

Make sure you are using <cfqueryparam> in your queries.
You should always make sure you filter for SQL / Java injection.

This doesn't look like a targeted attack on your site - those would not normally generate 404 errors.  This is probably the work of a script kiddie who is searching thousands of sites for one he can take over.
bigmikey88 (Author) Commented:
Thanks Sage  That was it...

OK, so here is what I did and it is working very well

See the code

in the application.cfm  page

I detect if there is a query string  i.e.  anything in the URL following a ?

If so I look to see if it contains the attack words  "declare, truncate, iframe...."

If so this gets written to a log file with time and IP address and the offending word

then it aborts

ha I love it


<cfset AttackList = "declare,truncate,select,iframe,srs">
<cfset Qstring = cgi.query_string>
<cfif Len(Qstring) GT 1><!--- check to see if there is a query string --->
<cfloop index="i" list="#AttackList#">
<cfif FindNoCase(i,Qstring) GT 0>
<!--- DrivePath, LogFilePath, RunDate and RunTime are expected to be set earlier in the application --->
<cfset Path = "#DrivePath#" & "#LogFilePath#\AttackErrors.txt">
<cffile action="APPEND"
file="#Path#"
output="Date: #RunDate#, Time: #RunTime#,Page: Application.cfm - root,
Attack Command: #i#
Remote Address: #CGI.REMOTE_HOST#
Query String In URL: #Qstring#"
addnewline="Yes">
<cfabort><!--- stop processing the request once it has been logged --->
</cfif><!--- end of keyword match --->
</cfloop>
</cfif><!--- end of if there is a query string --->
<!--- end of attacks in URL query string --->
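
An added example, not code from this thread: the keyword check posted above, mirrored in Python and run beside a narrower match for the `DECLARE @S ... CAST(0x` shape quoted in the question, to show which ordinary requests the keyword list would also abort. The function names and the sample query strings are constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Keyword list copied from the application.cfm code posted above.
ATTACK_LIST = ["declare", "truncate", "select", "iframe", "srs"]

# Shape of the probe quoted in the question: DECLARE @var ... CAST(0x
PROBE_RE = re.compile(r"\bdeclare\s+@\w+.*\bcast\s*\(\s*0x", re.I | re.S)


def substring_hit(query_string):
    """Mirror of the posted FindNoCase loop: first keyword found, else None."""
    lowered = query_string.lower()
    for word in ATTACK_LIST:
        if word in lowered:
            return word
    return None


def probe_hit(query_string):
    """True when the URL-decoded query string has the DECLARE @x ... CAST(0x shape."""
    return bool(PROBE_RE.search(unquote_plus(query_string)))


# Constructed sample query strings (not taken from any real log).
# The first keeps the payload truncated exactly as the question shows it.
SAMPLES = [
    "id=12;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....",
    "tab=selected&page=2",          # ordinary UI parameter
    "q=declare+bankruptcy+forms",   # ordinary site search
    "id=12",
]


def triage(samples):
    """Return (query_string, keyword_matched, probe_shape_matched) per sample."""
    return [(s, substring_hit(s), probe_hit(s)) for s in samples]


if __name__ == "__main__":
    for qs, word, probe in triage(SAMPLES):
        print(f"{qs!r}: keyword={word} probe={probe}")
```

Either check only reduces log noise from automated probes; the `<cfqueryparam>` advice given earlier in the thread is what keeps request values out of the SQL text.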
