Solved

Is this a sign someone is hacking my site?

Posted on 2008-10-07
4
243 Views
Last Modified: 2010-04-11
I'm getting some 404 missing page errors but when I look at the page that was requested it looks like someone was tryning to hack the site.

The ad ":80" or ":443" and some other code into the URL as shown below

http://www.MySite.com:80/MySubDir/MyPage.cfm?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....  
Is this an attempt to hack the site?

How should I handle this.  
0
Comment
Question by:bigmikey88
4 Comments
 
LVL 9

Expert Comment

by:Andrew Maurer
ID: 22666280
yes that does look like SQL injection.

make sure you are using <cfqueryparam> in your queries
0
 
LVL 20

Expert Comment

by:edster9999
ID: 22669338
You should always make sure you filter for sql / java injection

This doesn't look like a targeted attack on your site - those would not normally generate 404 errors.  This is probably the work of a script kiddie who is searching thousands of sites for one he can take over.
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 500 total points
ID: 22672304
This is a well know SQL injection attack, it's hit thousands.
Just enter "DECLARE%20@" into google or EE.

http://web-robot-abuse.blogspot.com/2008/08/latest-hack-running-right-now-is.html

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23633558.html

One method prevent it at the top is to add some code in your application.cfm file that checks the query string for "DECLARE%20@"   If found, just abort.    
0
 

Author Comment

by:bigmikey88
ID: 22683683
Thanks Sage  That was it...

OK, so here is what I did and it is working very well

See the code

in the application.cfm  page

I detect if there is a query string  i.e.  anything in the URL following a ?

If so I look to see if it contains the attack words  "declare, truncate, iframe...."

If so this gets written to a log file with time and IP address and the offending word

then it aborts

ha I love it

thx
mike


<cfset AttackList = "declare,truncate,select,iframe,srs">

<cfoutput>

<cfset Qstring = cgi.query_string>

<cfif Len(Qstring) GT 1><!--- check to see if there is a querry string --->

<cfloop index="i" list="#AttackList#">

<cfif FindNoCase(i,Qstring) GT 0>
 

<cfset Path = "#DrivePath#" & "#LogFilePath#\AttackErrors.txt">

<cffile action="APPEND"

file="#Path#"

output="Date: #RunDate#, Time: #RunTime#,Page: Application.cfm - root,

Attack Command: #i#

HTTP Referrer: #CGI.HTTP_REFERER#

Remote Address: #CGI.REMOTE_HOST#

Browser: #CGI.HTTP_USER_AGENT#

REQUEST_METHOD: #CGI.REQUEST_METHOD#

PATH_TRANSLATED: #CGI.PATH_TRANSLATED#

Query String In URL: #Qstring#

__________________________________________________"

addnewline="Yes"> 

 <cfabort>

<cfelse>

</cfif>

</cfloop>

</cfif><!--- end of if there is a query string --->

</cfoutput>

<!--- end of attacks in URL query string --->

Open in new window

0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now