Solved

Hacker Bot visiting each day - cferror fields not trapped - Coldfusion 9 site

Posted on 2014-02-24
8
138 Views
Last Modified: 2015-07-15
I use standard cferror trapping to go to cferror template and send me an email when request errors occur.

Ever day I get errors generated from an attempted hacker bot - It looks like they are trying to inject some links somewhere.  The attempts always fail and generate the errors below. The only error field that gets populated some of the time is error.diagnostics   Sometimes it is blank too.

Here are two examples of the failed daily hack attempt wth fields emailed to me
ErrorDate         #Error.DateTime#
     Browser           #Error.Browser#
     Remote Address    #Error.RemoteAddress#
     HTTP Referrer     #Error.HTTPReferer#
         Template          #Error.Template#
     Query String      #Error.QueryString#
     User name         
     HTML Code Format  <PRE>The United States &lt;a href=&quot; http://www.aprilborbon.com/writing/ &quot;&gt;buy vermox&lt;/a&gt;  payment arrangements should be made with the patient.
 &lt;a href=&quot; http://www.gtonics.net/technology/oscommerce &quot;&gt;topiramate online&lt;/a&gt;  For more information, contact PKP secretary.
 &lt;a href=&quot; http://dalit.dk/omos/ &quot;&gt;buy generic effexor xr online&lt;/a&gt;  Nyarang’O P, Mutema A, Odero W, Sumba O. Interviewing: A manual on
 </PRE> 

Open in new window


ErrorDate         #Error.DateTime#
     Browser           #Error.Browser#
     Remote Address    #Error.RemoteAddress#
     HTTP Referrer     #Error.HTTPReferer#
         Template          #Error.Template#
     Query String      #Error.QueryString#
     User name         
     HTML Code Format  <PRE>Punk not dead  &lt;a href=&quot; http://www.suckvalleywaywalk.ie/health-safety/ &quot;&gt;fish cycline tetracycline 250mg 100 capsules&lt;/a&gt;  instructions of their preceptor. If there is concern about the preceptors instructions, students
 &lt;a href=&quot; http://www.aprilborbon.com/writing/ &quot;&gt;vermox for children&lt;/a&gt;  Pharmacy Procedures Manual | 1 March 2010 13
 &lt;a href=&quot; http://www.gtonics.net/technology/oscommerce &quot;&gt;topamax and weight loss&lt;/a&gt;  Personal accountability and responsibility for actions
 </PRE> 

Open in new window


All the error fields are normally populated when an error is trapped - just not when this happens.

So I am not able to diagnose what the bot is trying to do so I can thwart it. I use cfqueryparam on querys

Any ideas?

This is a coldfusion 9 site www.housecarers.com
0
Comment
Question by:Ian White
  • 5
  • 3
8 Comments
 
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39884926
It sounds like a blind form post jacking,

I would use try/catch blocks to prepare the error and mail it to yourself, adding CGI and FORM dumps to see what the bot is trying to attempt

<cftry>
        <!--- code where the error is being thrown goes here before the catch --->
    <cfcatch type="any">
        <cfsavecontent variable="dumps">
            <cfif isDefined("CGI")>
                <cfdump var="#CGI#">
            </cfif>
            <cfif isDefined("FORM")>
                <cfdump var="#FORM#">
            </cfif>
        </cfsavecontent>
        <cfmail to="admin@company.com">
            #dumps#
        </cfmail>
        <!--- Insert graceful error handling code here --->
    </cfcatch>
</cftry>

Open in new window

0
 
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39884930
Also, if you design your action page to validate the exact type of content you want to receive and send the user back to the original form if the correct data is not present, that might discourage the bot to attempt further attacks on your site.

The hacker will keep trying as long as he sees that his attempts are causing some errors to be tripped on your server.
0
 

Author Comment

by:Ian White
ID: 39885142
Thanks. I have an extensive site with a number of forms.  

<!--- code where the error is being thrown goes here before the catch --->
The trouble is I don't know where the error is being thrown.

As advised cferror in application.cfm goes to error handling template but the referer and template are not populated

HTTP Referrer     #Error.HTTPReferer#
Template          #Error.Template#
0
 
LVL 4

Accepted Solution

by:
Rodrigo Munera earned 500 total points
ID: 39885942
I'm not sure if the CGI and FORM data from the request would make it to the error page specified in your error handler, but you can give it a try.

In your error handler add:

        <cfsavecontent variable="dumps">
            <cfif isDefined("ERROR")>
                <cfdump var="#ERROR#" label="Error Dump">
            </cfif>
            <cfif isDefined("CGI")>
                <cfdump var="#CGI#" label="CGI Dump">
            </cfif>
            <cfif isDefined("FORM")>
                <cfdump var="#FORM#" label="Form Dump">
            </cfif>
        </cfsavecontent>
        <cfmail to="admin@company.com">
            #dumps#
        </cfmail>

Open in new window

That should give you all available data ColdFusion has made available to your error handler regarding the request.

Also, if your forms take any form of sensitive information, you may want to clean the dumps before emailing them (What good is to have your server secure if you're potentially emailing credit card information in an error reporting email?)

Here's a good resource on securing your dump data http://www.bennadel.com/index.cfm?event=blog.viewcode&id=932&index=3

Here's another resource where ben implements his secure dumps into cferror http://www.bennadel.com/blog/932-Ask-Ben-Handling-Errors-With-ColdFusion-CFError.htm
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 

Author Comment

by:Ian White
ID: 39888307
Yes I tried that - but still error fields not displaying so I have no idea of the template causing the error
0
 

Author Comment

by:Ian White
ID: 39893598
I ended up checking for the injection in application.cfm then aborting. Not sure what would be best thing to
present to the hacker - currently just aborting

<cfloop collection="#form#" item="item">
 <cfif form[item] contains "exec("

 or  form[item] contains  "href=&quot"
 
  >

<!--- Do something to the hacker - blank page? --->
<cfabort>
</cfloop>

Open in new window

0
 

Author Comment

by:Ian White
ID: 39908240
No Matter what I do - an error is generated but fields dont get trapped except for error.diagnostics - see example below so error.template etc not reported

ErrorDate         #Error.DateTime#
     Browser           #Error.Browser#
     Remote Address    #Error.RemoteAddress#
     HTTP Referrer     #Error.HTTPReferer#
         Template          #Error.Template#
     Query String      #Error.QueryString#
     User name         
     HTML Code Format  <PRE>We went to university together &lt;a href=&quot; http://www.moorelegal.net/austin-law-office.html &quot;&gt;generic for nexium 40 mg&lt;/a&gt;  dispensed in quantities sufficient to effect optimum economy, up to 90 days.
 &lt;a href=&quot; http://fuckedup.cc/category/writing/ &quot;&gt;75 mg topamax&lt;/a&gt;  Preceptors qualify to participate in the PEP by meeting and adhering to standards set by the UNC
 &lt;a href=&quot; http://www.chdesignsinc.com/?page_id=194 &quot;&gt;acyclovir iv rxlist&lt;/a&gt;  frozen inserts, and one camping stove that we will lend if we are not using them. Please return
 &lt;a href=&quot; http://lbhoffmangroup.com/index.php/testimonials &quot;&gt;50 mg amitriptyline&lt;/a&gt;  salt and curry powder to taste
 </PRE> 

Open in new window

0
 

Author Closing Comment

by:Ian White
ID: 40884327
please close inactive
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Account Lockouts 25 151
Protectings Systems from Malicous Users 4 93
Can I put javascript code in my application.cfm file 4 32
More Than One Website On Same DMZ Server 3 54
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now