Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Is this a sign someone is hacking my site?

Posted on 2008-10-07
4
Medium Priority
?
251 Views
Last Modified: 2010-04-11
I'm getting some 404 missing page errors but when I look at the page that was requested it looks like someone was tryning to hack the site.

The ad ":80" or ":443" and some other code into the URL as shown below

http://www.MySite.com:80/MySubDir/MyPage.cfm?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....  
Is this an attempt to hack the site?

How should I handle this.  
0
Comment
Question by:bigmikey88
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 9

Expert Comment

by:Andrew Maurer
ID: 22666280
yes that does look like SQL injection.

make sure you are using <cfqueryparam> in your queries
0
 
LVL 20

Expert Comment

by:edster9999
ID: 22669338
You should always make sure you filter for sql / java injection

This doesn't look like a targeted attack on your site - those would not normally generate 404 errors.  This is probably the work of a script kiddie who is searching thousands of sites for one he can take over.
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 2000 total points
ID: 22672304
This is a well know SQL injection attack, it's hit thousands.
Just enter "DECLARE%20@" into google or EE.

http://web-robot-abuse.blogspot.com/2008/08/latest-hack-running-right-now-is.html

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23633558.html

One method prevent it at the top is to add some code in your application.cfm file that checks the query string for "DECLARE%20@"   If found, just abort.    
0
 

Author Comment

by:bigmikey88
ID: 22683683
Thanks Sage  That was it...

OK, so here is what I did and it is working very well

See the code

in the application.cfm  page

I detect if there is a query string  i.e.  anything in the URL following a ?

If so I look to see if it contains the attack words  "declare, truncate, iframe...."

If so this gets written to a log file with time and IP address and the offending word

then it aborts

ha I love it

thx
mike


<cfset AttackList = "declare,truncate,select,iframe,srs">
<cfoutput>
<cfset Qstring = cgi.query_string>
<cfif Len(Qstring) GT 1><!--- check to see if there is a querry string --->
<cfloop index="i" list="#AttackList#">
<cfif FindNoCase(i,Qstring) GT 0>
 
<cfset Path = "#DrivePath#" & "#LogFilePath#\AttackErrors.txt">
<cffile action="APPEND"
file="#Path#"
output="Date: #RunDate#, Time: #RunTime#,Page: Application.cfm - root,
Attack Command: #i#
HTTP Referrer: #CGI.HTTP_REFERER#
Remote Address: #CGI.REMOTE_HOST#
Browser: #CGI.HTTP_USER_AGENT#
REQUEST_METHOD: #CGI.REQUEST_METHOD#
PATH_TRANSLATED: #CGI.PATH_TRANSLATED#
Query String In URL: #Qstring#
__________________________________________________"
addnewline="Yes"> 
 <cfabort>
<cfelse>
</cfif>
</cfloop>
</cfif><!--- end of if there is a query string --->
</cfoutput>
<!--- end of attacks in URL query string --->

Open in new window

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question