Is this a sign someone is hacking my site?

I'm getting some 404 missing page errors, but when I look at the page that was requested it looks like someone was trying to hack the site.

They add ":80" or ":443" and some other code into the URL, as shown below:

http://www.MySite.com:80/MySubDir/MyPage.cfm?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x....  
Is this an attempt to hack the site?

How should I handle this?
bigmikey88 Asked:
 
gdemaria Commented:
This is a well-known SQL injection attack; it's hit thousands.
Just enter "DECLARE%20@" into Google or EE.

http://web-robot-abuse.blogspot.com/2008/08/latest-hack-running-right-now-is.html

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23633558.html

One method to prevent it at the top is to add some code in your application.cfm file that checks the query string for "DECLARE%20@". If found, just abort.
 
Andrew Maurer Commented:
Yes, that does look like SQL injection.

Make sure you are using <cfqueryparam> in your queries.
 
edster9999 Commented:
You should always make sure you filter for SQL / Java injection.

This doesn't look like a targeted attack on your site - those would not normally generate 404 errors.  This is probably the work of a script kiddie who is searching thousands of sites for one he can take over.
 
bigmikey88 (Author) Commented:
Thanks Sage. That was it...

OK, so here is what I did, and it is working very well.

See the code in the application.cfm page.

I detect if there is a query string, i.e. anything in the URL following a ?

If so, I look to see if it contains the attack words "declare, truncate, iframe...."

If so, this gets written to a log file with the time, IP address and the offending word.

Then it aborts.

ha I love it

thx
mike


<!--- words that cause the request to be logged and aborted when found in the query string --->
<cfset AttackList = "declare,truncate,select,iframe,srs">
<!--- DrivePath, LogFilePath, RunDate and RunTime are not set in this snippet; they are assumed to be defined earlier in application.cfm --->
<cfoutput>
<cfset Qstring = cgi.query_string>
<cfif Len(Qstring) GT 1><!--- check to see if there is a query string --->
    <cfloop index="i" list="#AttackList#">
        <cfif FindNoCase(i,Qstring) GT 0>
            <!--- case-insensitive match: log the word and the request details, then stop the request --->
            <cfset Path = "#DrivePath#" & "#LogFilePath#\AttackErrors.txt">
            <cffile action="APPEND"
                file="#Path#"
                output="Date: #RunDate#, Time: #RunTime#,Page: Application.cfm - root,
Attack Command: #i#
HTTP Referrer: #CGI.HTTP_REFERER#
Remote Address: #CGI.REMOTE_HOST#
Browser: #CGI.HTTP_USER_AGENT#
REQUEST_METHOD: #CGI.REQUEST_METHOD#
PATH_TRANSLATED: #CGI.PATH_TRANSLATED#
Query String In URL: #Qstring#
__________________________________________________"
                addnewline="Yes">
            <cfabort>
        </cfif>
    </cfloop>
</cfif><!--- end of if there is a query string --->
</cfoutput>
<!--- end of attacks in URL query string --->
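
An added example, not part of the original thread: a Python triage script that scans a web access log for the DECLARE ... CAST(0x probe quoted in the question, decoding the query string before matching, and separates probes that got a 404 from probes that reached a real page. The log lines, IP addresses, /Other.cfm and /search.cfm, the 0x00 value and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2008:04:12:01 +0000] "GET /MySubDir/MyPage.cfm?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x00%20AS%20CHAR(4000)) HTTP/1.1" 404 512
198.51.100.23 - - [10/Aug/2008:04:12:09 +0000] "GET /search.cfm?q=select+a+plan HTTP/1.1" 200 2048
203.0.113.7 - - [10/Aug/2008:04:12:15 +0000] "GET /Other.cfm?id=5;declare+@s+varchar(8000);set+@s=cast(0x00+as+varchar(8000)) HTTP/1.1" 200 1024
198.51.100.40 - - [10/Aug/2008:04:13:00 +0000] "GET /index.cfm HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Shape of the probe quoted in the question: DECLARE @x <type>(n); SET @x = CAST(0x...
PROBE_RE = re.compile(
    r"declare\s+@\w+\s+\w+\(\d+\)\s*;\s*set\s+@\w+\s*=\s*cast\(\s*0x", re.I)

def decode(qs, rounds=3):
    """URL-decode until stable so encoded and plain requests compare alike."""
    for _ in range(rounds):
        new = unquote_plus(qs)
        if new == qs:
            break
        qs = new
    return qs

def scan(log_text):
    """Return (ip, path, status) for each request whose query matches the probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if PROBE_RE.search(decode(query)):
            hits.append((ip, path, int(status)))
    return hits

def needs_review(hits):
    """Probes answered with anything other than 404 reached a real page."""
    return [h for h in hits if h[2] != 404]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit, "REVIEW" if hit in needs_review([hit]) else "404 only")
```

Pages returned by needs_review are the ones whose queries should be checked for <cfqueryparam> first. The benign /search.cfm?q=select+a+plan request is not flagged here, although a bare keyword list containing "select" would abort it.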
