Comments on: Mass SQL Injection attack is still out there

By: RandomUser

RandomUser — Wed, 06 Aug 2008 13:03:12 +0000

I’ve been watching this botnet attempt to infect various servers I manage over the last week. Eventually I got annoyed that they were triggering the error handling so I wrote some code to automatically add them to the banned IP list when they try.

They’re still trying with the ton of IP addresses they have access to, but I don’t have to see so many errors any more.

By: Jack

Jack — Wed, 23 Jul 2008 17:31:47 +0000

Thanks for the excellent info. We converted your code into ColdFusion too – great article!

By: Slavik

Slavik — Thu, 26 Jun 2008 09:09:53 +0000

@Qwaider – The attacks are automated coming from a zombie botnet so they will keep trying to hit your site even if you are not vulnerable. Thanks for the suggestion about ‘;’. Actually, the last replace will replace ‘;’ with ‘,’.

By: Luary

Luary — Thu, 26 Jun 2008 01:07:57 +0000

The regular expression did not work in my case. I ended up doing a Split(stringtoscan, “;”)(0) and with that result replaced “‘” with “””, removing “@” as well as removing SQL key words such as DROP, EXECUTE, UPDATE, etc.

By: Qwaider

Qwaider — Tue, 24 Jun 2008 19:52:40 +0000

I’m facing the very same attack, and I’m monitoring it very closely. I wish I could figure out what these people want. I mean, it’s obvious that I’ve got everything parametrized and they will not get through. But this doesnt stop them from trying as I can see it.

Quick suggestion on your function above. Unless the querystring has a use for “;”, you might want to check for that in specific simply because someone might have “;drop” or something else that could be harmful

Just my 2c

By: DBA

DBA — Tue, 24 Jun 2008 19:19:27 +0000

THANK YOU VERY MUCH FOR THIS FIX.