Giant SQL Injection Spider Attack

There is a giant spider-botnet-based SQL injection attack going on right now. This has personally affected some friends of mine, and I have been reading about it on the CF-Talk list.

Unfortunately, there does not seem to be much that can be done about it other than to try to ride the storm out. I have not seen anything in the tech press about this yet, but they seem to be a day late and a dollar short anyway.

Comments
I was just playing with http://portcullis.riaforge.org/. It will help filter them out, log and block them, which is handy. Even when protected (queryparam, etc.) I hate all the emails I get from the errors the injection attempts make. Filtering and logging them makes more sense.
# Posted By Joshua cyr | 8/8/08 10:26 AM
I've lost count of the hundreds of error emails I've gotten from my blog over the last few days due to this attack. All my error emails go into a separate folder so it's no hardship for me - once a day I go into the folder, select-all and delete - just mildly annoying.

I think you're right - this will go away eventually :)
# Posted By Sean Corfield | 8/8/08 10:40 AM
Hey David, besides the tool Joshua recommends, I'd like to offer a little more encouragement. I wouldn't conclude that "there does not seem much that can be done about it other than to try to ride the storm out." Not at all.

The good news is that many have written providing ideas to block the attacks (from code changes to configuration changes), as well as ways to revert whatever changes are made by this current wave of attacks. The easiest way to find them is to go to coldfusionbloggers.org and search for hack, and there are (today) 2 pages of entries going back to 7/18 mostly on the topic. Hope that helps. I may have more to say on my own blog soon.
# Posted By Charlie Arehart | 8/8/08 11:02 AM
I think most CF developers who have been around for any length of time use SQL parameters in their queries or use stored procedures if they are not using an ORM. It is annoying getting those errors though.

I saw one post on CF-Talk where they had gotten 40000 attacks in the last 24 hours.
# Posted By David Fekke | 8/8/08 11:03 AM
Portcullis saved my butt. I saw the first version of this SQL injection attack about two weeks ago in my cferror emails. Most of my code was protected, but then after doing some searching I found that some of my old code (10+ years old) and some written by other developers (OK, I missed a few in the last 10 years too :-)) needed to be fixed ASAP. The first step I did was to put Portcullis on each site and filter out the attack string from ever getting to a SQL query. That bought me the time to fix the code correctly and test it.
# Posted By Mark W. Breneman | 8/8/08 11:13 AM
I just saw some Facebook comments on this, and when I checked my logs they were huge. No harm done, but the volume slowed things down a bit. Since I show referers on my blog I'm a magnet for spam referers, so I filter all requests through a blacklist then a whitelist before showing the referer. To defeat the injection attacks I just added a simple pattern matcher to my filter to quickly abort requests that are characteristic of the attacks.
# Posted By Steven Erat | 8/8/08 12:07 PM
I experienced this on a couple of different websites.
I was able to find the problematic template by searching the IIS logs for the word "DECLARE", which pulled up the template and variable responsible.
# Posted By KC | 8/9/08 12:19 AM
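The log search KC describes, written out as an added example (not KC's or this blog's code): it walks IIS W3C extended log lines, URL-decodes the query string, flags requests carrying the DECLARE/CAST/EXEC pattern, and reports which template and which variable carried it. The sample log lines, the `#Fields:` order and the `0xDEADBEEF` stand-in for the encoded payload are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log (not from the page); the #Fields line drives parsing.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2008-08-08 10:26:01 10.0.0.5 GET /index.cfm - 80 192.0.2.10 200
2008-08-08 10:26:02 10.0.0.5 GET /article.cfm id=42 80 192.0.2.10 200
2008-08-08 10:26:03 10.0.0.5 GET /article.cfm id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0xDEADBEEF%20AS%20VARCHAR(4000));EXEC(@S);-- 80 198.51.100.7 500
2008-08-08 10:26:04 10.0.0.5 GET /old/show.cfm cat=3%3BdEcLaRe+%40s+varchar%28100%29 80 198.51.100.8 200
"""

# Keywords characteristic of the injection string. Matched after URL-decoding and
# case-insensitively, so mixed-case and percent-encoded variants are still caught.
INJECTION_RE = re.compile(r"\b(DECLARE|CAST\s*\(|EXEC\s*\()", re.IGNORECASE)

def find_injection_attempts(log_text):
    """Return (template, parameter, client_ip, status) for each request whose
    query string contains the injection pattern."""
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):   # malformed or truncated line; skip it
            continue
        row = dict(zip(fields, parts))
        query = row.get("cs-uri-query", "-")
        if query == "-":                # IIS logs "-" when there is no query string
            continue
        # Split on "&" ourselves: a ";" inside the payload is not a separator here.
        tainted = [name for name, _, value in
                   (pair.partition("=") for pair in query.split("&"))
                   if INJECTION_RE.search(unquote_plus(value))]
        if tainted:
            hits.append((row["cs-uri-stem"], tainted[0], row["c-ip"], row["sc-status"]))
    return hits

def count_by_template(hits):
    """Tally hits per template so the worst-affected pages are fixed first."""
    counts = {}
    for template, _, _, _ in hits:
        counts[template] = counts.get(template, 0) + 1
    return counts

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("template=%s param=%s client=%s status=%s" % hit)
```

A 500 status on a flagged request is the case worth looking at first: it is the error that produced the cferror emails the other commenters mention, and the template and parameter it names are where a queryparam is missing.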
I ran across this approach to blocking the recent SQL injection bot using the .htaccess file: http://www.luismajano.com/blog/index.cfm/2008/8/8/... Has anyone tried this?
# Posted By Rose Pruyne | 8/11/08 2:13 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.6.001.